  1. Artifactory Binary Repository
  2. RTFACT-26079

Resolution issues with NPM virtual repository when anonymous user doesn't have permissions to one of the aggregated repositories



    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 6.23.21
    • Fix Version/s: None
    • Component/s: permissions


      Issue description: We are receiving 403 errors while retrieving NPM packages from a virtual repository when the anonymous user doesn't have permissions to one of the aggregated repositories (which is a smart remote).

      What is the impact to the customer:
      They have issues resolving anonymously from virtual repos

      Environment tested:

      Artifactory v7.19.9 and 6.23.21, Standalone and HA, On prem

      Steps to reproduce:

      1. Created an NPM smart remote repository by configuring it to another Artifactory instance.
      2. Create another NPM remote repository that is configured to the default NPM registry.
      3. Now, added all these remote repositories to an NPM virtual repository (the smart remote repository is at the top).
      4. Make sure the anonymous user does not have permissions to the smart remote repository; however, it has access to the default remote repository.
      5. Configured the NPM client to the virtual repository (without npm login) and tried installing NPM packages. I observed a 403 error while installing NPM packages. Please note I have tried with both scoped and normal NPM packages; the behavior is still the same.

      I have recorded the complete replication steps, please find the video link here.

      I have also tested behavior which might help:

      Scenario 1: Changed the repository order in the virtual repository by configuring the default remote repository first, followed by a smart remote repository, which is working as expected.

      Scenario 2: Excluded the smart remote repository from the virtual repository, having the local repository (anonymous user does not have permissions to this) and the remote repository alone; in this scenario NPM install succeeded.

      Scenario 3: As we are facing the issue with an anonymous user, I have created a test user, provided permissions to the remote repository alone, and then installed NPM packages with this user, which is working as expected. This issue is replicated only when tried with the anonymous user.


      Expected behavior: The anonymous user should be able to retrieve the packages from the other remote repository even if he doesn't have permission to one of the aggregated repositories (which is a smart remote).


                pavang Pavan Gonugunta
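The reported and expected resolution outcomes from the ticket above, written as an added Python model that is not part of the original ticket and is not Artifactory's code. The `resolve` function, repository keys, user name and package names are constructed for illustration; the model encodes only what the ticket's scenarios state, plus one check that skipping a restricted repository does not expose packages held only there.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Repo:
    key: str
    kind: str            # "local", "remote" or "smart-remote"
    packages: frozenset  # package names the repository can serve

def resolve(order, package, user, readable, reported_bug=False):
    """Return (http_status, serving_repo_key) for one package request.

    order        -- aggregated repositories in virtual-repository order
    readable     -- keys of the repositories `user` has read permission on
    reported_bug -- True reproduces the behaviour described in the ticket
    """
    for repo in order:
        if repo.key not in readable:
            # Ticket: only the anonymous user hitting a smart remote gets 403.
            if reported_bug and user == "anonymous" and repo.kind == "smart-remote":
                return 403, repo.key
            continue  # expected: an unreadable member is skipped
        if package in repo.packages:
            return 200, repo.key
    return 404, None

# Constructed sample data; keys and package names are placeholders.
SMART = Repo("npm-smart", "smart-remote", frozenset({"internal-lib", "lodash"}))
NPMJS = Repo("npm-remote", "remote", frozenset({"lodash", "@scope/pkg"}))
LOCAL = Repo("npm-local", "local", frozenset({"internal-lib"}))

def scenarios():
    anon = {"npm-remote"}  # read permission on the default remote only
    return {
        "reported": resolve([SMART, NPMJS], "lodash", "anonymous", anon, True),
        "scenario1": resolve([NPMJS, SMART], "lodash", "anonymous", anon, True),
        "scenario2": resolve([LOCAL, NPMJS], "lodash", "anonymous", anon, True),
        "scenario3": resolve([SMART, NPMJS], "lodash", "testuser", anon, True),
        "expected": resolve([SMART, NPMJS], "lodash", "anonymous", anon, False),
        # Skipping must not expose packages only the restricted repo holds.
        "no_leak": resolve([SMART, NPMJS], "internal-lib", "anonymous", anon, False),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10} -> {result}")
```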