[RTFACT-4398] Add access control to builds
Created: 08/Sep/11  Updated: 27/Dec/18  Resolved: 20/Dec/18

Status: Resolved
Project: Artifactory Binary Repository
Component/s: Build Server Integration, Security
Affects Version/s: 4.2.2
Fix Version/s: 6.6.0

Type: New Feature
Priority: Normal
Reporter: Fred Simon
Assignee: Yuval Reches
Resolution: Fixed
Votes: 21
Labels: None

Issue Links:
Dependency
is a precondition for RTFACT-6340 Do not display Builds to Anonymous users Resolved
Duplicate
is duplicated by RTFACT-16394 Users able to publish build informati... Resolved
is duplicated by RTFACT-15976 The "read" permission doesn't apply t... Resolved
Relationship
relates to RTFACT-10699 Allow non-admin users access to build... Open
relates to RTFACT-15976 The "read" permission doesn't apply t... Resolved
is related to RTFACT-12705 Permissions model for build info tab ... Resolved

 Description   

Allow definition of special permission targets for build elements.



 Comments   
Comment by malcolm arnold [ 18/Nov/14 ]

Can we also have access control for the "Change License" button on the "Licence" tab, please? I want people to be able to read which licences are used by which dependencies, but not be able to modify them.

Comment by Simon Eickel [ 19/Nov/15 ]

Any update on this?

Comment by Felix Herzog [ 13/Apr/16 ]

I'd like to push this one, please. I want to explain here why:
We have one big central Artifactory, hosting many repositories for many projects we develop for our different customers. We are going to offer an external central Artifactory for different projects and thus different customers. We need to be able to provide information and data explicitly only to the members of that project. We have to prevent different customers from getting information about the projects of any other customer (project). Currently you can define access to data and information on a per-repository basis. Sadly, you can also see a lot of information inside the builds view.

As far as I know Artifactory, here are my ideas for solutions:

  • Make it possible to define a "Project" in Artifactory instead of permission targets based on repositories. This means you would maybe have a screen where you define the relevant repositories (including local, remote and virtual repositories), the permissions of users/groups, and give a "project name" as well as (ideal for us) a unique project key. By this you will be able to cluster the "builds" screen by projects, and so logged-in people only see the builds and information of the "project" they are permitted to.
  • Or: give Artifactory the intelligence to use the information in the builds about which repositories are used in this build, and thus which permission target(s) is/are relevant for this build screen. And so ONLY accounts that have at least read permission on all of the relevant repositories of the build will be able to SEE the "build Project". This might be a bit hacky but maybe can be done quicker.

Regards,
Felix

Comment by Piyush Singhal [ 14/May/16 ]

I would want to push it as well.
My Artifactory system has strict permissions set in terms of who can view and download artifacts. My authentication scheme is my corporate AD, and so any person who has a valid corporate AD account will be able to log in. By default a non-defined account does not even have read permissions, but with access to the Build tab the whole security context goes for a toss. To me it does not even sound like a feature request; instead it should be taken as a bug.

Regards
Piyush

Comment by Marek Cwynar [ 05/Aug/16 ]

I work in an enterprise where there are several groups of internal developers. In addition, some external developers provide artifacts to that repository. In an enterprise environment that feature is a "must have".

Comment by Dimitar Sakarov [ 19/Oct/16 ]

Same for us. We will use an empty repository as a workaround, but we lost quite some time figuring out this issue and we are not happy with the way it currently works.

Comment by Nikolas Falco [ 07/Dec/17 ]

Same for us: we have clients that have access and should not see all our builds (because they could see competitors).

@dimitar.sakarov I do not understand your workaround.

Comment by Dimitar Sakarov [ 14/Dec/17 ]

Nikolas, the workaround requires write/full access for at least one repository in order to be able to access the build info.

That's why we've created an empty repository, in our case named "dummy-admin-build-info-workaround".
Then in the permissions management we've added a new "build-info-access" entry, giving full access to the dummy repository for everyone.

This enabled the access to the build info of the other regular repositories as well.

Comment by Yuval Reches [ 20/Dec/18 ]

Resolved as part of Artifactory 6.6.0 release with Build permissions.
See Release notes

Comment by Nikolas Falco [ 27/Dec/18 ]

Dimitar Sakarov the workaround does not work as we need (and is not a workaround for the ticket) because it gives access to build info to anyone who has access to at least one repo.

Yuval Reches I will ask our IT to update to see how it works. Thank you.
