Artifactory Binary Repository / RTFACT-22897

API Key auth doesn't trigger LDAP group sync when REALM isn't LDAP

    Details

    • Type: Bug
    • Status: Done
    • Priority: 2 - Critical
    • Resolution: Done
    • Affects Version/s: 7.5.0, 6.20.0, 7.6.0, 6.20.1
    • Fix Version/s: 6.23.7, 7.12.5
    • Component/s: None
    • Labels:
    • Severity: Critical
    • Regression: Yes
    • Release Notes: Yes

      Description

      Environment description:
      1. LDAP is integrated. Groups are imported from LDAP and permissions are granted based on groups.
      2. SAML SSO is enabled for UI authentication, UI permissions are processed by the SyncLdapGroups plugin.

      Problem Description:
      API Key authentication results in 403; group permissions are not inherited.

      curl -uarielk:AKCp5fUDiPt9JPDVJPbpy3Dr8cP2rZJuivLKrk9UZtg4xYQkhJc7CdDvTqrWvRSDgzsc1sUQ3 http://localhost:8081/artifactory/generic-local/jfrog.conf -I

      HTTP/1.1 403 Forbidden
      Server: Artifactory/6.20.1
      X-Artifactory-Id: 3af65327c9258549:-158a6662:17365f8954c:-8000
      Content-Type: application/json;charset=ISO-8859-1
      Transfer-Encoding: chunked
      Date: Sun, 19 Jul 2020 07:50:23 GMT
      

      Prerequisites for reproduction:
      1. To trace what happens in the environment more easily, enabling these loggers can help:

          <logger name="org.artifactory.security">
              <level value="trace"/>
          </logger>
          <logger name="org.artifactory.addon.ldap">
              <level value="debug"/>
          </logger>
          <logger name="org.artifactory.webapp.servlet.AuthenticationCacheServiceImpl">
              <level value="debug"/>
          </logger>
      

      2. Add the below to artifactory.system.properties to reduce the cache time, so it's easier to reproduce:

      artifactory.security.authentication.cache.idleTimeSecs=60
      

      Steps to reproduce:
      1. Set up Artifactory 6.20.1.
      2. Integrate with an LDAP. This script can be used for quick LDAP setup.
      3. Make sure to note a specific user and a group he is a member of.
      4. Integrate Artifactory with SAML SSO. I used OKTA. Create the user noted in step #3 and make sure it exists in SAML.
      5. Add the syncLdapGroups plugin with the LDAP Group setting you have configured.
      6. In Artifactory, create the default "Docker" & "Generic" repositories via "Quick Setup".
      7. Modify the permissions so that "docker-local" is accessible to the noted user directly, while "generic-local" is accessible only via the group the noted user is a member of:
         "docker-local" - global permission
         "generic-local" - specific permission of the LDAP group needed.
      8. Login to Artifactory with the noted user via SAML SSO. Obtain an API key.
      9. Login to Artifactory using an admin, confirm the noted user is of REALM SAML and the UI doesn't show he's a member of the LDAP groups.
      10. Perform the below with the user and the obtained API key:

      curl -uUSER:APIKEY localhost:8081/artifactory/api/docker/docker-local/v2/token
      

      Note this in Artifactory log:

      2020-07-19 11:26:45,567 [http-nio-8081-exec-9] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:138) - Added authentication org.artifactory.security.providermgr.TokenProviderResponseAuthentication@7066a023: Principal: arielk; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user to cache.
      

      11. Quickly (as we set the cache to 1 min) run the below:

      curl -uUSER:APIKEY http://localhost:8081/artifactory/generic-local/jfrog.conf -I
      
      HTTP/1.1 403 Forbidden
      Server: Artifactory/6.20.1
      X-Artifactory-Id: df9a061892d2a024:2b89f2d8:173662231ce:-8000
      Content-Type: application/json;charset=ISO-8859-1
      Transfer-Encoding: chunked
      Date: Sun, 19 Jul 2020 08:27:23 GMT
      

      This fails, although it should succeed. Authenticating with the LDAP password works as expected:

       curl -uarielk:password http://localhost:8081/artifactory/generic-local/jfrog.conf -I
      
      HTTP/1.1 200 OK
      Server: Artifactory/6.20.1
      X-Artifactory-Id: df9a061892d2a024:2b89f2d8:173662231ce:-8000
      Last-Modified: Wed, 15 Jul 2020 23:09:27 GMT
      ETag: f2e945d34a97ec070a50c350593560a088e6f1d9
      X-Checksum-Sha1: f2e945d34a97ec070a50c350593560a088e6f1d9
      X-Checksum-Sha256: aceb903be0dc9121d8b960ecef54a12dd674db179da17c9d7c575f93416a3ff4
      X-Checksum-Md5: 69babdc8b6e683492af10bbe21f036b3
      Accept-Ranges: bytes
      X-Artifactory-Filename: jfrog.conf
      Content-Disposition: attachment; filename="jfrog.conf"; filename*=UTF-8''jfrog.conf
      Content-Type: application/octet-stream
      Content-Length: 4671
      Date: Sun, 19 Jul 2020 08:28:11 GMT
      

      Once the cache (which we set to 1 min) has expired, the request succeeds as long as the first request after expiry is not to the api/docker/docker-repo/v2/token endpoint.
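
      To spot the condition this report describes in the Artifactory log, here is an added example (not Artifactory code): it parses the AuthenticationCacheServiceImpl debug line quoted in step 10 and flags token (API key) authentications that were cached without any of the LDAP groups the user is expected to hold, which is exactly the state in which group-based permissions are denied until the entry expires. The comma-separated rendering of multiple authorities and the "bob" log lines are assumptions constructed for the sample.

```python
import re
from dataclasses import dataclass

# Matches the AuthenticationCacheServiceImpl DEBUG line quoted in this report:
# "... - Added authentication <class>@<hash>: Principal: <user>; ...; Granted Authorities: <list> to cache."
CACHE_ADD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^\]]+\] \[DEBUG\] "
    r"\(o\.a\.w\.s\.AuthenticationCacheServiceImpl:\d+\) - Added authentication "
    r"(?P<cls>[\w.$]+)@[0-9a-f]+: Principal: (?P<principal>[^;]+); "
    r".*?Granted Authorities: (?P<auths>[^;]*?) to cache\.$"
)

@dataclass
class CachedAuth:
    timestamp: str
    principal: str
    auth_class: str        # simple class name, e.g. TokenProviderResponseAuthentication
    authorities: list

def parse_cache_add(line):
    """Parse one 'Added authentication ... to cache' line; returns None for any other line."""
    m = CACHE_ADD_RE.match(line.strip())
    if m is None:
        return None
    # Assumption: several authorities are rendered comma-separated ("user, ldap-devs").
    authorities = [a.strip() for a in m.group("auths").split(",") if a.strip()]
    return CachedAuth(m.group("ts"), m.group("principal"),
                      m.group("cls").rsplit(".", 1)[-1], authorities)

def find_groupless_token_entries(lines, expected_groups):
    """Cached token (API key) authentications carrying none of the LDAP groups the user should hold.
    Such an entry means group-based permissions are denied until the cache entry expires."""
    hits = []
    for line in lines:
        entry = parse_cache_add(line)
        if entry is None or not entry.auth_class.startswith("TokenProvider"):
            continue
        if not set(expected_groups) & set(entry.authorities):
            hits.append(entry)
    return hits

# Constructed sample: the first line is the entry quoted in the report, the other two are made up.
SAMPLE_LOG = [
    "2020-07-19 11:26:45,567 [http-nio-8081-exec-9] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:138) - Added authentication "
    "org.artifactory.security.providermgr.TokenProviderResponseAuthentication@7066a023: Principal: arielk; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user to cache.",
    "2020-07-19 11:28:02,001 [http-nio-8081-exec-3] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:138) - Added authentication "
    "org.artifactory.security.providermgr.TokenProviderResponseAuthentication@1a2b3c4d: Principal: bob; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user, ldap-devs to cache.",
    "2020-07-19 11:28:05,400 [http-nio-8081-exec-4] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:150) - Cache miss for bob",
]
GROUPLESS = find_groupless_token_entries(SAMPLE_LOG, ["ldap-devs"])  # only arielk's entry
```

Run it against a log captured with the loggers from the prerequisites enabled; an entry with only the "user" authority for a user who should carry LDAP groups reproduces the 403 described above until the cache expires.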

      Workaround:
      Disabling the authentication cache for tokens, which was added in 6.20, seems to resolve the issue. This can be done by setting:

      artifactory.security.authentication.cache.for.token.enabled=false
      

      People

      Assignee: alexeiv Alexei Vainshtein
      Reporter: arielk Ariel Kabov