  1. Artifactory Binary Repository
  2. RTFACT-18781

Build promotion shouldn't require build delete permission



    • Regression:


      Symptoms: After upgrading Artifactory, users can no longer promote builds.

      Steps to reproduce:

      1. Grant a regular Artifactory user the following permission set:
         For: All builds, relevant artifact repository

         Artifacts: Read, Annotate, Write
         Builds: Read, Annotate, Write (not delete)

      2. Deploy a build as the regular user
      3. Attempt to promote the build with the same user
      4. Encounter a 403 Forbidden:

      curl -H"Content-type: Application/json" -ufrank:password -vv -XPOST --data @promo.json http://localhost:8081/artifactory/api/build/promote/maven-pipeline/2

      < HTTP/1.1 403 Forbidden
      < Server: Artifactory/6.7.0
      < X-Artifactory-Id: 4bffa16f00b34ba4:-6dd42b03:1697a60e3eb:-8000
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Date: Fri, 15 Mar 2019 17:03:04 GMT
      {
        "errors" : [
          { "status" : 403, "message" : "User 'frank' is not authorized to delete build info. Delete permission is needed." }
        ]
      }

      Contents of promo.json:

      { "status":"staged", "timestamp":"2019-02-11T18:30:24.825+0200", "targetRepo":"libs-release-local", "copy":"true" }

      The exact same steps in Artifactory 6.5.9 and below succeed. This looks to be due to the new BuildInfo permission set, which treats the buildinfo.json as a file instead of metadata.


      Promotions do add additional information to the deployed JSON, which counts as an "overwrite." However, granting the "delete/overwrite" build permission allows users to both promote builds and delete other builds.

      In earlier versions, only Artifactory Admins could delete builds, but any user could run a promotion. Only "artifact deploy" access was needed to promote (that is, to move artifacts from one repo to another).

      If users want to maintain earlier Artifactory behavior, they must now choose either to allow broad delete access on builds or to limit who can promote builds. Neither is ideal from an administration perspective.


      Artifactory should allow regular users to promote builds without granting them "delete builds" access. This would allow users with many build deployers to easily maintain their promotion pipeline securely without overhauling their entire Artifactory permission set.
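
The trade-off described above can be audited against an export of permission targets: who is blocked from promoting, and who holds build delete. This is an added example, not part of the original report or Artifactory's code; the JSON shape (`build.actions.users` / `groups`) is assumed to match a permission-target export, the function names are hypothetical, and the sample data is constructed.

```python
import json
from collections import defaultdict

# Constructed sample; the shape is an assumption, not taken from the report.
SAMPLE_TARGETS = json.loads("""
[
  {"name": "ci-deployers",
   "build": {"actions": {
     "users":  {"frank": ["read", "annotate", "write"],
                "carol": ["read", "write"]},
     "groups": {"release-eng": ["read", "annotate", "write", "delete"]}}}},
  {"name": "build-cleanup",
   "build": {"actions": {"users": {"carol": ["delete"]}}}},
  {"name": "readers",
   "build": {"actions": {"users": {"alice": ["read"]}}}}
]
""")

def effective_build_actions(targets):
    """Union of build actions per principal across all permission targets.

    Assumes every target covers the same builds; include/exclude patterns
    and group membership are not resolved here.
    """
    effective = defaultdict(set)
    for target in targets:
        actions = target.get("build", {}).get("actions", {})
        for kind in ("users", "groups"):
            for name, granted in actions.get(kind, {}).items():
                effective[(kind[:-1], name)].update(a.lower() for a in granted)
    return effective

def audit_build_permissions(targets):
    """blocked: build write without delete, so promotion returns the 403
    shown in the report. can_delete: holds delete, so promotion works but
    the principal can also delete builds."""
    report = {"blocked": [], "can_delete": []}
    for principal, granted in sorted(effective_build_actions(targets).items()):
        if "delete" in granted:
            report["can_delete"].append(principal)
        elif "write" in granted:
            report["blocked"].append(principal)
    return report

if __name__ == "__main__":
    for bucket, principals in audit_build_permissions(SAMPLE_TARGETS).items():
        for kind, name in principals:
            print(f"{bucket}: {kind} {name}")
```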


              yuvalr Yuval Reches
              patrickr Patrick Russell