Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-22824

Non UI Authentication cache should work for all docker requests

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: 4 - Normal
    • Resolution: Unresolved
    • Affects Version/s: 6.20.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      Problem description:
      The non UI auth cache (https://www.jfrog.com/confluence/display/JFROG/LDAP#LDAP-Non-UIAuthenticationCache) doesn't work for docker requests when using basic auth.

      The issue occurs for all docker requests, whether it be for the manifest or the layers. This is due to caching being enabled only with requests that are based off a docker token. The docker client (or a smart remote repo with token based auth enabled) always goes to v2/token as a first request, upon every command (pull,push,etc) and then uses the retrieved token for all subsequent requests to artifactory for the same purpose (i.e all layers pulled by the same docker pull request).

      What is the expected behavior?
      -all docker API authentication requests are cached all the time

      Steps to reproduce:
      -enable ldap debug logs

      -try to resolve the manifest/layer via curl multiple times:  RESTRICTED_URL'S

      -notice in ldap debug logs that there is a cached key entry, yet it still reaches out to ldap. Behavior occurs for both internal and LDAP users

      2020-07-09 18:07:38,971 [http-nio-8081-exec-8] [DEBUG] (o.a.w.s.AccessFilter:329) - Cached key has been found for request: '/artifactory/api/docker/docker-local/v2/busybox/blobs/sha256:91f30d776fb27944b3febb64600db83a880fb4af3f55442f3ad5ee1a786295bf' with method: 'GET'
      2020-07-09 18:07:38,972 [http-nio-8081-exec-8] [DEBUG] (o.a.s.l.ArtifactoryLdapAuthenticationProvider:148) - Trying to authenticate user: 'admin' via ldap.
      2020-07-09 18:07:38,977 [http-nio-8081-exec-8] [DEBUG] (o.a.s.l.ArtifactoryBindAuthenticator:153) - Searching for user: '[ searchFilter: '(uid={0})', searchBase: 'ou=users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]' failed for admin: The user: 'admin' not found in directory.
      2020-07-09 18:07:38,977 [http-nio-8081-exec-8] [DEBUG] (o.a.s.l.ArtifactoryBindAuthenticator:170) - The user: 'admin' can't be found in LDAP search
      
      
      2020-07-09 18:08:17,172 [http-nio-8081-exec-4] [DEBUG] (o.a.w.s.AccessFilter:329) - Cached key has been found for request: '/artifactory/api/docker/docker-local/v2/busybox/blobs/sha256:91f30d776fb27944b3febb64600db83a880fb4af3f55442f3ad5ee1a786295bf' with method: 'GET'
      2020-07-09 18:08:17,174 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryLdapAuthenticationProvider:148) - Trying to authenticate user: 'tuser' via ldap.
      2020-07-09 18:08:17,187 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryBindAuthenticator:187) - Attempting to bind as cn=tuser,ou=users,dc=example,dc=org
      2020-07-09 18:08:17,188 [http-nio-8081-exec-4] [DEBUG] (o.s.s.l.DefaultSpringSecurityContextSource:100) - Removing pooling flag for user cn=tuser,ou=users,dc=example,dc=org
      2020-07-09 18:08:17,194 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryBindAuthenticator:222) - Retrieving attributes...
      2020-07-09 18:08:17,196 [http-nio-8081-exec-4] [DEBUG] (o.a.s.l.ArtifactoryLdapAuthenticationProvider:185) - 'tuser' authenticated successfully by ldap server.
      
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              mattheww Matthew Wang
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated: