User anonymous is not permitted to deploy package.json

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

User anonymous is not permitted to deploy package.json

kallenchen
Hi,

I have a npm remote registry set in artifactory with anonymous users have "Read" permission and admin users have "Depoly", "Annotate" and "Read" permission.

After the admin user do a npm install, npm packages are deployed to my npm registry. But when the anonymous user try to install the package that is already cached in my npm registry, artifactory run into:

[ERROR] (o.a.a.n.r.NpmRemoteRepoHandler:289) - Error occurred while parsing the response of a remote npm JSON query on 'http://registry.npmjs.org': User anonymous is not permitted to deploy '.npm/gulp-filter/package.json' into 'npmjs-cache:.npm/gulp-filter/package.json'.

This error will be off if the admin user do a npm update, but it will appear again after a while (usually a day or two). I thought maybe npm tries deploying to artifactory when it finds an update to the package, so I tried "npm install <package>@<version number>" but got same error.

Why does anonymous user need deploy permission to read a package that has already been cached in registry? I have read about this thread: http://forums.jfrog.org/User-anonymous-is-not-permitted-to-deploy-into-repo1-cache-td3832350.html I understand deploy permission is required when a package is not cached, but this doesn't explain my issue.

Thank you!
Reply | Threaded
Open this post in threaded view
|

Re: User anonymous is not permitted to deploy package.json

shayb
Metadata files (such as the package.json file) are considered as expirable files. Expirable files are updated from the remote server based on the 'Retrieval Cache Period (Secs)' configuration and the trigger for the update is a new request from a client to the remote repository.

In your case, it seems like a user (admin) tried to install a specific package (gulp-filter), which caused Artifactory to download and cache the pacakge.json and the actual package file into the remote-cache, and then, return it to the user. When another user tries to download the same 'gulp-filter' from the remote repository, Artifactory will return it to the user from the cache unless if the 'Retrieval Cache Period' duration (which is 12 hours by default) ended already. If it ended, and a user is trying to install the package, Artifactory will go (on behalf of the user that requested the package, anonymous in your case) and check if there is a newer package.json on the remote server. If there is, it will try to cache it on behalf of the user that requested it. Now, if the anonymous user has not enough permission for that (which seems to be the case from the error snippet that you have attached), Artifactory will fail to cache it and the install command will fail as well.

To overcome this, you can either define proper permissions for the anonymous user so it will be able to cache the newer metadata files, or ensure that your users runs the install command with an authenticated user that has proper permissions.

As a side node, you might be interested to know that the retrieval cache period can be configured to a different value than 12 hours. 

Hope that helps,
Shayb.




On Wed, May 27, 2015 at 9:31 PM, kallenchen [via Artifactory] <[hidden email]> wrote:
Hi,

I have a npm remote registry set in artifactory with anonymous users have "Read" permission and admin users have "Depoly", "Annotate" and "Read" permission.

After the admin user do a npm install, npm packages are deployed to my npm registry. But when the anonymous user try to install the package that is already cached in my npm registry, artifactory run into:

[ERROR] (o.a.a.n.r.NpmRemoteRepoHandler:289) - Error occurred while parsing the response of a remote npm JSON query on 'http://registry.npmjs.org': User anonymous is not permitted to deploy '.npm/gulp-filter/package.json' into 'npmjs-cache:.npm/gulp-filter/package.json'.

This error will be off if the admin user do a npm update, but it will appear again after a while (usually a day or two). I thought maybe npm tries deploying to artifactory when it finds an update to the package, so I tried "npm install <package>@<version number>" but got same error.

Why does anonymous user need deploy permission to read a package that has already been cached in registry? I have read about this thread: http://forums.jfrog.org/User-anonymous-is-not-permitted-to-deploy-into-repo1-cache-td3832350.html I understand deploy permission is required when a package is not cached, but this doesn't explain my issue.

Thank you!


If you reply to this email, your message will be added to the discussion below:
http://forums.jfrog.org/User-anonymous-is-not-permitted-to-deploy-package-json-tp7580313.html
To start a new topic under Artifactory - Users, email [hidden email]
To unsubscribe from Artifactory, click here.
NAML

Reply | Threaded
Open this post in threaded view
|

Re: User anonymous is not permitted to deploy package.json

kallenchen
Thank you!