How can I determine which users need build delete permission?

Joshua Han
2019-04-21 18:11

Summary

Artifactory 6.6 and above introduces build permissions. This may affect an existing build info deployment process that requires deleting or replacing build info.

Affected Versions

6.6.0 and above

Details

Starting with Artifactory 6.6.0, the following REST APIs require build delete permission:

Without the proper delete permission, the REST APIs may result in an HTTP 500 error (RTFACT-19039) in the logs. For example:

$ grep "api/build" request* | grep "|500|"

20190408131015|2785|REQUEST|11.11.11.11|myuser|POST|/api/build/retention/mybuild|HTTP/1.0|500|129

20190408042449|163|REQUEST|11.11.11.11|myuser2|PUT|/api/build|HTTP/1.0|500|5259

artifactory.log or catalina.out may print exceptions similar to the following:

2019-04-07 03:28:28,763 [http-nio-12000-exec-130] [INFO ] (o.a.r.r.c.BuildResource:318) – Retention policy for build 'mybuild' scheduled to run

2019-04-07 03:28:28,763 [art-exec-31960] [INFO ] (o.a.b.BuildServiceImpl:668) – Async delete of build mybuild number: 2193_win_Release

2019-04-07 03:28:28,765 [art-exec-31960] [ERROR] (o.a.w.q.WorkQueueImpl:130) – Failed to call work queue 'Build Retention Job' callback due to :User 'myuser' is not authorized to delete build info. Delete permission is needed.

Caused by: org.artifactory.rest.exception.ForbiddenException: User 'myuser' is not authorized to delete build info. Delete permission is needed.

        at org.artifactory.build.BuildServiceImpl.assertDeletePermissions(BuildServiceImpl.java:1300)

        at org.artifactory.build.BuildServiceImpl.deleteBuild(BuildServiceImpl.java:597)

 

Resolution

Please note that:

  • This change does not affect users with Artifactory Admin privileges, as admin users have DELETE permission for builds even after the upgrade to 6.6 and above.
  • The following REST APIs did not require Artifactory Admin privilege in versions prior to 6.6.0: Build Upload, Build Promotion, Build Rename, Control Build Retention

Thus, here is what you can do to mitigate disruption when upgrading Artifactory from a version <6.6.0 to >=6.6.0:

  1. Identify which non-admin users will need build DELETE permission by searching Artifactory's request.log files for the REST API endpoints above
  2. Prepare a procedure to update those users' permissions to include build DELETE permission after the upgrade completes
  3. Upgrade to 6.6 or above (e.g. 6.9.0)
  4. Add build DELETE permission for the users identified in step #1

Please note that there is a small window between steps #3 and #4 in which the REST APIs above may fail.
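
One way to carry out step 1 before the upgrade, as an added example (not JFrog's own tooling): it reads request.log lines in the pipe-delimited layout shown above and reports, per user and API, how many build calls were made, whatever the HTTP status. The function names and the operator-supplied admin list are assumptions, the promote and rename paths are assumed from the Artifactory REST API documentation rather than this page, and all sample lines after the first two are constructed.

```shell
#!/bin/sh
# List non-admin users that call the build REST APIs named in this article.
# Usage: cat request*.log | build_delete_candidates "admin1,admin2"
# The admin list is operator-supplied (assumption): request.log has no role field.
# The promote/rename path patterns are assumed from the Artifactory REST API docs.
build_delete_candidates() {
    awk -F'|' -v admins="${1:-}" '
    BEGIN { n = split(admins, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    $3 == "REQUEST" && NF >= 9 {
        user = $5; method = $6; path = $7
        sub(/\?.*/, "", path)                 # ignore any query string
        api = ""
        if (method == "PUT" && path ~ /\/api\/build\/?$/) api = "upload"
        else if (method == "POST" && path ~ /\/api\/build\/retention\//) api = "retention"
        else if (method == "POST" && path ~ /\/api\/build\/promote\//) api = "promote"
        else if (method == "POST" && path ~ /\/api\/build\/rename\//) api = "rename"
        if (api == "" || (user in skip)) next
        count[user "|" api]++                 # any status: callers matter, not outcome
    }
    END { for (k in count) print k "|" count[k] }
    ' | LC_ALL=C sort
}

# Sample input: the first two lines are from the article, the rest are constructed.
sample_request_log() {
    cat <<'EOF'
20190408131015|2785|REQUEST|11.11.11.11|myuser|POST|/api/build/retention/mybuild|HTTP/1.0|500|129
20190408042449|163|REQUEST|11.11.11.11|myuser2|PUT|/api/build|HTTP/1.0|500|5259
20190408050000|40|REQUEST|11.11.11.11|myuser2|PUT|/api/build|HTTP/1.0|204|5100
20190408060000|12|REQUEST|11.11.11.11|myuser|GET|/api/build/mybuild|HTTP/1.0|200|900
20190408070000|88|REQUEST|11.11.11.11|admin|POST|/api/build/rename/mybuild?to=newbuild|HTTP/1.0|200|0
20190408080000|95|REQUEST|11.11.11.11|ci-bot|POST|/api/build/promote/mybuild/42|HTTP/1.0|200|310
EOF
}

# Output columns: user|api|request count
sample_request_log | build_delete_candidates admin
```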