Artifactory 6.6 and above introduces bulid permissions. It may affect current build info deployment process that requires deleting or replacing build info.
6.6.0 and above
Starting Artifactory 6.6.0, following REST APIs require build delete permission:
- Build Upload (only for overriding existing build info)
- Build Promotion (till this Jira is fixed RTFACT-18781 – ETA: Q2)
- Delete Builds
- Build Rename
- Control Build Retention
Without proper permission to delete, the REST APIs may result in HTTP 500 error (RTFACT-19039) in the logs. For example,
$ grep "api/build" request* | grep "|500|"
artifactory.log or catalina.out may print exceptions similar to below:
2019-04-07 03:28:28,763 [http-nio-12000-exec-130] [INFO ] (o.a.r.r.c.BuildResource:318) – Retention policy for build 'mybuild' scheduled to run
2019-04-07 03:28:28,763 [art-exec-31960] [INFO ] (o.a.b.BuildServiceImpl:668) – Async delete of build mybuild number: 2193_win_Release
2019-04-07 03:28:28,765 [art-exec-31960] [ERROR] (o.a.w.q.WorkQueueImpl:130) – Failed to call work queue 'Build Retention Job' callback due to :User 'myuser' is not authorized to delete build info. Delete permission is needed.
Caused by: org.artifactory.rest.exception.ForbiddenException: User 'myuser' is not authorized to delete build info. Delete permission is needed.
Please note that:
- This change does not affect users with Artifactory Admin privileges as the admin users have DELETE permission for builds even after the upgrade to 6.6 and above.
- Following REST APIs did not require Artifactory Admin privilege in versions prior to 6.6.0: Build Upload, Build Promotion, Build Rename, Control Build Retention
Thus, here is what you may do to mitigate disruption after upgrading Artifactory version <6.6.0 to >=6.6.0.
- Identify which non-admin users who will need build DELETE permission by searching Artifactory's request.log files the REST API endpoints above
- Prepare a procedure to update those users' permissions to include build DELETE permission after the upgrade completes
- Upgrade to 6.6. or above (e.g. 6.9.0)
- Add build DELETE permission for the users identified in step #1
Please note that there is a small window that you may see those REST APIs above fail in between step #3 and #4.