2

This question concerns a local NuGet repository in Artifactory Pro 4.14.2.

We use a service account named DevNetRunnerSvc to publish NuGet artifacts to Artifactory. This account is configured with Deploy/Cache permissions and is not configured with Delete/Overwrite permissions.

DevNetRunnerSvc's effective permissions to the repository in question

However, DevNetRunnerSvc is still able to overwrite artifacts in this repository:

Artifact demonstrating modification by DevNetRunnerSvc

I'd like some assistance in protecting artifacts from any and all overwrites (as is appropriate for a published NuGet package), or a determination that this is a bug that should be forwarded to JFrog.

Additional information:

  • The (lightly sanitized) command used to publish artifacts is:

    jfrog rt upload $(Join-Path $env:CI_PROJECT_DIR "$($env:PACKAGE).$($env:VERSION).nupkg") nuget-org-dev/org/$($env:PACKAGE)/$($env:PACKAGE).$($env:VERSION)-$($env:CI_BUILD_REF_SLUG).nupkg

  • While debugging this issue, I've removed DevNetRunnerSvc from all Groups.
  • Removing the Deploy/Cache permission from DevNetRunnerSvc successfully prevents it from publishing artifacts to this repository.
  • 'Promoting' a published artifact from this repository to another one is prevented appropriately:

    [Info] Moving artifact: nuget-org-dev/org/org.Infra.Pipeline/org.Infra.Pipeline.0.2.2-master.nupkg to: nuget-org/org/org.Infra.Pipeline/org.Infra.Pipeline.0.2.2.nupkg
    [Error] Artifactory response: 409 Conflict
    {
      "messages": [
        {
          "level": "ERROR",
          "message": "User doesn't have permissions to move 'nuget-org-dev:org/org.Infra.Pipeline/org.Infra.Pipeline.0.2.2-master.nupkg'. Needs delete permissions."
        }
      ]
    }

  • The command used to execute the above is:

    jfrog rt move "nuget-org-dev/(org)/($($env:PACKAGE))/($($env:PACKAGE).$($env:VERSION))-$($env:CI_BUILD_REF_SLUG)(.nupkg)" "nuget-org/{1}/{2}/{3}{4}"

  • I've added myself as a watcher to this repository. When DevNetRunnerSvc overwrites an artifact, I receive the following event notification:

    Thu Apr 13 12:25:34 EDT 2017 [devnetrunnersvc/10.228.128.23] [CREATED] nuget-org-dev/org/org.Infra.Pipeline/org.Infra.Pipeline.0.2.2-master.nupkg

Matt Alioto
  • I'm not sure if I'm missing something, but just to make sure: when you remove the "Delete/Overwrite" permissions, you are unable to overwrite the artifact? If this is the case, I'm not sure what the issue is here. It seems like perfectly normal behaviour – Ariel Apr 16 '17 at 06:24
  • When I remove the delete/overwrite permission, I am still able to overwrite the artifact. To say the least, this is not expected behavior! Deleting the artifact is blocked like you'd expect. Is there a way I can make the question clearer? Feel free to edit! – Matt Alioto Apr 16 '17 at 14:02
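
The watcher notification quoted in the question reports an overwrite as a second [CREATED] event for a path that already exists, so overwrites of published packages can be flagged from the notification stream. A sketch of that check, added here and not part of the original post or of Artifactory: only the first sample line comes from the question; the other sample lines, the `org.Example` package and the `DELETED` action name are assumptions.

```python
import re

# Notification shape quoted in the question:
#   <timestamp> [<user>/<ip>] [<ACTION>] <repo>/<path>
EVENT_RE = re.compile(
    r"^(?P<ts>.+?) \[(?P<user>[^/\]]+)/(?P<ip>[^\]]+)\] "
    r"\[(?P<action>[A-Z_]+)\] (?P<path>\S+)$"
)

def find_overwrites(lines, suffix=".nupkg"):
    """Flag every CREATED event for a path that already exists."""
    present = {}    # path -> event that created the copy currently stored
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or not m["path"].endswith(suffix):
            continue                      # unrelated line or non-package path
        ev = m.groupdict()
        if ev["action"] == "CREATED":
            prev = present.get(ev["path"])
            if prev:                      # second CREATED with no delete between
                findings.append({
                    "path": ev["path"],
                    "first_created": prev["ts"],
                    "overwritten_at": ev["ts"],
                    "by": f'{ev["user"]}/{ev["ip"]}',
                })
            present[ev["path"]] = ev
        elif ev["action"] == "DELETED":   # assumed action name, not on the page
            present.pop(ev["path"], None)
    return findings

PIPELINE = "nuget-org-dev/org/org.Infra.Pipeline/org.Infra.Pipeline.0.2.2-master.nupkg"
EXAMPLE = "nuget-org-dev/org/org.Example/org.Example.1.0.0-master.nupkg"  # constructed
SAMPLE_EVENTS = [
    # First line is the notification quoted in the question; the rest are constructed.
    f"Thu Apr 13 12:25:34 EDT 2017 [devnetrunnersvc/10.228.128.23] [CREATED] {PIPELINE}",
    f"Thu Apr 13 12:27:10 EDT 2017 [devnetrunnersvc/192.0.2.10] [CREATED] {EXAMPLE}",
    f"Thu Apr 13 12:31:02 EDT 2017 [devnetrunnersvc/192.0.2.10] [CREATED] {PIPELINE}",
    f"Thu Apr 13 12:40:00 EDT 2017 [admin/192.0.2.20] [DELETED] {EXAMPLE}",
    f"Thu Apr 13 12:41:30 EDT 2017 [devnetrunnersvc/192.0.2.10] [CREATED] {EXAMPLE}",
]

if __name__ == "__main__":
    for f in find_overwrites(SAMPLE_EVENTS):
        print("OVERWRITE", f["path"], "by", f["by"], "at", f["overwritten_at"])
```

The check only knows about packages whose first [CREATED] event falls inside the lines it is given, so it should be fed the notification history from the start of the repository or seeded with a listing of existing paths.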

1 Answer

1

Looks like it was a bug, as mentioned in this Jira, RTFACT-14442, which is fixed in the later versions. Also, Artifactory version 4.14.2 has met its end of life and JFrog will not take any bugs for this version. I would highly recommend upgrading Artifactory to the latest versions, which are 6.23 or 7.10.

Muhammed Kashif