You will be able to use your client certificate to authenticate and authorize requests in the JFrog Platform, without the need to send additional credentials, as long as the client certificate embeds the user identity.
To enable user-based access for clients authenticating with mTLS, you can have your certificate contain a username, and the JFrog Platform will only allow access to resources to which that user has permissions.
For example, your certificate's subject might look something like this:

Subject: C=IL, L=Netanya, O=Maldin, OU=DO, CN=myuser@jfrog.com

Here the username you are after is "myuser", taken from the Subject's CN. In this case, you can set the system.yaml regexp to look something like this:
```yaml
security:
  authentication:
    mtls:                                   # Mutual-TLS authentication configuration
      enabled: true                         # if true then mTLS is enabled
      extraction-regex: '[^@]+(?=\d{0,}@)'  # regular expression used to extract the username from the certificate's subject CN
```
From Version 7.77.x
Set the access.config.latest.yml to look something like this:
```yaml
# To change the configuration in an Access service, follow these instructions:
# 1. Find the value you want to update
# 2. Set the value in the access.config.latest.yml file under [$JFROG_HOME]/artifactory/var/etc/access
# 3. Change access.config.latest.yml to access.config.import.yml
# 4. Restart Access
security:
  authentication:
    mtls:                                   # Mutual-TLS authentication configuration
      enabled: true                         # if true then mTLS is enabled
      extraction-regex: '[^@]+(?=\d{0,}@)'  # regular expression used to extract the username from the certificate's subject CN
```
You can also set the regular expression to whatever you need in order to parse the username, as it is defined in the JFrog Platform, from the subject's CN attribute.
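Before deploying a custom extraction-regex, it helps to check which username each expected subject maps to, and that subjects which should not map to a user yield nothing. The following is an added example, not JFrog code: the function names are hypothetical, all sample subjects except the first are constructed, and it assumes the platform uses the first regex match found in the CN.

```python
import re
from typing import Dict, List, Optional

# The extraction-regex from the configuration shown on this page.
PAGE_REGEX = r"[^@]+(?=\d{0,}@)"


def subject_cn(subject: str) -> Optional[str]:
    """Return the CN value from a subject written as 'C=IL, L=..., CN=...'."""
    # Split on commas that are not backslash-escaped inside a value.
    for part in re.split(r"(?<!\\),", subject):
        key, sep, value = part.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None


def extract_username(subject: str, regex: str = PAGE_REGEX) -> Optional[str]:
    """Apply the regex to the CN. Assumption: the first match is the username."""
    cn = subject_cn(subject)
    if cn is None:
        return None
    match = re.search(regex, cn)
    return match.group(0) if match else None


def check_regex(regex: str, expectations: Dict[str, Optional[str]]) -> List[str]:
    """Describe every subject whose extracted username differs from the expected one."""
    problems = []
    for subject, expected in expectations.items():
        got = extract_username(subject, regex)
        if got != expected:
            problems.append(f"{subject!r}: expected {expected!r}, got {got!r}")
    return problems


# Constructed sample subjects; only the first one comes from the page.
SAMPLES: Dict[str, Optional[str]] = {
    "C=IL, L=Netanya, O=Maldin, OU=DO, CN=myuser@jfrog.com": "myuser",
    "C=IL, O=Maldin, CN=svc123@jfrog.com": "svc123",   # trailing digits are kept
    "C=IL, O=Maldin, CN=host.internal": None,          # no '@': must not map to a user
    "C=IL, O=Maldin": None,                            # no CN at all
}

if __name__ == "__main__":
    for line in check_regex(PAGE_REGEX, SAMPLES) or ["all subjects map as expected"]:
        print(line)
```

Run it with your own subjects and candidate regex; any line it prints is a certificate that would map to a different platform user than you intended.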