JFROG ACCESS: How to Change Your Default access-admin User Password

Andrei Komarov
2021-10-06 09:16

What is Access?

JFrog Access is the service that manages all aspects of authentication and authorization for all JFrog services. It stores all users, groups, permissions, and access tokens associated with any connected JFrog service. As an integral part of any JFrog Artifactory installation, the Access service is installed as a separate WAR file in the $ARTIFACTORY_HOME/webapps folder. Artifactory communicates with the Access service over HTTP and assumes it is running on the same Apache Tomcat host as Artifactory, using the /access context path.

What is the 'access-admin' user used for?

The interaction between Artifactory and Access is partly enabled (up until version 6.8) through a reliance on basic authentication and an administrative Access user called access-admin. Upon startup, this Access user establishes connectivity with the Access service by providing Artifactory with a special (JWT) Access token, which is thereafter used in every subsequent request as the authentication token.

That said, JFrog has made security improvements to its products, which include completely dispensing with access-admin in Access/Artifactory interactions. From Artifactory version 6.8 onward, a new security mechanism is used: an initial temporary token, encrypted with an AES128 symmetric key, validates the Artifactory <-> Access connection.

Please be aware of the following:

  • If you are upgrading from an Artifactory version below 6.8 (and any version above 5.6), you are strongly advised to (at least) change the default password for the access-admin user.
  • The access-admin user has a default (IP) address scope for allowed source requests, which is limited to localhost only.
  • Fresh Artifactory installations (above version 6.8) will have an access-admin user created (with a randomly-generated password) as part of the installation process.

How to change the password for 'access-admin'?

For Artifactory versions below 6.8: If you’re running an Artifactory HA cluster, be sure to execute your changes on the primary node. You can reset the access-admin user password by following the steps below, which require an instance/cluster restart. This also covers cases where the password is unknown or has been forgotten, or where you are uncertain about it.

  1. Create the bootstrap.creds file under $ARTIFACTORY_HOME/access/etc/bootstrap.creds with the following content:
  2. Change permissions for the file using chmod 600 bootstrap.creds
  3. Restart the Artifactory instance, performing a rolling restart for the cluster (i.e., restarting each node beginning with the master node)

For Artifactory versions above 6.8: You may use the method above or the one that follows, as both work well. For the method below, use the curl command tool from Access' (Artifactory's) host machine (NOTE: you’ll need to know the existing password):

  1. SSH or log in to the Artifactory host machine (if this is an HA cluster, you can do this via any node)
  2. Issue the following command (replacing password with the existing access-admin password and the newStrongPassword string with your desired password):
  • curl -XPATCH -uaccess-admin:password http://localhost:8040/access/api/v1/users/access-admin -H "Content-Type: application/json" -d '{ "password": "newStrongPassword" }'
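
A variant of the curl call above that keeps both passwords out of the process list and shell history: it prompts for them and hands them to curl in a config read from stdin. This is an added example, not JFrog's code. The script name, the ACCESS_URL variable and the function names are assumptions; the endpoint is the one in the command above.

```sh
#!/bin/sh
# Added example, not JFrog's code. The URL is taken from the curl command above.
ACCESS_URL="${ACCESS_URL:-http://localhost:8040/access/api/v1/users/access-admin}"

# Escape backslash and double quote; the same rule serves a JSON string and a
# double-quoted value in a curl config file.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# JSON body for the PATCH request. $1 = new password
build_payload() {
    printf '{ "password": "%s" }' "$(json_escape "$1")"
}

# curl config carrying credentials and body. $1 = current, $2 = new password
build_curl_config() {
    printf 'user = "access-admin:%s"\n' "$(json_escape "$1")"
    printf 'data = "%s"\n' "$(json_escape "$(build_payload "$2")")"
}

# Send the request; the config reaches curl on stdin (-K -), so neither
# password appears in curl's argv. Prints the HTTP status code.
rotate_password() {
    build_curl_config "$1" "$2" |
        curl -sS -o /dev/null -w '%{http_code}' -X PATCH \
             -H 'Content-Type: application/json' -K - "$ACCESS_URL"
}

# Interactive entry point: sh rotate-access-admin.sh --rotate (hypothetical name)
if [ "${1:-}" = "--rotate" ]; then
    trap 'stty echo' EXIT          # restore terminal echo even on Ctrl-C
    stty -echo
    printf 'Current access-admin password: ' >&2; IFS= read -r old; echo >&2
    printf 'New access-admin password: ' >&2; IFS= read -r new; echo >&2
    stty echo
    case "$new" in                 # control characters would break the JSON body
        ''|newStrongPassword|*[[:cntrl:]]*)
            echo 'refusing empty, placeholder or control-character password' >&2
            exit 1 ;;
    esac
    code=$(rotate_password "$old" "$new")
    case "$code" in
        2??) echo "password changed (HTTP $code)" >&2 ;;
        *)   echo "change failed (HTTP $code)" >&2; exit 1 ;;
    esac
fi
```
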