Anonymous Deploying? Settings.xml ignored?

Anonymous Deploying? Settings.xml ignored?

dave_p
We seem to have two separate problems but I'm suspicious that they're related.

We have anonymous access enabled, which allows read-only access for unauthenticated users as well as deploy/cache permissions for -cache repositories. Additionally, we have a couple service accounts that different dev teams are supposed to use in their Maven settings.xml files to deploy artifacts.

What's weird is that in the access.log file, I see a LOT of "ACCEPTED DEPLOY" lines for anonymous users at various IPs. Also, they're deploying into virtual repositories. (?) What's weirder, is that they're all for .pom files which are one or more weeks old - they've long since been deployed already. Are they being overwritten? How is anonymous able to deploy anything anyway? Especially to a virtual repo?

Secondly, there seem to be a number of users with credentials in their settings.xml files which, for whatever reason, are showing up as unauthenticated when they try to deploy a snapshot or release artifact. (They have their team account in their settings.xml file, and maven is recognizing it, but when the attempt to deploy shows up in the access.log, it shows "DENIED DEPLOY" and "for anonymous/IPA.DD.RE.SS")

Any thoughts on either of these issues would be appreciated.

Thanks,
Dave

Re: [#34440] Anonymous Deploying? Settings.xml ignored?

JFrog Support
Hello Dave,

Thank you for contacting us.

From what you are describing, unauthenticated users have permission to deploy/cache. So what is probably occurring is that these unauthenticated users are using GET from the virtual repository → the GET request has dependencies which are not yet cached in Artifactory → Artifactory goes out to a remote endpoint to get these dependencies, which then creates a deployment, since caching files is the same as deploying files.

This of course can be avoided by disabling the deploy/cache permissions for unauthenticated users but would cause the expected issues of GET responses failing when dependencies are missing in the current local/remote cache repository.

Regarding users showing as unauthenticated when deploying jobs for which their settings.xml is configured, would it be possible to share a settings.xml example with us (with the password encrypted)? Please verify that the configuration is set properly, as explained in our online wiki for working with Maven, especially the setting up security section.

For reference, you can see projects which are ready for usage examples on our Github page, which can be found here.

Best regards,
Mor
JFrog Support
 


On Fri, 4 Dec at 8:20 PM , Dave Pierce <[hidden email]> wrote:
We seem to have two separate problems but I'm suspicious that they're
related.

We have anonymous access enabled, which allows read-only access for
unauthenticated users as well as deploy/cache permissions for -cache
repositories. Additionally, we have a couple service accounts that different
dev teams are supposed to use in their maven settings.xml files to deploy
artifacts.

What's weird is that in the access.log file, I see a LOT of "ACCEPTED
DEPLOY" lines for anonymous users at various IPs. Also, they're deploying
into virtual repositories. (?) What's weirder, is that they're all for .pom
files which are one or more weeks old - they've long since been deployed
already. Are they being overwritten? How is anonymous able to deploy
anything anyway? Especially to a virtual repo?

Secondly, there seem to be a number of users with credentials in their
settings.xml files which, for whatever reason, are showing up as
unauthenticated when they try to deploy a snapshot or release artifact.
(They have their team account in their settings.xml file, and maven is
recognizing it, but when the attempt to deploy shows up in the access.log,
it shows "DENIED DEPLOY" and "for anonymous/IPA.DD.RE.SS")

Any thoughts on either of these issues would be appreciated.

Thanks,
Dave



--
View this message in context: http://forums.jfrog.org/Anonymous-Deploying-Settings-xml-ignored-tp7580638.html
Sent from the Artifactory - Users mailing list archive at Nabble.com.

_______________________________________________
Artifactory-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/artifactory-users
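
Added example (not part of the original thread, and not JFrog code): a small triage script that separates the anonymous "ACCEPTED DEPLOY" entries explained above as cache fills from anonymous deploys that deserve a permissions review, and lists "DENIED DEPLOY" entries logged as anonymous. The line layout in the regex, the repository names in REPO_TYPES, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout: <date> <time> [<RESULT> <ACTION>] <repo>:<path> for <user>/<ip>.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<result>ACCEPTED|DENIED) (?P<action>[A-Z ]+)\] "
    r"(?P<repo>[^:\s]+):(?P<path>\S+) for (?P<user>[^/\s]+)/(?P<ip>\S+?)\.?$")
# Hypothetical repository inventory (repo key -> type); substitute your own.
REPO_TYPES = {"libs-release": "virtual", "repo1-cache": "remote-cache",
              "libs-release-local": "local", "libs-snapshot-local": "local"}
# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
2015-12-04 20:01:11,120 [ACCEPTED DEPLOY] libs-release:org/example/lib/1.0/lib-1.0.pom for anonymous/192.0.2.10.
2015-12-04 20:01:12,301 [ACCEPTED DEPLOY] repo1-cache:org/example/lib/1.0/lib-1.0.jar for anonymous/192.0.2.10.
2015-12-04 20:03:40,007 [DENIED DEPLOY] libs-snapshot-local:com/example/app/2.0-SNAPSHOT/app-2.0-SNAPSHOT.jar for anonymous/192.0.2.22.
2015-12-04 20:05:02,550 [ACCEPTED DEPLOY] libs-release-local:com/example/app/1.9/app-1.9.pom for team-a/192.0.2.30.
2015-12-04 20:06:19,884 [ACCEPTED DEPLOY] libs-release-local:com/example/app/1.9/app-1.9.pom for anonymous/192.0.2.44.
2015-12-04 20:07:00,000 [ACCEPTED DOWNLOAD] libs-release:org/example/lib/1.0/lib-1.0.pom for anonymous/192.0.2.10.
"""

def classify(entry, repo_types):
    """Label an anonymous DEPLOY entry; return None for anything else."""
    if entry["user"] != "anonymous" or entry["action"] != "DEPLOY":
        return None
    if entry["result"] == "DENIED":
        return "denied-anonymous-deploy"  # deploy attempt logged without an authenticated user
    if repo_types.get(entry["repo"], "unknown") in ("virtual", "remote-cache"):
        return "cache-fill"  # GET through a virtual repo that cached a remote file
    return "anonymous-write"  # accepted anonymous deploy outside a cache

def triage(log_text, repo_types=REPO_TYPES):
    """Return (Counter of labels, entries that need a human look)."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        label = classify(m.groupdict(), repo_types) if m else None
        if label is None:
            continue
        counts[label] += 1
        if label != "cache-fill":
            review.append((label, m.group("repo"), m.group("ip")))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    print(dict(counts))
    for item in review:
        print(*item)
```

Repositories missing from the inventory are treated as non-cache, so an incomplete REPO_TYPES map produces extra "anonymous-write" entries to review rather than hiding them.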