API Key User Collection for Self-Hosted Customers

JFrog Platform Administration Documentation


As of Artifactory version 7.47.10, the platform can record which authentication method each login used. With this information you can identify every user and client that still authenticates with an API Key and notify them that they need to switch to another authentication method (for example, an Access Token).

Block Creation of New API Keys

To block the creation of new API Keys in the JFrog Platform, set the property artifactory.security.apiKey.blockCreate to true in the $JFROG_HOME/artifactory/var/etc/artifactory/artifactory.system.properties file; the change takes effect after Artifactory is restarted. This only prevents new keys from being created: existing API Keys keep working until they are revoked or their owners move to another authentication method, which is why the collection steps below are still needed.

Logging of the authentication method used for each login is enabled by default; no configuration is needed for the steps below.

Enable User Collection for Self-Hosted Customers

Every accepted login is written to var/log/artifactory-access.log with the authentication method as the final bracketed field. Run the following command to list the logins that used an API Key:

bash-4.4$ cat var/log/artifactory-access.log | grep "\\[ACCEPTED LOGIN\\].*\\[apiKey\\]$"

For example:

2022-11-03T10:26:00.944Z [64f8d13a96f81f10] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]
2022-11-03T10:26:15.252Z [7beab97bfa421337] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [token]

Obtain the Realm and Authentication Attempts

If the username and authentication method alone are not enough (for example, when you need the realm a user authenticates against in order to track where the API Key is being used), enable debug logging for the security package:

  1. Open var/etc/artifactory/logback.xml.

  2. Add the following logger definition to the file:

    <logger name="org.artifactory.security" level="debug" additivity="false">
        <appender-ref ref="FILE"/>
    </logger>

  3. Search var/log/artifactory-service.log for the string "Trying to authenticate user:". Each match shows the user and the realm, for example:

    Trying to authenticate user: 'user1' via ldap.

    Debug logging increases the volume of artifactory-service.log; remove the logger again once you have collected the data you need.

Collect the Data

  1. JFrog recommends letting the system run with this logging in place for some time (three months is the recommended period) so that infrequently used API Keys also appear in the logs.

  2. Run a grep command on the logs you collected (or parse them with your own tools) to list every username that used an API Key during the collection period. Because artifactory-access.log is rotated, search the rotated copies as well as the current file. The pattern is anchored on the final field, so a copy of the log with Windows line endings or trailing whitespace will not match until those are stripped. For example:

    bash-4.4$ cat var/log/artifactory-access.log | grep "\\[ACCEPTED LOGIN\\].*\\[apiKey\\]$"
    2022-11-08T13:43:33.208Z [1c8a8e6db8a35b8e] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]
    2022-11-08T13:43:52.290Z [2d1cefa1c521a36 ] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]
  3. Notify the users found in the log that they must replace their API Keys with Access Tokens or another authentication method.
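The collection and realm lookup described in the steps above, as an added example that is not part of the JFrog documentation or product: a POSIX shell script that reads artifactory-access.log (including rotated copies) and reports, per user, how many API Key logins were accepted, from how many source addresses, and when the last one occurred, and that reads the "Trying to authenticate user:" debug lines from artifactory-service.log to show each user's realm. The sample log lines it embeds are constructed for the example; the trace IDs, the ci-bot user, the 10.0.0.x addresses, the "internal" realm name and the prefix of the service-log lines are assumptions, and the parser relies only on the line shapes shown on this page.

```shell
#!/bin/sh
# Added example, not part of the JFrog documentation or product. It summarises
# API Key logins from artifactory-access.log and the realm recorded by the
# "Trying to authenticate user:" debug lines in artifactory-service.log.
# Every sample log line below is constructed: trace IDs, the ci-bot user, the
# 10.0.0.x addresses, the "internal" realm and the service-log line prefix are
# assumptions made for the example.
set -e

# Concatenate any number of log files; gzip-rotated copies (*.gz) are expanded.
cat_logs() {
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc -- "$f" ;;
      *)    cat -- "$f" ;;
    esac
  done
}

# One line per user that logged in with an API Key:
#   <user> <accepted logins> <distinct source IPs> <last seen, UTC>
# CRs are stripped first so the trailing "[apiKey]$" anchor still matches on
# a log that was copied through a Windows host. Timestamps are compared as
# strings, which is valid because the log writes fixed-width ISO 8601 UTC.
# Nothing depends on field positions, so a trace ID containing a space
# (as in "[2d1cefa1c521a36 ]" above) does not break the parse.
apikey_report() {
  cat_logs "$@" | tr -d '\r' | awk '
    /\[ACCEPTED LOGIN\] for client : .* \/ [^ ]+\. \[apiKey\]$/ {
      user = $0
      sub(/^.*\[ACCEPTED LOGIN\] for client : /, "", user)
      sub(/ \/ [^ ]+\. \[apiKey\]$/, "", user)
      ip = $0
      sub(/ \[apiKey\]$/, "", ip); sub(/\.$/, "", ip); sub(/^.* \/ /, "", ip)
      count[user]++
      if (!((user SUBSEP ip) in seen)) { seen[user SUBSEP ip] = 1; ips[user]++ }
      if ($1 > last[user]) last[user] = $1
    }
    END { for (u in count) printf "%s %d %d %s\n", u, count[u], ips[u], last[u] }
  ' | sort
}

# One line per (user, realm) pair found in the debug log: <user> <realm> <count>
# The single quote is passed in as the variable q so that the awk program can
# stay inside the shell's single quotes.
realm_report() {
  cat_logs "$@" | tr -d '\r' | awk -v q="'" '
    BEGIN { re = "Trying to authenticate user: " q "[^" q "]*" q " via [^ .]+\\." }
    match($0, re) {
      s = substr($0, RSTART, RLENGTH)
      user = s;  sub("^[^" q "]*" q, "", user); sub(q ".*$", "", user)
      realm = s; sub(/^.* via /, "", realm);    sub(/\.$/, "", realm)
      count[user " " realm]++
    }
    END { for (k in count) printf "%s %d\n", k, count[k] }
  ' | sort
}

# Write constructed sample logs into the given directory: a rotated access
# log, the current access log (one line with CRLF endings), and a service log
# with the security debug logger enabled as described above.
write_sample_logs() {
  sample_dir=$1
  printf '%s\n' \
    '2022-11-03T10:26:00.944Z [64f8d13a96f81f10] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]' \
    '2022-11-03T10:26:15.252Z [7beab97bfa421337] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [token]' \
    > "$sample_dir/artifactory-access.1.log"
  printf '%s\n' \
    '2022-11-08T13:43:33.208Z [1c8a8e6db8a35b8e] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]' \
    '2022-11-08T13:43:52.290Z [2d1cefa1c521a36 ] [ACCEPTED LOGIN] for client : admin / 10.0.0.5. [apiKey]' \
    > "$sample_dir/artifactory-access.log"
  printf '%s\r\n' \
    '2022-11-09T08:00:00.000Z [aaaaaaaaaaaaaaaa] [ACCEPTED LOGIN] for client : ci-bot / 10.0.0.9. [apiKey]' \
    >> "$sample_dir/artifactory-access.log"
  printf '%s\n' \
    "2022-11-09T08:00:00.001Z [DEBUG] - Trying to authenticate user: 'ci-bot' via ldap." \
    "2022-11-08T13:43:33.200Z [DEBUG] - Trying to authenticate user: 'admin' via internal." \
    "2022-11-08T13:43:52.280Z [DEBUG] - Trying to authenticate user: 'admin' via internal." \
    > "$sample_dir/artifactory-service.log"
}

# Demo run on the constructed samples. On a real host point the functions at
# $JFROG_HOME/artifactory/var/log/artifactory-access.log (plus rotated copies)
# and $JFROG_HOME/artifactory/var/log/artifactory-service.log instead.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
echo "API Key logins (user, logins, source IPs, last seen):"
apikey_report "$demo_dir"/artifactory-access*.log
echo "Realms seen in the debug log (user, realm, attempts):"
realm_report "$demo_dir/artifactory-service.log"
rm -rf "$demo_dir"
```

The report keeps the last-seen timestamp per user, so at the end of the collection window it also tells you which API Keys are still in active use rather than only which users ever used one; the distinct-IP count is what you want when the same service account's key has been copied onto several build agents.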