You can set up a JFrog Platform environment quickly using bootstrap YAML files. You can use the Artifactory bootstrap YAML file to set up the environment and create repositories and create an Access bootstrap YAML file to set the access configurations for access provider authentication.
Note
The Access Bootstrap YAML file is available from Artifactory version 7.63 and later. The information in this YAML file can be retrieved using the Export Access Configuration REST API.Export Access Configuration
Location and Usage of Access Bootstrap YAML File
Create a YAML file with the name, access.security.bootstrap.yml
, and place it under $JFROG_HOME/artifactory/var/etc/access/
and restart the services so that the configuration in the YAML file is loaded in the system.
Warning
If there are existing configurations with same name in the system, the configurations in the YAML file overwrite the current configuration.
The following snippet shows an example of the YAML configuration file template.
security: #Security configuration (LDAP, SAML, Password Policy,...) httpSsoSettings: #HTTP SSO configuration httpSsoProxied: false #When set, Artifactory trusts incoming requests and reuses the remote user originally set on the request by the SSO of the HTTP server remoteUserRequestVariable: remoter11 #The name of the HTTP request variable to use for extracting the user identity. Default is: REMOTE_USER allowUserToAccessProfile: false #When set, users created after authenticating using HTTP SSO, will be able to access their profile. This means they are able to generate their API Key and set their password for future use noAutoUserCreation: false #When set to true, authenticated users will not be automatically created inside Artifactory. Instead, for every request from a Crowd / JIRA user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups applies ldapSettings: #LDAP server(s) settings ldap1: #The unique ID of the LDAP setting emailAttribute: email1 #An attribute that can be used to map a user's email to a user created automatically by Artifactory ldapPoisoningProtection: true #When set to true (recommended), Artifactory will protect against LDAP poisoning by filtering out users exposed to vulnerability ldapUrl: ldap://myserver:myport/dc=sampledomain,dc=com #Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include the base DN used to search for and/or authenticate users search: managerDn: manager1 #The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf managerPassword: managerpass1 #The password of the user binding to the LDAP server when using "search" authentication searchBase: searchbase1 #The Context name in which to search relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This is parameter is optional searchFilter: searchfilter1 #A filter expression used to search for the user DN that is used in LDAP authentication. Possible examples are: uid={0}) - this would search for a username match on the uid attribute. Authentication using LDAP is performed from the DN found if successful searchSubTree: true #When set, enables deep search through the sub-tree of the LDAP URL + Search Base userDnPattern: userppatt1 #A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL. For example: uid={0},ou=People allowUserToAccessProfile: false #When set, users created after logging in using LDAP will be able to access their profile page in Artifactory autoCreateUser: true #When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups enabled: true #When set, these settings are enabled userDnPattern: userppatt1 #A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL. For example: uid={0},ou=People allowUserToAccessProfile: false #When set, users created after logging in using LDAP will be able to access their profile page in Artifactory autoCreateUser: true #When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups enabled: true #When set, these settings are enabled ldap5: #The unique ID of the LDAP setting emailAttribute: email1 #An attribute that can be used to map a user's email to a user created automatically by Artifactory ldapPoisoningProtection: true #When set to true (recommended), Artifactory will protect against LDAP poisoning by filtering out users exposed to vulnerability ldapUrl: ldap://myserver:myport/dc=sampledomain,dc=com #Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include the base DN used to search for and/or authenticate users search: managerDn: manager1 #The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf managerPassword: managerpass1 #The password of the user binding to the LDAP server when using "search" authentication searchBase: searchbase1 #The Context name in which to search relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This is parameter is optional searchFilter: searchfilter1 #A filter expression used to search for the user DN that is used in LDAP authentication. Possible examples are: uid={0}) - this would search for a username match on the uid attribute. Authentication using LDAP is performed from the DN found if successful searchSubTree: true #When set, enables deep search through the sub-tree of the LDAP URL + Search Base ldapGroupSettings: #LDAP group(s) settings name1: #The unique ID of the LDAP group setting descriptionAttribute: desc1 #An attribute on the group entry which denoting the group description. Used when importing groups enabledLdap: enabled1 #The LDAP setting (from the ldapSettings section) you want to use for group retrieval filter: filter1 #The LDAP filter used to search for group entries. Used when importing groups groupBaseDn: groupbase1 #A search base for group entry DNs, relative to the DN on the LDAP server's URL (and not relative to the LDAP Setting's "searchBase"). Used when importing groups groupMemberAttribute: uniqueMember #A multi-value attribute on the group entry containing user DNs or IDs of the group members (e.g., uniqueMember,member) groupNameAttribute: groupName #Attribute on the group entry denoting the group name. Used when importing groups strategy: STATIC #Group synchronization strategy subTree: false SecondGroup: #The unique ID of the LDAP group setting descriptionAttribute: desc1 #An attribute on the group entry which denoting the group description. Used when importing groups enabledLdap: enabled1 #The LDAP setting (from the ldapSettings section) you want to use for group retrieval filter: filter1 #The LDAP filter used to search for group entries. Used when importing groups groupBaseDn: groupbase1 #A search base for group entry DNs, relative to the DN on the LDAP server's URL (and not relative to the LDAP Setting's "searchBase"). Used when importing groups groupMemberAttribute: uniqueMember #A multi-value attribute on the group entry containing user DNs or IDs of the group members (e.g., uniqueMember,member) groupNameAttribute: groupName #Attribute on the group entry denoting the group name. Used when importing groups strategy: HIERARCHY #Group synchronization strategy subTree: false thirdRock: #The unique ID of the LDAP group setting descriptionAttribute: desc1 #An attribute on the group entry which denoting the group description. Used when importing groups enabledLdap: enabled1 #The LDAP setting (from the ldapSettings section) you want to use for group retrieval filter: filter1 #The LDAP filter used to search for group entries. Used when importing groups groupBaseDn: groupbase1 #A search base for group entry DNs, relative to the DN on the LDAP server's URL (and not relative to the LDAP Setting's "searchBase"). Used when importing groups groupMemberAttribute: uniqueMember #A multi-value attribute on the group entry containing user DNs or IDs of the group members (e.g., uniqueMember,member) groupNameAttribute: groupName #Attribute on the group entry denoting the group name. Used when importing groups strategy: DYNAMIC #Group synchronization strategy subTree: false crowdSettings: #Crowd / JIRA users management configuration applicationName: myApp #The application name configured for Artifactory in Crowd / JIRA password: password #The application password configured for Artifactory in Crowd / JIRA serverUrl: http://someurl.com #The full URL of the server to use sessionValidationInterval: 0 #The time window, in minutes, in which the session does not need to be revalidated enableIntegration: false #Set this checkbox to enable security integration with Atlassian Crowd or JIRA noAutoUserCreation: false #When set to true, authenticated users will not be automatically created inside Artifactory. Instead, for every request from a Crowd / JIRA user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups applies useDefaultProxy: false directAuthentication: false samlSettings: #SAML SSO settings oktaApp: #the setting name enableIntegration: false #When set, SAML integration is enabled and users may be authenticated via a SAML server certificate: <certificate from identity provider> #The X.509 certificate that contains the public key. The certificate must contain the public key to allow Artifactory to verify sign-in requests emailAttribute: #If noAutoUserCreation is set to false or an internal user exists, Artifactory will set the user's email to the value in this attribute that is returned by the SAML login XML response. groupAttribute: #The group attribute in the SAML login XML response loginUrl: http://someurl.com/login #The identity provider login URL (when you try to login, the service provider redirects to this URL) logoutUrl: http://someurl.com/logout #The identity provider logout URL (when you try to logout, the service provider redirects to this URL) noAutoUserCreation: true #When set, for every request from a SAML user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups apply. Without automatic user creation, you must manually create the user inside Artifactory to manage user permissions not attached to their default groups. When not set, authenticated users are automatically created in Artifactory. allowUserToAccessProfile: false #Auto created users will have access to their profile page and will be able to perform actions such as generate API key autoRedirect: false #When set, clicking on the login link will direct users to the configured SAML login URL syncGroups: false #When set, in addition to the groups the user is already associated with, he will also be associated with the groups returned in the SAML login response. Note that the user's association with the returned groups is not persistent. It is only valid for the current login session. verifyAudienceRestriction: True serviceProviderName: serviceProvider #the Identity provider ID
Limitations of Access Bootstrap YAML File
The limitations stem from the principle that the YAML configuration file is designated for configuration of new Artifactory instances that have not been used before.
Ensure that no YAML file with a similar filename already exists. If a similar configuration file exists it might override this file.
After loading, the YAML configuration file will be deleted.
Access Bootstrap Configuration
security: #Security configuration (LDAP, SAML, Password Policy, ...) ldapSettings: #LDAP server(s) settings ldap1: #The unique ID of the LDAP setting emailAttribute: email1 #An attribute that can be used to map a user's email to a user created automatically by Artifactory ldapPoisoningProtection: true #When set to true (recommended), Artifactory will protect against LDAP poisoning by filtering out users exposed to vulnerability ldapUrl: ldap://myserver:myport/dc=sampledomain,dc=com #Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include the base DN used to search for and/or authenticate users search: managerDn: manager1 #The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf managerPassword: managerpass1 #The password of the user binding to the LDAP server when using "search" authentication searchBase: searchbase1 #The Context name in which to search relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This is parameter is optional searchFilter: searchfilter1 #A filter expression used to search for the user DN that is used in LDAP authentication. Possible examples are: uid={0}) - this would search for a username match on the uid attribute. Authentication using LDAP is performed from the DN found if successful searchSubTree: true #When set, enables deep search through the sub-tree of the LDAP URL + Search Base userDnPattern: userppatt1 #A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL. For example: uid={0},ou=People allowUserToAccessProfile: false #When set, users created after logging in using LDAP will be able to access their profile page in Artifactory autoCreateUser: true #When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups enabled: true #When set, these settings are enabled
security: #Security configuration (LDAP, SAML, Password Policy, ...) ldapGroupSettings: #LDAP group(s) settings name1: #The unique ID of the LDAP group setting descriptionAttribute: desc1 #An attribute on the group entry which denoting the group description. Used when importing groups enabledLdap: enabled1 #The LDAP setting (from the ldapSettings section) you want to use for group retrieval filter: filter1 #The LDAP filter used to search for group entries. Used when importing groups groupBaseDn: groupbase1 #A search base for group entry DNs, relative to the DN on the LDAP server's URL (and not relative to the LDAP Setting's "searchBase"). Used when importing groups groupMemberAttribute: uniqueMember #A multi-value attribute on the group entry containing user DNs or IDs of the group members (e.g., uniqueMember,member) groupNameAttribute: groupName #Attribute on the group entry denoting the group name. Used when importing groups strategy: STATIC | DYNAMIC | HIERARCHY #Group synchronization strategy subTree: false
security: #Security configuration (LDAP, SAML, Password Policy, ...) crowdSettings: #Crowd / JIRA users management configuration applicationName: myApp #The application name configured for Artifactory in Crowd / JIRA password: password #The application password configured for Artifactory in Crowd / JIRA serverUrl: http://someurl.com #The full URL of the server to use sessionValidationInterval: 0 #The time window, in minutes, in which the session does not need to be revalidated enableIntegration: false #Set this checkbox to enable security integration with Atlassian Crowd or JIRA noAutoUserCreation: false #When set to true, authenticated users will not be automatically created inside Artifactory. Instead, for every request from a Crowd / JIRA user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups applies useDefaultProxy: false #If set and a default proxy definition exists, it is used to pass through to the Crowd / JIRA Server directAuthentication: false #Authenticate using credentials instead of the default session, token-based authentication. This is required for use with JIRA User Server.
security: #Security configuration (LDAP, SAML, Password Policy, ...) httpSsoSettings: #HTTP SSO configuration httpSsoProxied: false #When set, Artifactory trusts incoming requests and reuses the remote user originally set on the request by the SSO of the HTTP server remoteUserRequestVariable: remoter #The name of the HTTP request variable to use for extracting the user identity. Default is: REMOTE_USER allowUserToAccessProfile: false #When set, users created after authenticating using HTTP SSO, will be able to access their profile. This means they are able to generate their API Key and set their password for future use noAutoUserCreation: false #When set to true, authenticated users will not be automatically created inside Artifactory. Instead, for every request from a Crowd / JIRA user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups applies