jfrog / terraform-provider-artifactory

Terraform provider to manage JFrog Artifactory
https://jfrog.com/artifactory
Apache License 2.0

Permission targets only get partially applied #53

Closed tielou closed 3 years ago

tielou commented 3 years ago

**Describe the bug**

When creating a permission target through Terraform, the affected permissions only get partially applied with respect to X-Ray infos. I created a simple scenario with a Docker repository and a test user which only has read and annotate permissions on the respective repository. Meanwhile I pushed a hello-world image to this repository with another user. After logging in, the repository and its content are visible to the test user but the X-Ray tab is not.

Once I log in as an administrator and simply save the created permission again without changing anything, the X-Ray tab is accessible to the test user. I'm talking about the X-Ray tab under Artifactory -> Artifacts -> xray-permissions-test-repo -> hello-world -> manifest.json.

**Requirements for an issue**

resource "artifactory_user" "test" {
  name     = "permission-test-user"
  email    = "test@user.de"
  password = random_password.password_tu.result
}

resource "artifactory_permission_target" "technical_user" {
  name = "permission-test"

  repo {
    repositories = [artifactory_local_repository.test_repo.key]
    actions {
      users {
        name        = artifactory_user.test.name
        permissions = ["read", "annotate"]
      }
    }
  }
}

resource "artifactory_local_repository" "test_repo" {
  key             = "xray-permissions-test-repo"
  package_type    = "docker"
  repo_layout_ref = "simple-default"
  xray_index      = "true"
}


- JFrog cloud platform
- Terraform v0.14.5

**Expected behavior**
Permissions working like set.

**Additional infos**
The system logs don't show any more infos which could lead to the source of the issue.

chb0github commented 3 years ago

Thanks. I will try to have a look at this today

chb0github commented 3 years ago

I am trying to reproduce this at the moment - sorry to take so long

chb0github commented 3 years ago

Also, you didn't include what version of the provider you are using and I don't have a copy-and-paste working example. Please supply those

chb0github commented 3 years ago

I am unable to reproduce this. I do exactly as stated:

Use the before TF to create the resources:

# Required for Terraform 0.13 and up (https://www.terraform.io/upgrade-guides/0-13.html)
terraform {
  required_providers {
    artifactory = {
      source  = "registry.terraform.io/jfrog/artifactory"
      version = "2.2.7"
    }
  }
}
provider "artifactory" {
  url = "https://cbongiorno-test-rt.jfrog.tech"
  username = "admin"
  password = "xxxx"
}
resource "random_password" "password_tu" {
  length           = 30
  special          = true
  override_special = "_%@"
}

resource "artifactory_user" "test" {
  name     = "permission-test-user"
  email    = "test@user.de"
  password = random_password.password_tu.result
}

resource "artifactory_permission_target" "technical_user" {
  name = "permission-test"

  repo {
    repositories = [artifactory_local_repository.test_repo.key]
    actions {
      users {
        name        = artifactory_user.test.name
        permissions = ["read", "annotate"]
      }
    }
  }
}

resource "artifactory_local_repository" "test_repo" {
  key             = "xray-permissions-test-repo"
  package_type    = "docker"
  repo_layout_ref = "simple-default"
  xray_index      = "true"
}

push an image to the new repo:

christianb@unifi terraform-provider-artifactory % docker pull hello-world
Using default tag: latest
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete 
Digest: sha256:308866a43596e83578c7dfa15e27a73011bdd402185a84c5cd7f32a88b501a24
Status: Downloaded newer image for hello-world:latest
docker.io/library/hello-world:latest
christianb@unifi terraform-provider-artifactory % docker tag hello-world cbongiorno-test-rt.jfrog.tech/xray-permissions-test-repo/hello-world
christianb@unifi terraform-provider-artifactory % docker push cbongiorno-test-rt.jfrog.tech/xray-permissions-test-repo/hello-world
Using default tag: latest
The push refers to repository [cbongiorno-test-rt.jfrog.tech/xray-permissions-test-repo/hello-world]
f22b99068db9: Pushed 
latest: digest: sha256:1b26826f602946860c279fce658f31050cff2c596583af237d971f4629b57792 size: 525

And now, login with the test user and go where you say to go:

Screen Shot 2021-03-22 at 3 08 02 PM

You can see from the image, I have no issue accessing it.

christianb@unifi terraform-provider-artifactory % curl -snL https://cbongiorno-test-rt.jfrog.tech/artifactory/api/system/version/ | jq -re .version
7.16.3
christianb@unifi terraform-provider-artifactory % terraform -version
Terraform v0.14.7
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/jfrog/artifactory v2.2.7

Your version of Terraform is out of date! The latest version
is 0.14.8. You can update by downloading from https://www.terraform.io/downloads.html

Note: I pushed the docker image and ran the terraform script as admin, but accessed it only with the new user in incognito mode.

tielou commented 3 years ago

Sorry I forgot to mention the version of the provider. I was using 2.2.4. I will give it a try today with 2.2.7. Thank you very much for your efforts so far.

tielou commented 3 years ago

So that didn't make a difference, it resulted in exactly the same behavior. I noticed I can still open the tab while the scan hasn't been done yet. Once it finishes and I try to open it, I get the unauthorized. If I go into the UI as an admin and save the permission target without changing anything, it works afterwards. I also checked again the effective permissions and there's just this one permission target. Anything else I could try or check?
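
One way to check whether the provider wrote the whole permission target, as an added example (not from the thread or the provider's code): compare the declared grants against the JSON that Artifactory's `GET /artifactory/api/v2/security/permissions/{name}` endpoint returns. The response body below is a constructed sample, and `STORED`, `DECLARED` and `drift` are names chosen for this example; the check covers only the record stored in Artifactory, which helps separate a provider problem from a server-side one.

```python
import json

# Constructed sample of the JSON body that
# GET /artifactory/api/v2/security/permissions/permission-test returns.
STORED = json.loads("""
{"name": "permission-test",
 "repo": {"include-patterns": ["**"], "exclude-patterns": [],
          "repositories": ["xray-permissions-test-repo"],
          "actions": {"users": {"permission-test-user": ["annotate", "read"]}}}}
""")

# What the Terraform in this thread declares: section -> repositories and grants.
DECLARED = {
    "repo": {
        "repositories": {"xray-permissions-test-repo"},
        "users": {"permission-test-user": {"read", "annotate"}},
        "groups": {},
    }
}

EMPTY = {"repositories": set(), "users": {}, "groups": {}}


def drift(declared, stored):
    """List every difference between declared and stored grants (order-insensitive)."""
    findings = []
    # Also inspect sections the server holds that were never declared.
    for section in sorted(set(declared) | ({"repo", "build"} & set(stored))):
        want = declared.get(section, EMPTY)
        have = stored.get(section, {})
        have_repos = set(have.get("repositories", []))
        if have_repos != want["repositories"]:
            findings.append(
                f"{section}: repositories {sorted(have_repos)} != {sorted(want['repositories'])}")
        for kind in ("users", "groups"):
            have_grants = have.get("actions", {}).get(kind, {})
            for name in sorted(set(want[kind]) | set(have_grants)):
                w = set(want[kind].get(name, ()))
                h = set(have_grants.get(name, ()))
                if h - w:
                    findings.append(f"{section}/{kind}/{name}: unexpected {sorted(h - w)}")
                if w - h:
                    findings.append(f"{section}/{kind}/{name}: missing {sorted(w - h)}")
    return findings


if __name__ == "__main__":
    print(drift(DECLARED, STORED) or "stored permission target matches the declaration")
```

An empty result means the record in Artifactory matches what Terraform declared.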

chb0github commented 3 years ago

I will involve one of our product people and see if he can give some insight. This might be a bug with RT itself or with your installation

chb0github commented 3 years ago

Ok, I have tried it on our public partnership portal:

christianb@unifi terraform-provider-artifactory % curl -snL https://partnership.jfrog.io/artifactory/api/system/version/ | jq -re '.version // .errors'
7.15.3

# Required for Terraform 0.13 and up (https://www.terraform.io/upgrade-guides/0-13.html)
terraform {
  required_providers {
    artifactory = {
      source  = "registry.terraform.io/jfrog/artifactory"
      version = "2.2.7"
    }
  }
}
provider "artifactory" {
  url = "https://partnership.jfrog.io"
  username = "christianb"
  password = "yyyyy"
}

resource "artifactory_user" "test" {
  name     = "permission-test-user"
  email    = "test@user.de"
  password = "xxxxx"
}

resource "artifactory_permission_target" "technical_user" {
  name = "permission-test"

  repo {
    repositories = [artifactory_local_repository.test_repo.key]
    actions {
      users {
        name        = artifactory_user.test.name
        permissions = ["read", "annotate"]
      }
    }
  }
}

resource "artifactory_local_repository" "test_repo" {
  key             = "xray-permissions-test-repo"
  package_type    = "docker"
  repo_layout_ref = "simple-default"
  xray_index      = "true"
}

push hello-world docker image

christianb@unifi terraform-provider-artifactory % docker login partnership-xray-permissions-test-repo.jfrog.io
Username: christianb
Password: 
Login Succeeded
christianb@unifi terraform-provider-artifactory % docker tag hello-world partnership-xray-permissions-test-repo.jfrog.io/hello-world
christianb@unifi terraform-provider-artifactory % docker push partnership-xray-permissions-test-repo.jfrog.io/hello-world
Using default tag: latest
The push refers to repository [partnership-xray-permissions-test-repo.jfrog.io/hello-world]
f22b99068db9: Pushed 
latest: digest: sha256:1b26826f602946860c279fce658f31050cff2c596583af237d971f4629b57792 size: 525

and then, go check:

Screen Shot 2021-03-25 at 10 15 17 AM

No issue (for some reason, I am not able to highlight the image as before)

chb0github commented 3 years ago

I really think this is a problem with your RT instance and not terraform. Please open a support ticket with the RT team and if they think it's TF related, then reopen or have them cut a ticket

tielou commented 3 years ago

Alright thank you very much for your help @chb0github