How to troubleshoot JFrog Access? [Video]

Mari Yamaguchi
2021-02-02 14:52

JFrog Access troubleshooting examples


Video Transcription

Hi guys, my name is Mari from JFrog. In this video we’ll go over the preliminary steps on how to begin troubleshooting access and security issues.

Here are the four topics we’ll cover in today’s video. The first is, “What is Access?”. The second is, “How does Access work?”. The third is, “How are access and security defined?”. And the fourth is, “The Access logs overview and how to begin troubleshooting with logs”.

JFrog Access is packaged with Artifactory as one of its microservices. More specifically, Access manages authentication and authorization requests for all JFrog services. Access continuously keeps your binary secure by not only ensuring that authorized users have sole access to your binaries, but also by looking beyond access and authorizing actions on the binaries based on permissions.

How does Access work? As I mentioned previously, Access comes packaged with Artifactory. During the installation process, Access is installed with Artifactory under the same Tomcat. Once Artifactory is up and running, it communicates with Access via internal REST API calls. For other services, such as Xray and Mission Control, the connection is made when you set an Artifactory as the authentication provider. And for Distribution, the connection is made through Mission Control’s authentication provider.

There are four ways access and security are defined. The first being users, groups, and permissions; the second being the user profile; the third being access tokens; and the fourth being Access Federation. [inaudible 00:01:48] groups can be created directly within Artifactory or via external authentication services, such as LDAP, SAML, or Crowd. Regardless of the way the users and groups are created, Access’s role enforces the relationships between the users and groups and the permissions they are assigned and makes sure that the user is allowed to perform the desired action.

The user profile provides each user with their API key, email and password, Bintray settings, and binding OAuth accounts. Access tokens provides a capability of time-based access control and is an alternative means of authentication and can be used instead of a user and password. Some popular use cases for access tokens are cross-instance authentication and non-user authentication. Access Federation fully syncs users, groups, permissions, access tokens, and security changes for all of a company’s global JFrog services.

Let’s go over some basics before we go in depth on each Artifactory access log. All Artifactory logs including the access logs are all located under JFrog_HOME/artifactory/var/log. You could tell which of the logs pertain to Artifactory in the console and Artifactory service log based on the service identifier jfac, as you can see right here.

Now let’s go in depth on each access log. The first is the access security audit log; the second is the access requests log; the third is the access service log; and the fourth is the Artifactory access log. So the first is the access security audit log. This log logs creation, update and deletion of users, groups, permission targets, and access tokens. Let’s do a quick troubleshooting exercise. An unknown, new admin user named ‘enemy’ has access to our instance. The user ‘enemy’ has been deleting important artifacts, disrupting production. We need to find out who created ‘enemy’ to find out his or her identity. So if we go back to the previous slide, we can see that the access security audit log logs the creation, update, and deletion of users. We’re going to use this log to find out who created the username ‘enemy’. So as I mentioned before, all the logs are going to be… Right. Okay, great. So in this log, we can see the time, date and user and privileges that the user ‘enemy’ has. We can see that the user that created enemy was ‘his psychic’.

So the access request log provides the HTTP traffic information for the creation, update and deletion of users, groups, permission targets, and access tokens, as well as health checks. Here’s one example of a health check. The differentiator between the access security audit log and access request log is that it will spit out the HTTP response. So you know if it was successful or if there was a permission error.

So the third log is the access service log. This log logs the data on the access server activity. In the last troubleshooting example, we looked into how we can look into the access logs to investigate a security incident. Now, let’s see how we can look into the logs for a failed Artifactory start-up. After tailing the console log, you could see that the first error we see right here is under jfac, which is excess. So now we’ll go into the access service log. Let’s open up our access service log, and over here we can see that the error is regarding a join.key mismatch.

Another way to troubleshoot the logs is through the identification number right here. The identification number groups all logs from all microservices together that relate to their particular error. Just as an example, let’s do this one as well. So over here, you could see that there are logs in both the access service and the console log regarding this identification number. And if we look at the console log, we can trace the full error from start to finish. So the issue here is pretty clear. We’re going to have to fix the join.key file, which is located in the security folder. What we’re going to do is look through all of the other nodes and make sure that the join.key in this node is the same as the join.key in the other nodes. After we confirmed that the join.key is cracked, we’re going to go ahead and save it and restart Artifactory.

We just started up Artifactory and we’re just going to tail the console log to make sure that Artifactory is started up correctly. So over here, you see the message that all services started successfully. So let’s go into our browser, and over here we can see that Artifactory is starting up.

So the last log related to access is the Artifactory access log. Although this log isn’t directly under Access, it does also log information on accept/reject of logins, as well as download browsing and deployment of artifact.

I hope this video was able to give you a little bit more information on how access and security works, as well as how to start debugging issues regarding it. Thanks.