Support User Identity Extraction for Request Authorization

JFrog Artifactory Documentation


You can use your client certificate to both authenticate and authorize requests to the JFrog Platform without sending any additional credentials, as long as the certificate embeds the user identity.

To enable user-based access for clients authenticating with mTLS, have the certificate carry a username; the JFrog Platform then grants access only to the resources for which that user has permissions.

For example, your certificate's subject might look like this: Subject: C=IL, L=Netanya, O=Maldin, OU=DO, CN=myuser@jfrog.com, where the username you want is "myuser", taken from the Subject's CN. In this case, set the system.yaml regexp to look something like this:

security:
  authentication:
    mtls: # Mutual-TLS authentication configuration
      enabled: true                          # if true then mTLS is enabled
      extraction-regex: '[^@]+(?=\d{0,}@)'   # regular expression used to extract the username from the certificate's subject CN; single-quoted so YAML does not read the leading [ as a flow sequence or \d as an escape

From Version 7.77.x

Set the access.config.latest.yml to look something like this:

# To change the configuration in an Access service, follow these instructions:
# 1. Find the value you want to update
# 2. Set the value in the access.config.latest.yml file under [$JFROG_HOME]/artifactory/var/etc/access
# 3. Change access.config.latest.yml to access.config.import.yml
# 4. Restart Access

security:
  authentication:
    mtls: # Mutual-TLS authentication configuration
      enabled: true                          # if true then mTLS is enabled
      extraction-regex: '[^@]+(?=\d{0,}@)'   # regular expression used to extract the username from the certificate's subject CN; single-quoted so YAML does not read the leading [ as a flow sequence or \d as an escape

You can also set the regular expression to whatever you need in order to parse the username, as it is defined in the JFrog Platform, from the subject's CN attribute. Keep in mind that the regular expression only selects the username; it does not validate it. Any CA whose certificates the platform trusts for mTLS can therefore issue a certificate whose CN maps to any username, so restrict the trusted CAs accordingly, and test the expression against the CN formats you actually issue (for instance, a CN without an '@' yields no match with the expression above).
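To check an extraction regex against the CN formats you actually issue before changing the configuration, here is a small Python script added to this page (it is not part of the JFrog documentation or product). It applies the regex from the configuration examples above to constructed sample subjects. It assumes that the platform takes the first match of the regex against the CN value as the username (re.search semantics); the STRICT_REGEX alternative, the parse_subject helper and every sample subject other than the first are constructed for illustration.

```python
import re

# The extraction regex from the configuration examples above.
EXTRACTION_REGEX = r"[^@]+(?=\d{0,}@)"

# Constructed, tighter alternative (not from the JFrog docs): only accept
# CNs of the form <local-part>@jfrog.com and return the local part.
STRICT_REGEX = r"^[A-Za-z0-9._-]+(?=@jfrog\.com$)"


def parse_subject(subject: str) -> dict:
    """Split an RFC 4514-style subject string into {attribute: value}.
    A literal comma inside a value is expected to be escaped as '\\,'.
    Small helper written for this example, not JFrog code."""
    attrs = {}
    # Split on commas that are not preceded by a backslash.
    for rdn in re.split(r"(?<!\\),\s*", subject):
        if "=" not in rdn:
            continue
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def extract_username(subject: str, regex: str = EXTRACTION_REGEX):
    """Return the username extracted from the subject's CN, or None when the
    subject has no CN or the regex does not match it.
    Assumption: the platform uses the first match of the regex against the
    CN value (re.search here); Python and Java agree on the lookahead
    semantics this pattern relies on."""
    cn = parse_subject(subject).get("CN")
    if cn is None:
        return None
    match = re.search(regex, cn)
    return match.group(0) if match else None


# Constructed sample subjects; only the first one comes from the page.
SAMPLE_SUBJECTS = [
    "C=IL, L=Netanya, O=Maldin, OU=DO, CN=myuser@jfrog.com",
    "C=IL, O=Maldin, CN=myuser123@jfrog.com",         # digits stay in the name
    "C=IL, O=Maldin\\, Inc, CN=svc-build@jfrog.com",  # escaped comma in O
    "C=IL, O=Maldin, CN=myuser",                      # no '@': no match at all
    "C=IL, O=Maldin, CN=admin@attacker.example",      # foreign domain
    "C=IL, O=Maldin",                                 # no CN at all
]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(f"{subject!r:60} default={extract_username(subject)!r:18} "
              f"strict={extract_username(subject, STRICT_REGEX)!r}")
```

Two things the run makes visible: because `[^@]+` is greedy, the `\d{0,}` inside the lookahead never strips trailing digits, so "myuser123@jfrog.com" maps to "myuser123"; and the page's regex happily returns "admin" for "admin@attacker.example", which is why the set of trusted CAs, or an anchored expression such as STRICT_REGEX that pins the expected domain, matters more than the regex itself.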