You can set up a JFrog Platform environment quickly using bootstrap YAML files. You can use the Artifactory bootstrap YAML file to set up the environment and create repositories, and create an Access bootstrap YAML file to set the access configurations for access provider authentication.
Note
The Access Bootstrap YAML file is available from Artifactory version 7.63 and later. The information in this YAML file can be retrieved using the Export Access Configuration REST API.Export Access Configuration
Note
Starting from Artifactory version 7.126.3, the JFrog Platform supports making changes to the access.security.bootstrap.yml file without creating a new configuration or modifying the existing Artifactory YAML file.
Location and Usage of Access Bootstrap YAML File
Create a YAML file with the name, access.security.bootstrap.yml , and place it under $JFROG_HOME/artifactory/var/etc/access/ and restart the services so that the configuration in the YAML file is loaded in the system.
Warning
If there are existing configurations with same name in the system, the configurations in the YAML file overwrite the current configuration.
The following snippet shows an example of the YAML configuration file template.
security: #Security configuration (LDAP, SAML, Password Policy,...)
httpSsoSettings: #HTTP SSO configuration
httpSsoProxied: false #When set, Artifactory trusts incoming requests and reuses the remote user originally set on the request by the SSO of the HTTP server
remoteUserRequestVariable: remoter11 #The name of the HTTP request variable to use for extracting the user identity. Default is: REMOTE_USER
allowUserToAccessProfile: false #When set, users created after authenticating using HTTP SSO, will be able to access their profile. This means they are able to generate their API Key and set their password for future use
noAutoUserCreation: false #When set to true, authenticated users will not be automatically created inside Artifactory. Instead, for every request from a Crowd / JIRA user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups applies
ldapSettings: #LDAP server(s) settings
ldap1: #The unique ID of the LDAP setting
emailAttribute: email1 #An attribute that can be used to map a user's email to a user created automatically by Artifactory
ldapPoisoningProtection: true #When set to true (recommended), Artifactory will protect against LDAP poisoning by filtering out users exposed to vulnerability
ldapUrl: ldap://myserver:myport/dc=sampledomain,dc=com #Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include the base DN used to search for and/or authenticate users
search:
managerDn: manager1 #The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf
managerPassword: managerpass1 #The password of the user binding to the LDAP server when using "search" authentication
searchBase: searchbase1 #The Context name in which to search relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This is parameter is optional
searchFilter: searchfilter1 #A filter expression used to search for the user DN that is used in LDAP authentication. Possible examples are: uid={0}) - this would search for a username match on the uid attribute. Authentication using LDAP is performed from the DN found if successful
searchSubTree: true #When set, enables deep search through the sub-tree of the LDAP URL + Search Base
userDnPattern: userppatt1 #A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL. For example: uid={0},ou=People
allowUserToAccessProfile: false #When set, users created after logging in using LDAP will be able to access their profile page in Artifactory
autoCreateUser: true #When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups
enabled: true #When set, these settings are enabled
userDnPattern: userppatt1 #A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL. For example: uid={0},ou=People
allowUserToAccessProfile: false #When set, users created after logging in using LDAP will be able to access their profile page in Artifactory
autoCreateUser: true #When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups
enabled: true #When set, these settings are enabled
ldap5: #The unique ID of the LDAP setting
emailAttribute: email1 #An attribute that can be used to map a user's email to a user created automatically by Artifactory
ldapPoisoningProtection: true #When set to true (recommended), Artifactory will protect against LDAP poisoning by filtering out users exposed to vulnerability
ldapUrl: ldap://myserver:myport/dc=sampledomain,dc=com #Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include the base DN used to search for and/or authenticate users
search:
managerDn: manager1 #The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf
managerPassword: managerpass1 #The password of the user binding to the LDAP server when using "search" authentication
searchBase: searchbase1 #The Context name in which to search relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This is parameter is optional
searchFilter: searchfilter1 #A filter expression used to search for the user DN that is used in LDAP authentication. Possible examples are: uid={0}) - this would search for a username match on the uid attribute. Authentication using LDAP is performed from the DN found if successful
searchSubTree: true #When set, enables deep search through the sub-tree of the LDAP URL + Search Base
ldapGroupSettings: #LDAP group(s) settings
name1: #The unique ID of the LDAP group setting
descriptionAttribute: desc1 #An attribute on the group entry which denoting the group description. Used when importing groups
enabledLdap: enabled1 #The LDAP setting (from the ldapSettings section) you want to use for group retrieval
filter: filter1 #The LDAP filter used to search for group entries. Used when importing groups
groupBaseDn: groupbase1 #A search base for group entry DNs, relative to the DN on the LDAP server's URL (and not relative to the LDAP Setting's "searchBase"). Used when importing groups
groupMemberAttribute: uniqueMember #A multi-value attribute on the group entry containing user DNs or IDs of the group members (e.g., uniqueMember,member)
groupNameAttribute: groupName #Attribute on the group entry denoting the group name. Used when importing groups
strategy: STATIC #Group synchronization strategy
subTree: false
SecondGroup: #The unique ID of the LDAP group setting
descriptionAttribute: desc1 #An attribute on the group entry which denoting the group description. Used when importing groups
enabledLdap: enabled1 #The LDAP setting (from the ldapSettings section) you want to use for group retrieval
filter: filter1 #The LDAP filter used to search for group entries. Used when importing groups
groupBaseDn: groupbase1 #A search base for group entry DNs, relative to the DN on the LDAP server's URL (and not relative to the LDAP Setting's "searchBase"). Used when importing groups
groupMemberAttribute: uniqueMember #A multi-value attribute on the group entry containing user DNs or IDs of the group members (e.g., uniqueMember,member)
groupNameAttribute: groupName #Attribute on the group entry denoting the group name. Used when importing groups
strategy: HIERARCHY #Group synchronization strategy
subTree: false
thirdRock: #The unique ID of the LDAP group setting
descriptionAttribute: desc1 #An attribute on the group entry which denoting the group description. Used when importing groups
enabledLdap: enabled1 #The LDAP setting (from the ldapSettings section) you want to use for group retrieval
filter: filter1 #The LDAP filter used to search for group entries. Used when importing groups
groupBaseDn: groupbase1 #A search base for group entry DNs, relative to the DN on the LDAP server's URL (and not relative to the LDAP Setting's "searchBase"). Used when importing groups
groupMemberAttribute: uniqueMember #A multi-value attribute on the group entry containing user DNs or IDs of the group members (e.g., uniqueMember,member)
groupNameAttribute: groupName #Attribute on the group entry denoting the group name. Used when importing groups
strategy: DYNAMIC #Group synchronization strategy
subTree: false
crowdSettings: #Crowd / JIRA users management configuration
applicationName: myApp #The application name configured for Artifactory in Crowd / JIRA
password: password #The application password configured for Artifactory in Crowd / JIRA
serverUrl: http://someurl.com #The full URL of the server to use
sessionValidationInterval: 0 #The time window, in minutes, in which the session does not need to be revalidated
enableIntegration: false #Set this checkbox to enable security integration with Atlassian Crowd or JIRA
noAutoUserCreation: false #When set to true, authenticated users will not be automatically created inside Artifactory. Instead, for every request from a Crowd / JIRA user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups applies
useDefaultProxy: false
directAuthentication: false
samlSettings: #SAML SSO settings
TestSAML: #The name of the SAML configuration
enableIntegration: false #When set, SAML integration is enabled and users may be authenticated via a SAML server
certificate: meekus #The X.509 certificate that contains the public key. The certificate must contain the public key to allow Artifactory to verify sign-in requests
emailAttribute: HanswlMcDonald@zoo.com #If noAutoUserCreation is set to false or an internal user exists, Artifactory will set the user's email to the value in this attribute that is returned by the SAML login XML response.
groupAttribute: Mugatu #The group attribute in the SAML login XML response
loginUrl: http://rufus.com/login #The identity provider login URL (when you try to login, the service provider redirects to this URL)
logoutUrl: http://brint.com/logout #The identity provider logout URL (when you try to logout, the service provider redirects to this URL)
noAutoUserCreation: true #When set, for every request from a SAML user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups apply. Without automatic user creation, you must manually create the user inside Artifactory to manage user permissions not attached to their default groups. When not set, authenticated users are automatically created in Artifactory.
allowUserToAccessProfile: false #Auto created users will have access to their profile page and will be able to perform actions such as generate API key
autoRedirect: false #When set, clicking on the login link will direct users to the configured SAML login URL
syncGroups: false #When set, in addition to the groups the user is already associated with, he will also be associated with the groups returned in the SAML login response. Note that the user's association with the returned groups is not persistent. It is only valid for the current login session.
verifyAudienceRestriction: True #Wh
serviceProviderName: serviceProvider
Magnum:
enableIntegration: false #When set, SAML integration is enabled and users may be authenticated via a SAML server
certificate: stiller #The X.509 certificate that contains the public key. The certificate must contain the public key to allow Artifactory to verify sign-in requests
emailAttribute: ben@owen.com #If noAutoUserCreation is set to false or an internal user exists, Artifactory will set the user's email to the value in this attribute that is returned by the SAML login XML response.
groupAttribute: Mugatu #The group attribute in the SAML login XML response
loginUrl: http://rufus.com/login #The identity provider login URL (when you try to login, the service provider redirects to this URL)
logoutUrl: http://brint.com/logout #The identity provider logout URL (when you try to logout, the service provider redirects to this URL)
noAutoUserCreation: true #When set, for every request from a SAML user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups apply. Without automatic user creation, you must manually create the user inside Artifactory to manage user permissions not attached to their default groups. When not set, authenticated users are automatically created in Artifactory.
allowUserToAccessProfile: false #Auto created users will have access to their profile page and will be able to perform actions such as generate API key
autoRedirect: false #When set, clicking on the login link will direct users to the configured SAML login URL
syncGroups: false #When set, in addition to the groups the user is already associated with, he will also be associated with the groups returned in the SAML login response. Note that the user's association with the returned groups is not persistent. It is only valid for the current login session.
verifyAudienceRestriction: True
serviceProviderName: serviceProvider #the Identity provider ID
Limitations of Access Bootstrap YAML File
The limitations stem from the principle that the YAML configuration file is designated for configuration of new Artifactory instances that have not been used before.
Ensure that no YAML file with a similar filename already exists. If a similar configuration file exists it might override this file.
After loading, the YAML configuration file will be deleted.
Access Bootstrap Configuration
security: #Security configuration (LDAP, SAML, Password Policy, ...)
ldapSettings: #LDAP server(s) settings
ldap1: #The unique ID of the LDAP setting
emailAttribute: email1 #An attribute that can be used to map a user's email to a user created automatically by Artifactory
ldapPoisoningProtection: true #When set to true (recommended), Artifactory will protect against LDAP poisoning by filtering out users exposed to vulnerability
ldapUrl: ldap://myserver:myport/dc=sampledomain,dc=com #Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include the base DN used to search for and/or authenticate users
search:
managerDn: manager1 #The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf
managerPassword: managerpass1 #The password of the user binding to the LDAP server when using "search" authentication
searchBase: searchbase1 #The Context name in which to search relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This is parameter is optional
searchFilter: searchfilter1 #A filter expression used to search for the user DN that is used in LDAP authentication. Possible examples are: uid={0}) - this would search for a username match on the uid attribute. Authentication using LDAP is performed from the DN found if successful
searchSubTree: true #When set, enables deep search through the sub-tree of the LDAP URL + Search Base
userDnPattern: userppatt1 #A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL. For example: uid={0},ou=People
allowUserToAccessProfile: false #When set, users created after logging in using LDAP will be able to access their profile page in Artifactory
autoCreateUser: true #When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups
enabled: true #When set, these settings are enabledsecurity: #Security configuration (LDAP, SAML, Password Policy, ...)
ldapGroupSettings: #LDAP group(s) settings
name1: #The unique ID of the LDAP group setting
descriptionAttribute: desc1 #An attribute on the group entry which denoting the group description. Used when importing groups
enabledLdap: enabled1 #The LDAP setting (from the ldapSettings section) you want to use for group retrieval
filter: filter1 #The LDAP filter used to search for group entries. Used when importing groups
groupBaseDn: groupbase1 #A search base for group entry DNs, relative to the DN on the LDAP server's URL (and not relative to the LDAP Setting's "searchBase"). Used when importing groups
groupMemberAttribute: uniqueMember #A multi-value attribute on the group entry containing user DNs or IDs of the group members (e.g., uniqueMember,member)
groupNameAttribute: groupName #Attribute on the group entry denoting the group name. Used when importing groups
strategy: STATIC | DYNAMIC | HIERARCHY #Group synchronization strategy
subTree: falsesecurity: #Security configuration (LDAP, SAML, Password Policy, ...)
crowdSettings: #Crowd / JIRA users management configuration
applicationName: myApp #The application name configured for Artifactory in Crowd / JIRA
password: password #The application password configured for Artifactory in Crowd / JIRA
serverUrl: http://someurl.com #The full URL of the server to use
sessionValidationInterval: 0 #The time window, in minutes, in which the session does not need to be revalidated
enableIntegration: false #Set this checkbox to enable security integration with Atlassian Crowd or JIRA
noAutoUserCreation: false #When set to true, authenticated users will not be automatically created inside Artifactory. Instead, for every request from a Crowd / JIRA user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups applies
useDefaultProxy: false #If set and a default proxy definition exists, it is used to pass through to the Crowd / JIRA Server
directAuthentication: false #Authenticate using credentials instead of the default session, token-based authentication. This is required for use with JIRA User Server.security: #Security configuration (LDAP, SAML, Password Policy, ...)
httpSsoSettings: #HTTP SSO configuration
httpSsoProxied: false #When set, Artifactory trusts incoming requests and reuses the remote user originally set on the request by the SSO of the HTTP server
remoteUserRequestVariable: remoter #The name of the HTTP request variable to use for extracting the user identity. Default is: REMOTE_USER
allowUserToAccessProfile: false #When set, users created after authenticating using HTTP SSO, will be able to access their profile. This means they are able to generate their API Key and set their password for future use
noAutoUserCreation: false #When set to true, authenticated users will not be automatically created inside Artifactory. Instead, for every request from a Crowd / JIRA user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups applies