How permissions are managed on virtual repositories in Artifactory? [Video]

Itamar Berman-Eshel
2021-01-28 09:00


When implementing permission targets to grant users and groups of users with access to resources in Artifactory, users usually look for a way to manage access to virtual repositories.
While this is by design not possible, in this short video we demonstrate how to configure access to resources on the local and remote repositories that are aggregated within a virtual repository in order to achieve this goal.


Video Transcription

Hello everyone. My name is Ickermore and I’m from JFrog support team, and in this short video, we’ll briefly talk about Artifactory repository permissions. A question that comes up from many users is how permissions are managed for virtual repositories. So let’s first talk about what virtual repositories are. A virtual repository is basically a collection of local, remote and other virtual repositories, which can be accessed through a single logical URL. So how can we set permissions to access these repositories? The short answer is we can’t. The long answer is that permissions are configured on local and remote repositories only, so when accessing content that is aggregated in a virtual repository, the permissions for that resource are granted based on the local or remote repository permissions.

Let’s see how it looks. I have set up an Artifactory instance with two local repositories, Repo A and Repo B will be, and one virtual repository called filter repo that basically aggregates both local repositories. I’ve also created to users called User A and User B and permission targets that grant permissions accordingly. So in Repo A, permission targets and granting read permissions for User A to access resources on Repo A, and in the Repo B permission targets I’m granting read permissions for User B to access resources on Repo B. So going back to the artifacts you logged in as an admin user, of course, I can see both repositories and I’ve deployed files into repository A called file in Repo A and in Repo B of course I have file in Repo B. Looking in the virtual repository view, I can see both files aggregated in a circle, single layer repository. So let’s run some curl commands to see how it looks like.

In this example, I’m running the curl command as User A, trying to access the virtual repository and trying to download file in Repo A. In this case, the request succeeded because User A has permissions for Repo A, but if I change the file name, trying to access file in Repo B, which as you recall, is inside Repo B, the request fails with a 403, saying download request for Rebel Beth, Repo B is forbidden for use, User A. So if I go to the curl command and switch user to User B, trying to access file in Repo B, the request succeeds. And again, if I switch the file to filing Repo A still using User B, you guessed it, it fails with 403, forbidden for user, User B. Let’s see how this looks in the UI when I’m logging out of the admin view and logged in as one of the users. So I’m logging in with User A.

And you can see that in the artifact view, I have view of only one repository and only one file looking inside the virtual repository, I have access only to file in Repo A, and of course, if I log in with User B, I will only be able to access file in Repo B. That was my video on field trip repository permissions. Thanks for watching, and I hope you enjoyed. Feel free to leave your comments, feedback, or questions in the comments section below.