Open swarnendukayal opened 2 years ago
The root cause of this issue is a change in Artifactory 7.31.10.
Workaround:
~Run config command with --enc-password=false:~
jf config add <server-id> --enc-password=false
Edit: This workaround will not work. Only access tokens are allowed to be used with MFA.
Unfortunately, this 'workaround' will not work with the circleci orb at https://circleci.com/developer/orbs/orb/jfrog/artifactory-orb#commands-configure
It only accepts ARTIFACTORY_API_KEY / ARTIFACTORY_URL / ARTIFACTORY_USER and not ENC_PASSWORD. It will be good if jfrog updates the orb with all the possible input parameters from jfrog cli.
After further investigation, we concluded that this behavior is actually by design in Artifactory 7.31.0 and above.
From this version, in some of the APIs, only access tokens are allowed to be used with MFA.
--enc-password=false will only help with the configuration, but not with the other commands.
To make things more clear during configuration, we created https://github.com/jfrog/jfrog-cli-core/pull/341 that prints the response from Artifactory.
@kutysam
Since only access tokens are fully supported with MFA, and the Artifactory orb doesn't support access tokens, we suggest using the CLI directly:
You can find here the various ways to install the JFrog CLI: https://jfrog.com/getcli
Configure the JFrog CLI by running jf c add --url=$JFROG_PLATFORM_URL --access-token=$JFROG_ACCESS_TOKEN
See the relevant documentation here: https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-JFrogPlatformConfiguration.
Please let us know if you need any further assistance. 🙏🏼
However, it doesn't explain why a SAML / SSO authenticated user can still log in without the enc password and use the API key in CLI.
Additionally, as mentioned, we are using the orb that is provided by jfrog to circleci. Will you guys be updating this orb so that we can specify the enc password parameter?
@kutysam I took this issue with our security and Artifactory teams. We decided to reopen the password encryption API when using MFA with username and password/api-key. After this version, you should be able to work with Artifactory without any issues. This change is expected to take place in the next Artifactory version 7.36.0 and above. We'll keep you updated.
@kutysam, The fix is included in Artifactory 7.36.1 or 7.37.13 and above. No upgrade for the JFrog CLI is needed. Feel free to use it - we'd appreciate your feedback on that.
Description:
If the MFA (Multi-factor authentication) is enabled, none of the Internal users are able to configure the platform. It is giving the error as below -
$ ./jfrog rt c
Server ID [test-saas]: test-cloud
JFrog platform URL [https://myartifactory.jfrog.io/]: https://myartifactory.jfrog.io/
JFrog access token (Leave blank for username and password/API key):
JFrog username [admin]:
JFrog password or API key:
Is the Artifactory reverse proxy configured to accept a client certificate? (y/n) [n]?
[Error] The following error was received while trying to encrypt your password: Artifactory response: 403 Forbidden
Steps to Reproduce:
Expected Behavior: The configuration should happen successfully.
Versions: