Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-22897

API Key auth doesn't trigger LDAP group sync when REALM isn't LDAP

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Priority: 2 - Critical
    • Resolution: Done
    • Affects Version/s: 7.5.0, 6.20.0, 7.6.0, 6.20.1
    • Fix Version/s: 6.23.7, 7.12.5
    • Component/s: None
    • Labels:
    • Severity:
      Critical
    • Regression:
      Yes
    • Release Notes:
      Yes

      Description

      Environment description:
      1. LDAP is integrated. Groups are imported from LDAP and permissions are granted based on groups.
      2. SAML SSO is enabled for UI authentication, UI permissions are processed by the SyncLdapGroups plugin.

      Problem Description:
      API Key authentication results in 403, group permissions are not inherited.

       curl -uarielk:AKCp5fUDiPt9JPDVJPbpy3Dr8cP2rZJuivLKrk9UZtg4xYQkhJc7CdDvTqrWvRSDgzsc1sUQ3 http://localhost:8081/artifactory/generic-local/jfrog.conf -I                       

HTTP/1.1 403 Forbidden
Server: Artifactory/6.20.1
X-Artifactory-Id: 3af65327c9258549:-158a6662:17365f8954c:-8000
Content-Type: application/json;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Sun, 19 Jul 2020 07:50:23 GMT

      Prerequisites for reproduction:
      1. For better tracking the environment enabling these loggers can help:

          <logger name="org.artifactory.security">
        <level value="trace"/>
    </logger>
    <logger name="org.artifactory.addon.ldap">
        <level value="debug"/>
    </logger>
    <logger name="org.artifactory.webapp.servlet.AuthenticationCacheServiceImpl">
        <level value="debug"/>
    </logger>

      2. Add the below to artifactory.system.properties to reduce the cache time, so it's easier to reproduce:

      artifactory.security.authentication.cache.idleTimeSecs=60

      Steps to reproduce:
      1. Setup Artifactory 6.20.1.
      2. Integrate with an LDAP. This script can be used for quick LDAP setup.
      3. Make sure to note a specific user and a group he is a member of.
      4. Integrate Artifactory with SAML SSO. I used OKTA. Create the user noted from step #3 and make sure it exists in SAML.
      5. Add the syncLdapGrpups plugin with the LDAP Group setting you have configured.
      6. In Artifactory, create the default "Docker" & "Generic" repositories via "Quick Setup".
      7. Modify the permissions, so "docker-local" is accessible for the noted user, but for the "generic-local" repository to be accessible via the group the noted user is a member of.
      "docker-local" - global permission
      "generic-local" - specific permission of the LDAP group needed.
      8. Login to Artifactory with the noted user via SAML SSO. Obtain an API key.
      10. Login to Artifactory using an admin, confirm the noted user is of REALM SAML and the UI doesn't show he's a member of the LDAP groups.
      11. Perform the below with the user and the obtained API key:

      curl -uUSER:APIKEY localhost:8081/artifactory/api/docker/docker-local/v2/token

      Note this in Artifactory log:

      2020-07-19 11:26:45,567 [http-nio-8081-exec-9] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:138) - Added authentication org.artifactory.security.providermgr.TokenProviderResponseAuthentication@7066a023: Principal: arielk; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user to cache.

      12. Quickly(as we changed the cache to 1 min) run the below:

      curl -uUSER:APIKEY http://localhost:8081/artifactory/generic-local/jfrog.conf -I

HTTP/1.1 403 Forbidden
Server: Artifactory/6.20.1
X-Artifactory-Id: df9a061892d2a024:2b89f2d8:173662231ce:-8000
Content-Type: application/json;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Sun, 19 Jul 2020 08:27:23 GMT

      This fails while it should work. Using the LDAP password works well:

       curl -uarielk:password http://localhost:8081/artifactory/generic-local/jfrog.conf -I

HTTP/1.1 200 OK
Server: Artifactory/6.20.1
X-Artifactory-Id: df9a061892d2a024:2b89f2d8:173662231ce:-8000
Last-Modified: Wed, 15 Jul 2020 23:09:27 GMT
ETag: f2e945d34a97ec070a50c350593560a088e6f1d9
X-Checksum-Sha1: f2e945d34a97ec070a50c350593560a088e6f1d9
X-Checksum-Sha256: aceb903be0dc9121d8b960ecef54a12dd674db179da17c9d7c575f93416a3ff4
X-Checksum-Md5: 69babdc8b6e683492af10bbe21f036b3
Accept-Ranges: bytes
X-Artifactory-Filename: jfrog.conf
Content-Disposition: attachment; filename="jfrog.conf"; filename*=UTF-8''jfrog.conf
Content-Type: application/octet-stream
Content-Length: 4671
Date: Sun, 19 Jul 2020 08:28:11 GMT

      Once the cache (which we set to 1 min) is expired, if the first request is not to the api/docker/docker-repo/v2/token endpoint, this will work well.

      Workaround:
      Disabling the authentication cache for tokens which was added in 6.20 seems to resolve the issue. This can be done by setting:

      artifactory.security.authentication.cache.for.token.enabled=false

        Attachments

          Issue Links

          was triggered by

          Bug - A problem which impairs or prevents the functions of the product RTFACT-20911 Docker and Conan login doesn't respect Non-UI cache

          • 3 - High - Impacts behavior significantly with no easy workaround provided
          • Done

            Activity

                People

                Assignee:
                alexeiv Alexei Vainshtein
                Reporter:
                arielk Ariel Kabov
                Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved:

                    Sync Status

                    Connection: RTFACT Sync
                    RTMID-22897 -
                    SYNCHRONIZED
                    • Last Sync Date: