- Type: Bug
- Status: Closed
- Resolution: Deferred
- Affects Version/s: 7.31.0
- Fix Version/s: None
- Component/s: Docker
- Labels: None
- Environment:
  Ubuntu 20.04 LTS
  Debian installation of Artifactory 7.31.13
  Subdomain method via Nginx reverse proxy
- Location: External
Problem description:
Updating the Java Keystore password via the UI causes previously working Docker tokens to fail. This causes a spike of 401 errors in the logs, and the Docker client itself will request an updated token.
Additional actions involving the keystore, mainly updating certificates from the Admin -> Security -> Certificates menu, also cause all tokens to be invalidated. This additional behavior only happens when an external JDK is used.
An external JDK has more problems than the bundled JDK, but this bug happens for both types using the steps described in this JIRA.
What is the expected behavior?
Previously working tokens should continue to work until they expire. If invalidation due to the change is expected, there should be a warning popup about the behavior.
Steps to reproduce:
1] Get a Docker API token via curl
curl -u admin:password docker.art.local/v2/token
{"token":"AKC[...]s","expires_in":3600}
2] Test it via a manifest.json pull, get a 200 OK
curl -H"Authorization: Bearer AKC[...]" -o /dev/null docker.art.local/v2/library/nginx/manifests/latest
3] Update the Keystore password via the UI. Go to Admin -> Artifactory -> Security -> Keys Management -> Java Keystore.
4] After clicking "Update", recheck the same token using curl. Note that it stops working and produces a 401 Forbidden
curl -H"Authorization: Bearer AKC[...]" -o /dev/null docker.art.local/v2/library/nginx/manifests/latest
Behind the scenes, Artifactory checks whether there is a user attached to the token; the user lookup for AKC[...] returns a 404 Not Found.
[access-service.log]
2022-01-28T20:44:08.416Z|65772edc163401ee|127.0.0.1|jfrt@01frv0wdn1e5k502f0vhaq0mgv|GET|/access/api/v1/users/AKC[...]JB| 404 |160|-1|2|JFrog Access Java Client/7.33.5 73305900 Artifactory/7.31.13 73113900
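One way to spot this event in access-service.log, as an added example that is not part of the original report or JFrog's tooling: it flags a burst of 404 user lookups whose path ends in an AKC value, as in the log line above. The field positions, threshold and window are assumptions, and the sample lines are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Field positions are inferred from the one log line quoted in this report
# (pipe-delimited); they are an assumption, not a documented schema.
TS, METHOD, PATH, STATUS = 0, 4, 5, 6
USER_LOOKUP = "/access/api/v1/users/"

def token_lookup_misses(lines):
    """Yield timestamps of 404 user lookups where the 'user name' is an AKC token."""
    for line in lines:
        f = [p.strip() for p in line.split("|")]
        if len(f) <= STATUS or f[METHOD] != "GET" or f[STATUS] != "404":
            continue
        if f[PATH].startswith(USER_LOOKUP + "AKC"):
            yield datetime.strptime(f[TS], "%Y-%m-%dT%H:%M:%S.%fZ")

def find_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return the start time of every burst of >= threshold misses inside window."""
    recent, bursts, in_burst = deque(), [], False
    for ts in token_lookup_misses(lines):
        recent.append(ts)
        while ts - recent[0] > window:  # drop misses older than the window
            recent.popleft()
        if len(recent) >= threshold and not in_burst:
            bursts.append(recent[0])
        in_burst = len(recent) >= threshold
    return bursts

# Constructed sample lines in the layout quoted above; token values are placeholders.
TAIL = "|160|-1|2|JFrog Access Java Client/7.33.5 73305900 Artifactory/7.31.13 73113900"

def sample_line(ts, user, status):
    return f"{ts}|0000000000000000|127.0.0.1|jfrt@example|GET|{USER_LOOKUP}{user}| {status} {TAIL}"

SAMPLE = [
    sample_line("2022-01-28T20:30:00.000Z", "admin", 200),
    sample_line("2022-01-28T20:40:00.100Z", "AKCplaceholder0", 404),  # isolated miss
    sample_line("2022-01-28T20:44:08.416Z", "AKCplaceholder1", 404),
    sample_line("2022-01-28T20:44:09.020Z", "AKCplaceholder2", 404),
    sample_line("2022-01-28T20:44:11.731Z", "AKCplaceholder3", 404),
    sample_line("2022-01-28T20:44:12.000Z", "nosuchuser", 404),  # not a token
]

if __name__ == "__main__":
    for start in find_bursts(SAMPLE):
        print("possible mass token invalidation starting", start.isoformat())
```

A burst that lines up with a keystore password or certificate change in the UI points to this bug rather than to ordinary token expiry.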
Environment details:
Artifactory version which the bug was reproduced on: 7.31.13
DB type & Version: Postgres 12.9
Is this an HA env? Reproduced in both HA and standalone
Is this On-Prem or SaaS? On-Prem
OS details if relevant: Not relevant, Ubuntu 20.04
Installation type: Debian installation
Possible workaround:
Normal Docker clients experience invalid tokens routinely; they just request a new, updated token. This bug causes all tokens to expire at once, but the clients themselves should be able to recover.
Third-party clients and manual token use will be impacted by this bug, until they request new tokens.