How to change the default password for the ‘access-admin’ user?

Andrei Komarov
2019-03-13 14:51

What is Access?

JFrog Access is the service that manages all aspects of authentication and authorization for all JFrog services under the hood. It stores all Users, Groups, Permissions and Access Tokens generated by any connected JFrog service.
As an integral part of the JFrog Artifactory installation, the Access service is installed as a separate WAR file under the $ARTIFACTORY_HOME/webapps folder. Artifactory communicates with the Access service over HTTP and assumes it is running in the same Tomcat using the context path of "/access". 

What is the 'access-admin' user used for?

The interaction between Artifactory and Access is partly enabled (until version 6.8.0) by relying on basic authentication and an administrative Access user called access-admin. Upon starting up and establishing connectivity with the Access service (using the access-admin user), Artifactory will get a special (JWT) Access token which will be used in every subsequent request as the authentication token.   
 

As part of recent security improvements to JFrog’s products, the access-admin user is no longer involved (at all) in the interaction between Access and Artifactory.
This is effective on version 6.8.0 and above. Instead, a new security mechanism is introduced: an initial temporary token, encrypted with an AES128 symmetric key, takes the place of the access-admin credentials. That token is in turn used to fetch a new token, which Artifactory uses for every post-startup request bound for Access.

  • Please bear in mind that if you are upgrading from a version below 6.8.0 (and any version above 5.6.0), it is still highly recommended to (at least) change the default password for the access-admin user.

  • The access-admin user has a default IP address scope that restricts which sources its requests may come from. By default, this administrative user is limited to localhost only.
  • Fresh Artifactory installations (above 6.8.0) will have an access-admin user created with a randomly generated password. 

How to change the password for 'access-admin'?

Artifactory HA version under 6.8.0: If you are running an Artifactory HA cluster, make sure to make the changes on the primary node. After the last step, perform a rolling restart of the cluster (restart each node, starting from the master node).

  • Before 6.8.0: You can reset the access-admin user password with the following steps (requires an instance/cluster restart):
    – This can also be useful in case the password of the access-admin user is unknown, or you are uncertain about the password.

  1. Create the bootstrap.creds file under $ARTIFACTORY_HOME/access/etc/bootstrap.creds with the following content:

access-admin@127.0.0.1=newStrongPassword

  2. Change permissions of the file using chmod 600 bootstrap.creds

  3. Restart the Artifactory instance

  • After 6.8.0: Both the method above and the method below work. Use the curl command-line tool from the Access (Artifactory) host machine (you must know the existing password):
  1. SSH/log in to the Artifactory host machine (if this is an HA cluster – it can be any node)

  2. Issue the following command (replace password with the existing password and the newStrongPassword string with your new password):

curl -XPATCH -uaccess-admin:password http://localhost:8040/access/api/v1/users/access-admin -H "Content-Type: application/json" -d '{ "password": "newStrongPassword" }'
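
For the pre-6.8.0 bootstrap.creds steps above, an added example (not JFrog's code) that creates the file owner-only from the start, so the password is never readable by other users between file creation and chmod and is never typed as a command argument. It assumes it runs as the OS user that runs Artifactory and that the new password arrives as one line on stdin; the function names are made up for this example.

```shell
# Added example, not JFrog's code. Writes the bootstrap.creds file from step 1
# with owner-only permissions, keeping the password out of argument lists.
# Assumptions: run as the OS user that runs Artifactory; the new password
# arrives as a single line on stdin.

# write_bootstrap_creds ARTIFACTORY_HOME
# The body runs in a subshell, so the umask change, the trap and the
# variables do not leak into the calling shell.
write_bootstrap_creds() (
    dir="$1/access/etc"
    file="$dir/bootstrap.creds"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; exit 1; }

    IFS= read -r password || true      # tolerate a missing final newline
    [ -n "$password" ] || { echo "empty password, nothing written" >&2; exit 1; }

    umask 077                          # anything created below is owner-only
    tmp="$(mktemp "$dir/.bootstrap.creds.XXXXXX")" || exit 1
    trap 'rm -f "$tmp"' EXIT           # no stray copy if a later step fails
    printf 'access-admin@127.0.0.1=%s\n' "$password" > "$tmp" &&
        chmod 600 "$tmp" &&            # step 2 of the article, made explicit
        mv -f "$tmp" "$file"           # atomic replace within one directory
)

# creds_mode FILE: print the permission string, e.g. "-rw-------"
creds_mode() { ls -ld "$1" | cut -c1-10; }

# Usage in bash (the typed password is not echoed and, because printf is a
# shell builtin, does not show up in the process list):
#   read -rs -p 'New access-admin password: ' pw; echo
#   printf '%s\n' "$pw" | write_bootstrap_creds "$ARTIFACTORY_HOME"; unset pw
#   creds_mode "$ARTIFACTORY_HOME/access/etc/bootstrap.creds"
```

Restart the instance (or perform the rolling restart on an HA cluster) afterwards, as in the last step of the procedure.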