Environment description:
1. LDAP is integrated. Groups are imported from LDAP and permissions are granted based on groups.
2. SAML SSO is enabled for UI authentication, UI permissions are processed by the SyncLdapGroups plugin.
Problem Description:
API key authentication results in a 403; the user's LDAP group permissions are not inherited.
curl -uarielk:AKCp5fUDiPt9JPDVJPbpy3Dr8cP2rZJuivLKrk9UZtg4xYQkhJc7CdDvTqrWvRSDgzsc1sUQ3 http://localhost:8081/artifactory/generic-local/jfrog.conf -I
HTTP/1.1 403 Forbidden
Server: Artifactory/6.20.1
X-Artifactory-Id: 3af65327c9258549:-158a6662:17365f8954c:-8000
Content-Type: application/json;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Sun, 19 Jul 2020 07:50:23 GMT
Prerequisites for reproduction:
1. To trace the behaviour more easily, enabling these loggers can help:
<logger name="org.artifactory.security"> <level value="trace"/> </logger>
<logger name="org.artifactory.addon.ldap"> <level value="debug"/> </logger>
<logger name="org.artifactory.webapp.servlet.AuthenticationCacheServiceImpl"> <level value="debug"/> </logger>
2. Add the line below to artifactory.system.properties to reduce the cache time, so the issue is easier to reproduce:
artifactory.security.authentication.cache.idleTimeSecs=60
Steps to reproduce:
1. Setup Artifactory 6.20.1.
2. Integrate with an LDAP. This script can be used for quick LDAP setup.
3. Make sure to note a specific user and a group that user is a member of.
4. Integrate Artifactory with SAML SSO. I used OKTA. Create the user noted in step #3 in the SAML provider and make sure it exists there.
5. Add the syncLdapGroups plugin with the LDAP Group setting you have configured.
6. In Artifactory, create the default "Docker" & "Generic" repositories via "Quick Setup".
7. Modify the permissions so that "docker-local" is accessible to the noted user directly, while "generic-local" is accessible only via the group the noted user is a member of:
"docker-local" - global permission
"generic-local" - specific permission granted to the LDAP group.
8. Login to Artifactory with the noted user via SAML SSO. Obtain an API key.
9. Login to Artifactory as an admin and confirm that the noted user's realm is SAML and that the UI does not show the user as a member of the LDAP groups.
10. Perform the below with the user and the obtained API key:
curl -uUSER:APIKEY localhost:8081/artifactory/api/docker/docker-local/v2/token
Note this in the Artifactory log:
2020-07-19 11:26:45,567 [http-nio-8081-exec-9] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:138) - Added authentication org.artifactory.security.providermgr.TokenProviderResponseAuthentication@7066a023: Principal: arielk; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user to cache.
11. Quickly (the cache idle time was set to 1 min above) run the below:
curl -uUSER:APIKEY http://localhost:8081/artifactory/generic-local/jfrog.conf -I
HTTP/1.1 403 Forbidden
Server: Artifactory/6.20.1
X-Artifactory-Id: df9a061892d2a024:2b89f2d8:173662231ce:-8000
Content-Type: application/json;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Sun, 19 Jul 2020 08:27:23 GMT
This fails although it should succeed. Using the LDAP password works:
curl -uarielk:password http://localhost:8081/artifactory/generic-local/jfrog.conf -I
HTTP/1.1 200 OK
Server: Artifactory/6.20.1
X-Artifactory-Id: df9a061892d2a024:2b89f2d8:173662231ce:-8000
Last-Modified: Wed, 15 Jul 2020 23:09:27 GMT
ETag: f2e945d34a97ec070a50c350593560a088e6f1d9
X-Checksum-Sha1: f2e945d34a97ec070a50c350593560a088e6f1d9
X-Checksum-Sha256: aceb903be0dc9121d8b960ecef54a12dd674db179da17c9d7c575f93416a3ff4
X-Checksum-Md5: 69babdc8b6e683492af10bbe21f036b3
Accept-Ranges: bytes
X-Artifactory-Filename: jfrog.conf
Content-Disposition: attachment; filename="jfrog.conf"; filename*=UTF-8''jfrog.conf
Content-Type: application/octet-stream
Content-Length: 4671
Date: Sun, 19 Jul 2020 08:28:11 GMT
Once the cache (set to 1 min) has expired, the same request succeeds as long as the first request after expiry is not to the api/docker/docker-repo/v2/token endpoint.
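As an added regression check, not part of the issue, the following Python script runs the token-endpoint-then-artifact sequence above with the API key, waits out the cache idle time, then fetches the artifact directly and classifies the pair of results; the base URL, API key and artifact path are placeholders to fill in for the instance under test.

```python
import base64
import time
import urllib.error
import urllib.request

# Placeholders (not from the issue): fill in for the instance under test.
BASE_URL = "http://localhost:8081/artifactory"
USER, API_KEY = "arielk", "APIKEY_PLACEHOLDER"
ARTIFACT = "generic-local/jfrog.conf"                # readable only via the LDAP group grant
TOKEN_ENDPOINT = "api/docker/docker-local/v2/token"  # request that primes the auth cache
CACHE_IDLE_SECS = 60  # artifactory.security.authentication.cache.idleTimeSecs from the issue


def request_status(path: str, method: str = "GET") -> int:
    """Send one API-key authenticated request and return its HTTP status code."""
    req = urllib.request.Request(f"{BASE_URL}/{path}", method=method)
    cred = base64.b64encode(f"{USER}:{API_KEY}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def classify(after_token_status: int, direct_status: int) -> str:
    """Map the two observed statuses onto the outcomes the issue describes.

    after_token_status: artifact HEAD issued right after the token endpoint.
    direct_status: artifact HEAD issued first after the cache has expired.
    """
    if after_token_status == 403 and direct_status == 200:
        return "cache-poisoned"      # cached auth lacks the LDAP group authorities
    if after_token_status == 200 and direct_status == 200:
        return "ok"                  # group permissions honoured in both orders
    if direct_status == 403:
        return "permission-missing"  # the grant itself is absent; not the cache bug
    return "unexpected"


def run_check() -> str:
    """Reproduce the two request orders from the issue and classify the outcome."""
    request_status(TOKEN_ENDPOINT)                  # prime the cache via the Docker token endpoint
    after_token = request_status(ARTIFACT, "HEAD")  # group-protected artifact, cache still warm
    time.sleep(CACHE_IDLE_SECS + 5)                 # let the cached authentication expire
    direct = request_status(ARTIFACT, "HEAD")       # first request after expiry goes to the artifact
    return classify(after_token, direct)


if __name__ == "__main__":
    print(run_check())  # "cache-poisoned" reproduces the bug; "ok" means groups are honoured
```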
Workaround:
Disabling the authentication cache for tokens, which was added in 6.20, seems to resolve the issue. This can be done by setting:
artifactory.security.authentication.cache.for.token.enabled=false
Was triggered by: RTFACT-20911 Docker and Conan login doesn't respect Non-UI cache (status: Done)