To allow anonymous access to specific artifacts or images in a repository, use Artifactory Permission Targets with an “Include Pattern”, which defines unique permissions and limits access to the matching artifacts/images in the repository. The detailed steps are as follows:
1. First, enable “Allow Anonymous Access” to activate anonymous user access to Artifactory. For Artifactory versions before 7.90.x (Classic UI navigation), navigate to Administration -> User Management -> Settings. For Artifactory versions starting from 7.90.x (New Platform UI navigation), navigate to Administration -> Platform Security -> General. Then enable the checkbox for ‘Allow Anonymous Access’. Screenshots for reference:
Classic UI navigation:
New Platform UI navigation:
Note: This enables anonymous access on all Artifactory repositories. The following steps restrict it using permission targets.
2. After activating anonymous access, remove all default permissions defined in Artifactory for the user “Anonymous”. To do so, navigate to Administration -> User Management -> Permissions, then edit the “Anything” and “Any Remote” permission targets to remove the existing permission for the user “Anonymous”. Screenshots for reference:
Classic UI navigation:
New Platform UI navigation:
3. After removing the default permissions, create a new permission target that grants access to the specific artifact/image in the repository that you want the anonymous user to reach. In the following example, we have a Docker local repository (test-docker-local) with a few images (busybox, nginx) deployed in it. Assume that we want to allow anonymous access only to the busybox images.
4. To achieve this, I created a permission target named ‘allowAnonymousAccessToSpecificArtifacts’ and, under ‘Resources’, added the ‘test-docker-local’ repository to it. Then I removed the default (**) include pattern and added the ‘busybox/**’ include pattern in the repository resources. This allows access only to the busybox image in the test-docker-local repository.
5. Then I added the ‘Anonymous’ user with ‘read’ to the ‘allowAnonymousAccessToSpecificArtifacts’ permission target under the Users tab.
After defining the permissions for the specific image, I tested them by pulling the images (busybox and nginx) in the ‘test-docker-local’ repository as an anonymous user. Below is the result of each test.
Test 1: Downloading ‘busybox’ image using anonymous user
Test 2: Downloading ‘nginx’ image using anonymous user
In Test 1, the ‘busybox’ image was pulled successfully from the ‘test-docker-local’ repository anonymously. In Test 2, pulling nginx from the same ‘test-docker-local’ repository failed with a permission error, because only ‘busybox’ is set in the ‘include pattern’ for the anonymous user.
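The effect of steps 2 to 5 can be checked offline with a small model of how permission targets combine. This is an added example, not JFrog code: the JSON field names follow the shape of Artifactory's v2 permission-target REST payload as an assumption, the lowercase user name `anonymous`, the `ANY` repository value and the Docker paths are constructed sample data, and the Ant-style matcher is a simplified approximation.

```python
import re

# Constructed sample data in the shape of Artifactory permission-target JSON
# (field names assumed from the v2 security REST API, not taken from the page).
ANYTHING = {"name": "Anything", "repo": {
    "repositories": ["ANY"], "include-patterns": ["**"],
    "actions": {"users": {"anonymous": ["read"]}}}}
BUSYBOX_ONLY = {"name": "allowAnonymousAccessToSpecificArtifacts", "repo": {
    "repositories": ["test-docker-local"], "include-patterns": ["busybox/**"],
    "actions": {"users": {"anonymous": ["read"]}}}}

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (**, *, ?) into a compiled regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3   # zero or more directories
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2         # anything, across slashes
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1      # anything within one segment
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1       # one character, not a slash
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def targets_granting_read(targets, repo, path, user="anonymous"):
    """Names of permission targets that give `user` read on repo/path.
    Only user grants and the literal "ANY" repository are modelled."""
    hits = []
    for t in targets:
        r = t.get("repo", {})
        if "read" not in r.get("actions", {}).get("users", {}).get(user, []):
            continue
        repos = r.get("repositories", [])
        if repo not in repos and "ANY" not in repos:
            continue
        included = any(ant_to_regex(p).match(path)
                       for p in r.get("include-patterns", ["**"]))
        excluded = any(ant_to_regex(p).match(path)
                       for p in r.get("exclude-patterns", []) if p)
        if included and not excluded:
            hits.append(t["name"])
    return hits

if __name__ == "__main__":
    for label, targets in (("defaults kept", [ANYTHING, BUSYBOX_ONLY]),
                           ("defaults removed", [BUSYBOX_ONLY])):
        for path in ("busybox/latest/manifest.json", "nginx/latest/manifest.json"):
            print(label, path, targets_granting_read(targets, "test-docker-local", path))
```

With the default “Anything” grant still in place, the nginx path remains readable anonymously even though the new target names only busybox, which is why step 2 has to come before the include pattern can restrict anything.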