
unable to scan artifacts - on demand scan

Open marasCw opened this issue 3 years ago • 24 comments

Hi! After launching a local directory scan I receive:

14:26:49 [🔵Info] JFrog Xray version is: 3.44.2
14:26:49 [🔵Info] JFrog Xray Indexer 3.44.2 is not cached locally. Downloading it now...
14:26:49 [🚨Error] failed while attempting to download Xray indexer: 401 Unauthorized received when attempting to download https://domain_name/xray/api/v1/indexer-resources/download/linux/amd64. An error occurred while trying to read the body of the response: http: read on closed response body

What permissions in Artifactory are required to scan artifacts locally?

marasCw avatar Nov 23 '22 13:11 marasCw

User has access to artifactory/xray

marasCw avatar Nov 23 '22 13:11 marasCw

Running into this too.

Situation

  • User is a service account that is owned by Artifactory (not from SSO, LDAP, or anything else).
  • User has no password, only an unexpired modern JWT Access Token (not a legacy API Key).
  • User is part of the readers group, which can read everything.
  • A different user, with zero permissions other than being in the readers group BUT HAS A PASSWORD is able to fetch this resource.
  • My user, an administrator user, is able to fetch this resource using an unexpired modern JWT Access Token (not a legacy API Key).
  • Tested both through the JFrog CLI as well as over the REST API.
         Admin?  Uses PW?  Uses JWT?  Success?
Me       ✓       -         ✓          ✓
User 1   -       ✓         -          ✓
User 2   -       -         ✓          -

Presumably, there is an undocumented permission that is necessary (or something missed in auth validation) causing this error.

REST API

$ curl -i \
  -H "Authorization: Bearer $ARTIFACTORY_ACCESS_TOKEN" \
  "https://{ENDPOINT}/xray/api/v1/indexer-resources/download/linux/amd64"

HTTP/2 401
date: Fri, 17 Feb 2023 19:47:29 GMT
content-type: text/plain; charset=utf-8
content-length: 31
set-cookie: AWSALB={REDACTED}
set-cookie: AWSALBCORS={REDACTED}

{"error":"Found invalid token"}

Looked for answers

Looked for an answer by performing an in-browser search on these pages:

  • https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API
  • https://www.jfrog.com/confluence/display/JFROG/JFrog+Platform+REST+API
  • https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API
  • https://www.jfrog.com/confluence/display/JFROG/Distribution+REST+API
  • https://www.jfrog.com/confluence/display/JFROG/Pipelines+REST+API

Also attempted to use the search field at https://support.jfrog.com/s/ to search the knowledge base, but it seems to want to split on - when I search for indexer-resources, so I get lots of completely unrelated results for indexer and resources.

Also attempted to use the Confluence search, but it (also) seems to want to split on - when I search for indexer-resources, so I get lots of completely unrelated results for indexer and resources.

Also performed a Google search for the information. Of the few results there were, this GitHub Issue was the only relevant one.

Version and License

EnterpriseX license
Artifactory v7.47.15 (rev 74715900)
Xray v3.59.4

Today is February 2023. This has been open since November 2022 with zero response from JFrog. So I'm pinging every user with more than a single commit to this repo, that doesn't have "bot" in its name in order to get some visibility and action from JFrog.

@AlexeiVainshtein @Asaf @asafgabai @attiasas @barbelity @DimaNevelev @eyalb4doc @eyalbe4 @freddy33 @gailazar300 @galusben @liron-shalom @omerzi @Or-Geva @RobiNino @sverdlov93 @talarian1 @TamirHadad @yahavi @yoav

skyzyx avatar Feb 17 '23 20:02 skyzyx

Interesting timing on your comment @skyzyx, I hit this issue today too. I can't speak to the permissions issue since my user is an admin, and specifically since xray/api/v1/indexer-resources/download api endpoint doesn't appear to be documented. However, I was attempting this with a user-scoped identity token that I had generated via my user profile page. It turns out that these are always reference tokens and it wasn't working for me! I went through the access token ui and generated a token scoped to my user there and the download started working for me. Sounds like a different issue than what you're seeing but maybe it'll help someone else.

Rigdon avatar Feb 17 '23 21:02 Rigdon

@Rigdon:

  • When you say "reference tokens", are those the shorter ones that show up in the UI?

  • We're generating/rotating these tokens using the REST API. They result in JWTs.

Updated my post to specify that these are JWTs and not the shorter tokens.

skyzyx avatar Feb 17 '23 21:02 skyzyx

That's right. I thought it seemed like a different root issue from what you're seeing, but was the same symptom.

Rigdon avatar Feb 18 '23 22:02 Rigdon

Hi @skyzyx, @marasCw, thanks for reporting. The required user should be a user with Xray permissions; no password or specific admin permission is needed. Can you please share the REST API you used to create the user/token?

sverdlov93 avatar Feb 19 '23 17:02 sverdlov93

We manage 100% of our users, groups, and permissions with Terraform.

  • https://registry.terraform.io/providers/jfrog/artifactory/latest/docs/resources/managed_user
  • https://registry.terraform.io/providers/jfrog/artifactory/latest/docs/resources/group
  • https://registry.terraform.io/providers/jfrog/artifactory/latest/docs/resources/permission_target

Everything was created with a provider version in the v6.x range. I'm not sure what endpoint the provider calls behind the scenes.

skyzyx avatar Feb 20 '23 00:02 skyzyx

Ping.

skyzyx avatar Mar 07 '23 22:03 skyzyx

Hi @skyzyx, I am not familiar with Terraform user creation, but it looks like your token has no Xray permissions (only Artifactory permissions).

sverdlov93 avatar Mar 08 '23 10:03 sverdlov93

So… how do we go about granting Xray permissions to users? That bit is unclear.

skyzyx avatar Mar 10 '23 23:03 skyzyx

My advice is to contact JFrog support and they will know to provide the best solution for the missing permissions.

sverdlov93 avatar Mar 12 '23 16:03 sverdlov93

Hi, do you have an update on this matter? I'm facing the same problem...

cristina-rosca avatar Apr 28 '23 10:04 cristina-rosca

Hi @cristina-rosca, can you provide full logs with the JFROG_CLI_LOG_LEVEL=DEBUG environment variable? Are you using credentials with Xray permissions?

sverdlov93 avatar Apr 30 '23 08:04 sverdlov93

@sverdlov93, here are the logs with JFROG_CLI_LOG_LEVEL=DEBUG:

root@dc664b1b1f80:~# jf docker scan "image-name"
08:23:05 [Debug] JFrog CLI version: 2.36.1
08:23:05 [Debug] OS/Arch: linux/amd64
08:23:05 [Debug] Sending HTTP GET request to: https://artifactory-base-url:443/xray/api/v1/system/version
08:23:05 [Debug] Usage Report: Sending info...
08:23:05 [Debug] Sending HTTP GET request to: https://artifactory-base-url:443/artifactory/api/system/version
08:23:05 [🔵Info] Creating image archive...
08:23:05 [Debug] Artifactory response: 200
08:23:05 [Debug] JFrog Artifactory version is: 7.49.3
08:23:05 [Debug] Sending HTTP POST request to: https://artifactory-base-url:443/artifactory/api/system/usage
08:23:05 [Debug] Usage Report: Usage info sent successfully. Artifactory response: 200
08:23:09 [Debug] Sending HTTP GET request to: https://artifactory-base-url:443/xray/api/v1/system/version
08:23:09 [🔵Info] JFrog Xray version is: 3.64.3
08:23:09 [Debug] Creating lock in: /home/frogger/.jfrog/locks/xray-indexer
08:23:09 [🔵Info] JFrog Xray Indexer 3.64.3 is not cached locally. Downloading it now...
08:23:09 [Debug] Sending HTTP GET request to: https://artifactory-base-url:443/xray/api/v1/indexer-resources/download/linux/amd64
08:23:09 [Debug] Releasing lock: /home/frogger/.jfrog/locks/xray-indexer/jfrog-cli.conf.lck.265.1683188589658167600
08:23:09 [🚨Error] failed while attempting to download Xray indexer: failed while attempting to download 'https://artifactory-base-url:443/xray/api/v1/indexer-resources/download/linux/amd64': server response: 401 Unauthorized

I think I'm using credentials with Xray permissions, because my technical user (the one with the token) is in the same group as the user with a password.

cristina-rosca avatar May 04 '23 08:05 cristina-rosca

@cristina-rosca Did you run jf config add with the URL and access token? Is it a full JWT or a reference token? If it's a JWT, you can use https://jwt.io/ to parse your access token and see if the aud section contains jfxr.

sverdlov93 avatar May 07 '23 18:05 sverdlov93

@sverdlov93 The aud section of the JWT contains jfrt, not jfxr. And it is a full JWT. Thank you!

cristina-rosca avatar May 08 '23 12:05 cristina-rosca

@cristina-rosca Then it's an Artifactory-permissions-only token.

sverdlov93 avatar May 08 '23 12:05 sverdlov93

@sverdlov93, FYI, my Artifactory admin managed to create us a technical user that has both Artifactory and Xray permissions, and the scan works! Thanks for your help!

cristina-rosca avatar May 16 '23 13:05 cristina-rosca

@cristina-rosca Glad to hear that!

sverdlov93 avatar May 16 '23 15:05 sverdlov93

We've run into the same problem. Our tokens were created via the security/token API. If I create a user-scoped token through the UI, it seems capable of adding the permissions to access Xray APIs.

Does the REST API not allow granting of permissions for the Xray service? If that is supported, how would we do that?

eweiser-sxm avatar Sep 14 '23 23:09 eweiser-sxm

Hi! Could you be more specific? We are using an Artifactory/Xray EnterpriseX license on a self-hosted server. IMHO in this case there are no separate Xray and Artifactory permissions. Could you provide some hints on how "Xray permissions" are granted via the GUI or REST API to a specific user?

marasCw avatar Sep 15 '23 05:09 marasCw

> Hi @skyzyx, I am not familiar with Terraform user creation, but it looks like your token has no Xray permissions (only Artifactory permissions).

Support told us to send logs instead of just providing the instructions. It can't possibly be that complicated.

skyzyx avatar Sep 25 '23 18:09 skyzyx

> Hi! Could you be more specific? We are using an Artifactory/Xray EnterpriseX license on a self-hosted server. IMHO in this case there are no separate Xray and Artifactory permissions. Could you provide some hints on how "Xray permissions" are granted via the GUI or REST API to a specific user?

Hi @marasCw. The problem appears to be that the security/token API doesn't add the right "services" the way that creating the token through the GUI does. We tried switching to the access/api/v1/token and it worked.

Note: Creating tokens for other users (i.e. subject doesn't match username) requires a token with scope applied-permissions/admin (even if the user is considered an Administrator).

eweiser-sxm avatar Sep 25 '23 20:09 eweiser-sxm
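An offline check for the two token properties discussed in this thread (whether the aud claim names Xray, i.e. contains jfxr rather than only jfrt, and whether the scope is applied-permissions/admin), as an added example that is not from this thread or from the JFrog CLI. It decodes the JWT payload the way jwt.io does, without validating the signature; the "scp" claim name and the meaning of a "*@*" audience are assumptions, and the sample token is constructed.

```python
import base64
import json

# Service prefixes in JFrog access-token "aud" entries as named in this thread:
# jfrt = Artifactory, jfxr = Xray. A "*@*" audience is assumed to mean every service.
XRAY_SERVICE = "jfxr"
ADMIN_SCOPE = "applied-permissions/admin"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature.
    This only inspects claims (what jwt.io displays) and proves nothing about
    validity. A short reference token has no dots and is rejected here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_services(claims: dict) -> set:
    """Service prefixes named in aud, e.g. {'jfrt'} for an Artifactory-only token."""
    aud = claims.get("aud", [])
    entries = aud.split() if isinstance(aud, str) else aud
    return {entry.split("@", 1)[0] for entry in entries}


def covers_xray(claims: dict) -> bool:
    services = audience_services(claims)
    return XRAY_SERVICE in services or "*" in services


def is_admin_scoped(claims: dict) -> bool:
    # Assumption: the token scope is carried in the "scp" claim.
    return ADMIN_SCOPE in claims.get("scp", "").split()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned test token (empty signature) for the checks above."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    # Constructed token mirroring the failing case in this thread: aud names jfrt only.
    claims = decode_jwt_payload(make_unsigned_jwt({"aud": "jfrt@01x", "scp": "applied-permissions/groups:readers"}))
    print("services:", audience_services(claims), "| covers Xray:", covers_xray(claims), "| admin scope:", is_admin_scoped(claims))
```

Paste a real token into decode_jwt_payload to see the same three answers for it; a token that fails the jfxr check is the Artifactory-only case described above.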

@eweiser-sxm said:

> The problem appears to be that the security/token API doesn't add the right "services" the way that creating the token through the GUI does.
>
> We tried switching to the access/api/v1/token and it worked.

We ran into this about a year or so ago. The primary API for generating tokens was changed in a backwards-incompatible way mid-cycle in the 7.x releases. security/token stopped doing the right things, and access/api/v1/token became the new way to do it, but neither the docs nor the support team had been adequately updated at the time. We lost weeks in our migration to v7 as a result.

> Note: Creating tokens for other users (i.e. subject doesn't match username) requires a token with scope applied-permissions/admin (even if the user is considered an Administrator).

To be clear: My understanding is that the Actor which generates tokens for others must itself (a) be an admin, and (b) have an admin-level token. (Because it's possible for an admin account to have a user-level token.)

You might be saying the same thing, but your phrasing sounded a little ambiguous to me, so I wanted to clarify what I thought I was reading.

Having said that, we are generating tokens over the API using access/api/v1/token, from an Actor who is an admin + has an admin token. Our users are still running into the issue I posted in this thread back in February 2023. Same matrix of what works and what doesn't.

skyzyx avatar Sep 27 '23 18:09 skyzyx