  1. Artifactory Binary Repository
  2. RTFACT-22824

Non UI Authentication cache should work for all docker requests



    • Type: Improvement
    • Status: Reopened
    • Priority: 4 - Normal
    • Resolution: Unresolved
    • Affects Version/s: 6.20.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:


      Problem description:
      The non-UI auth cache (https://www.jfrog.com/confluence/display/JFROG/LDAP#LDAP-Non-UIAuthenticationCache) doesn't work for Docker requests when using basic auth.

      The issue occurs for all Docker requests, whether for the manifest or the layers. This is because caching is enabled only for requests that are based on a Docker token. The Docker client (or a smart remote repo with token-based auth enabled) always goes to v2/token as a first request on every command (pull, push, etc.) and then uses the retrieved token for all subsequent requests to Artifactory for the same purpose (i.e. all layers pulled by the same docker pull request).

      What is the expected behavior?
      - All Docker API authentication requests are cached all the time

      Steps to reproduce:
      - Enable LDAP debug logs

      - Try to resolve the manifest/layer via curl multiple times:  RESTRICTED_URL'S

      - Notice in the LDAP debug logs that there is a cached key entry, yet it still reaches out to LDAP. The behavior occurs for both internal and LDAP users

      2020-07-09 18:07:38,971 [http-nio-8081-exec-8] [DEBUG] (o.a.w.s.AccessFilter:329) - Cached key has been found for request: '/artifactory/api/docker/docker-local/v2/busybox/blobs/sha256:91f30d776fb27944b3febb64600db83a880fb4af3f55442f3ad5ee1a786295bf' with method: 'GET'
      2020-07-09 18:07:38,972 [http-nio-8081-exec-8] [DEBUG] (o.a.s.l.ArtifactoryLdapAuthenticationProvider:148) - Trying to authenticate user: 'admin' via ldap.
      2020-07-09 18:07:38,977 [http-nio-8081-exec-8] [DEBUG] (o.a.s.l.ArtifactoryBindAuthenticator:153) - Searching for user: '[ searchFilter: '(uid={0})', searchBase: 'ou=users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]' failed for admin: The user: 'admin' not found in directory.
      2020-07-09 18:07:38,977 [http-nio-8081-exec-8] [DEBUG] (o.a.s.l.ArtifactoryBindAuthenticator:170) - The user: 'admin' can't be found in LDAP search
      2020-07-09 18:08:17,172 [http-nio-8081-exec-4] [DEBUG] (o.a.w.s.AccessFilter:329) - Cached key has been found for request: '/artifactory/api/docker/docker-local/v2/busybox/blobs/sha256:91f30d776fb27944b3febb64600db83a880fb4af3f55442f3ad5ee1a786295bf' with method: 'GET'
      2020-07-09 18:08:17,174 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryLdapAuthenticationProvider:148) - Trying to authenticate user: 'tuser' via ldap.
      2020-07-09 18:08:17,187 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryBindAuthenticator:187) - Attempting to bind as cn=tuser,ou=users,dc=example,dc=org
      2020-07-09 18:08:17,188 [http-nio-8081-exec-4] [DEBUG] (o.s.s.l.DefaultSpringSecurityContextSource:100) - Removing pooling flag for user cn=tuser,ou=users,dc=example,dc=org
      2020-07-09 18:08:17,194 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryBindAuthenticator:222) - Retrieving attributes...
      2020-07-09 18:08:17,196 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryLdapAuthenticationProvider:185) - 'tuser' authenticated successfully by ldap server.


              mattheww Matthew Wang
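
One way to check for the reported behaviour in the LDAP debug log, as an added example that is not part of the original issue or of Artifactory's code: it pairs each "Cached key has been found" line with a later "Trying to authenticate user ... via ldap" line on the same worker thread. The 2-second pairing window and the last sample line are assumptions constructed for illustration; the other sample lines are copied from the issue.

```python
import re
from datetime import datetime, timedelta

# Layout of the debug lines quoted in the issue: timestamp [thread] [LEVEL] (logger:line) - message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<thread>[^\]]+)\] "
    r"\[\w+\s*\] \((?P<logger>[^:)]+):\d+\) - (?P<msg>.*)$")
CACHE_HIT = re.compile(r"Cached key has been found for request: '([^']+)'")
LDAP_TRY = re.compile(r"Trying to authenticate user: '([^']+)' via ldap")
WINDOW = timedelta(seconds=2)  # assumption: worker threads are pooled, so bound the pairing in time

def find_cache_bypasses(lines):
    """Return (timestamp, user, path) for every LDAP attempt that follows a
    cache hit on the same worker thread within WINDOW."""
    pending = {}   # thread name -> (time of cache hit, request path)
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines, stack traces, other formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        hit = CACHE_HIT.search(m["msg"])
        if hit:
            pending[m["thread"]] = (ts, hit.group(1))
            continue
        attempt = LDAP_TRY.search(m["msg"])
        if attempt and m["thread"] in pending:
            hit_ts, path = pending.pop(m["thread"])
            if ts - hit_ts <= WINDOW:
                findings.append((m["ts"], attempt.group(1), path))
    return findings

# First four lines are from the issue; the last is constructed (a cache hit with no LDAP call).
SAMPLE = """\
2020-07-09 18:07:38,971 [http-nio-8081-exec-8] [DEBUG] (o.a.w.s.AccessFilter:329) - Cached key has been found for request: '/artifactory/api/docker/docker-local/v2/busybox/blobs/sha256:91f30d776fb27944b3febb64600db83a880fb4af3f55442f3ad5ee1a786295bf' with method: 'GET'
2020-07-09 18:07:38,972 [http-nio-8081-exec-8] [DEBUG] (o.a.s.l.ArtifactoryLdapAuthenticationProvider:148) - Trying to authenticate user: 'admin' via ldap.
2020-07-09 18:08:17,172 [http-nio-8081-exec-4] [DEBUG] (o.a.w.s.AccessFilter:329) - Cached key has been found for request: '/artifactory/api/docker/docker-local/v2/busybox/blobs/sha256:91f30d776fb27944b3febb64600db83a880fb4af3f55442f3ad5ee1a786295bf' with method: 'GET'
2020-07-09 18:08:17,174 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryLdapAuthenticationProvider:148) - Trying to authenticate user: 'tuser' via ldap.
2020-07-09 18:09:00,000 [http-nio-8081-exec-2] [DEBUG] (o.a.w.s.AccessFilter:329) - Cached key has been found for request: '/artifactory/api/docker/docker-local/v2/busybox/manifests/latest' with method: 'GET'
"""

if __name__ == "__main__":
    for ts, user, path in find_cache_bypasses(SAMPLE.splitlines()):
        print(f"{ts} cache hit but LDAP contacted for '{user}': {path}")
```
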