RTFACT-26744 (Artifactory Binary Repository)

Updating Java Keystore in the UI invalidates all Docker tokens


    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Deferred
    • Affects Version/s: 7.31.0
    • Fix Version/s: None
    • Component/s: Docker
    • Labels:
      None
    • Environment:

      Ubuntu 20.04 LTS 

        Debian installation of Artifactory 7.31.13

        Subdomain method via Nginx reverse proxy

    • Location:
      External

      Description

      Problem description: 

      Updating the Java Keystore password via the UI causes previously working Docker tokens to fail. This causes a spike of 401 errors in the logs; the Docker client itself will request an updated token.

      Additional actions involving the keystore, mainly updating certificates from the Admin -> Security -> Certificates menu, also cause all tokens to be invalidated. This additional behavior only happens when an external JDK is used. 

      An external JDK has more problems than the bundled JDK, but this bug happens for both types using the steps described in this JIRA.

      What is the expected behavior? 

      Previously working tokens should continue to work until they expire. If invalidation due to the change is expected, there should be a warning popup about the behavior.

      Steps to reproduce:

      1] Get a Docker API token via curl

      curl -u admin:password docker.art.local/v2/token

      {"token":"AKC[...]s","expires_in":3600}

      2] Test it via a manifest.json pull, get a 200 OK

      curl -H"Authorization: Bearer AKC[...]" -o /dev/null docker.art.local/v2/library/nginx/manifests/latest

      3] Update the Keystore password via the UI. Go to Admin -> Artifactory -> Security -> Keys Management -> Java Keystore.

      4] After clicking "Update", recheck the same token using curl; note that it stops working and produces a 401 Forbidden

      curl -H"Authorization: Bearer AKC[...]" -o /dev/null docker.art.local/v2/library/nginx/manifests/latest

      Behind the scenes, Artifactory is checking to see if there is a user attached to the token; there is a 404 Not Found on a user lookup for AKC[...].

      [access-service.log]

      2022-01-28T20:44:08.416Z|65772edc163401ee|127.0.0.1|jfrt@01frv0wdn1e5k502f0vhaq0mgv|GET|/access/api/v1/users/AKC[...]JB| 404 |160|-1|2|JFrog Access Java Client/7.33.5 73305900 Artifactory/7.31.13 73113900

       

      Environment details:
         Artifactory version which the bug was reproduced on: 7.31.13

         DB type & Version: Postgres 12.9
         Is this an HA env? Reproduced in both HA and standalone
         Is this On-Prem or SaaS? On-Prem
         OS details if relevant: Not relevant, Ubuntu 20.04
         Installation type: Debian installation
         
      Possible workaround:

      Normal Docker clients experience invalid tokens routinely; they just request a new, updated token. This bug causes all tokens to expire at once, but the clients themselves should be able to recover.

      Third-party clients and manual token use will be impacted by this bug, until they request new tokens.
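
      One way to spot this mass invalidation from access-service.log, as an added example that is not part of the original report or of Artifactory: it counts, per minute, the distinct tokens whose user lookup returned 404. The field positions are an assumption taken from the single log line quoted in the description; the function names, threshold and sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag minutes in which many distinct bearer tokens fail the
# Access user lookup with 404, the pattern described in this issue.
# Assumption: fields are '|'-separated in the order of the one log line shown
# in the report: 1=timestamp, 5=method, 6=path, 7=status.

# Usage: invalidation_spikes THRESHOLD < access-service.log
# Prints "<minute> <distinct-token-count>" for minutes at or above THRESHOLD.
invalidation_spikes() {
  awk -F'|' -v min="$1" '
    {
      status = $7; gsub(/[ \t]/, "", status)      # report shows " 404 " padded
      if ($5 != "GET" || status != "404") next
      if (index($6, "/access/api/v1/users/") != 1) next
      minute = substr($1, 1, 16)                  # e.g. 2022-01-28T20:44
      key = minute SUBSEP $6                      # count each token once
      if (!(key in seen)) { seen[key] = 1; count[minute]++ }
    }
    END {
      for (m in count) if (count[m] >= min) print m, count[m]
    }' | sort
}

# Constructed sample lines; TOKEN_A..TOKEN_D are placeholders, not real tokens.
sample_log() {
  cat <<'EOF'
2022-01-28T20:43:10.001Z|trace01|127.0.0.1|svc@example|GET|/access/api/v1/users/TOKEN_A|200|160|-1|2|client
2022-01-28T20:44:08.416Z|trace02|127.0.0.1|svc@example|GET|/access/api/v1/users/TOKEN_A| 404 |160|-1|2|client
2022-01-28T20:44:09.100Z|trace03|127.0.0.1|svc@example|GET|/access/api/v1/users/TOKEN_B|404|160|-1|2|client
2022-01-28T20:44:09.900Z|trace04|127.0.0.1|svc@example|GET|/access/api/v1/users/TOKEN_A|404|160|-1|2|client
2022-01-28T20:44:30.000Z|trace05|127.0.0.1|svc@example|GET|/access/api/v1/users/TOKEN_C|404|160|-1|2|client
2022-01-28T20:50:00.000Z|trace06|127.0.0.1|svc@example|GET|/access/api/v1/users/TOKEN_D|404|160|-1|2|client
2022-01-28T20:50:01.000Z|trace07|127.0.0.1|svc@example|POST|/access/api/v1/tokens|404|160|-1|2|client
EOF
}

# Three distinct tokens fail in the same minute; the lone 20:50 failure is ignored.
sample_log | invalidation_spikes 3   # prints: 2022-01-28T20:44 3
```

      A minute that lines up with a Java Keystore or certificate change in the UI points at this bug rather than at ordinary token expiry.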


              People

              Assignee:
              Unassigned
              Reporter:
              patrickr Patrick Russell

                  Sync Status

                  Connection: RTFACT Sync
                  RTMID-26754 -
                  SYNCHRONIZED