Closed tielou closed 3 years ago
Thanks. I will try to have a look at this today
I am trying to reproduce this at the moment - sorry to take so long
Also, you didn't include what version of the provider you are using and I don't have a copy-and-paste working example. Please supply those
I am unable to reproduce this. I do exactly as stated:
Use the before TF to create the resources:
# Required for Terraform 0.13 and up (https://www.terraform.io/upgrade-guides/0-13.html)
terraform {
  required_providers {
    artifactory = {
      source  = "registry.terraform.io/jfrog/artifactory"
      version = "2.2.7"
    }
  }
}

provider "artifactory" {
  url      = "https://cbongiorno-test-rt.jfrog.tech"
  username = "admin"
  password = "xxxx"
}

resource "random_password" "password_tu" {
  length           = 30
  special          = true
  override_special = "_%@"
}

resource "artifactory_user" "test" {
  name     = "permission-test-user"
  email    = "test@user.de"
  password = random_password.password_tu.result
}

resource "artifactory_permission_target" "technical_user" {
  name = "permission-test"
  repo {
    repositories = [artifactory_local_repository.test_repo.key]
    actions {
      users {
        name        = artifactory_user.test.name
        permissions = ["read", "annotate"]
      }
    }
  }
}

resource "artifactory_local_repository" "test_repo" {
  key             = "xray-permissions-test-repo"
  package_type    = "docker"
  repo_layout_ref = "simple-default"
  xray_index      = "true"
}
push an image to the new repo:
christianb@unifi terraform-provider-artifactory % docker pull hello-world
Using default tag: latest
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete
Digest: sha256:308866a43596e83578c7dfa15e27a73011bdd402185a84c5cd7f32a88b501a24
Status: Downloaded newer image for hello-world:latest
docker.io/library/hello-world:latest
christianb@unifi terraform-provider-artifactory % docker tag hello-world cbongiorno-test-rt.jfrog.tech/xray-permissions-test-repo/hello-world
christianb@unifi terraform-provider-artifactory % docker push cbongiorno-test-rt.jfrog.tech/xray-permissions-test-repo/hello-world
Using default tag: latest
The push refers to repository [cbongiorno-test-rt.jfrog.tech/xray-permissions-test-repo/hello-world]
f22b99068db9: Pushed
latest: digest: sha256:1b26826f602946860c279fce658f31050cff2c596583af237d971f4629b57792 size: 525
And now, log in with the test user and go where you say to go:
You can see from the image, I have no issue accessing it.
christianb@unifi terraform-provider-artifactory % curl -snL https://cbongiorno-test-rt.jfrog.tech/artifactory/api/system/version/ | jq -re .version
7.16.3
christianb@unifi terraform-provider-artifactory % terraform -version
Terraform v0.14.7
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/jfrog/artifactory v2.2.7
Your version of Terraform is out of date! The latest version
is 0.14.8. You can update by downloading from https://www.terraform.io/downloads.html
Note: I pushed the docker image and ran the terraform script as admin, but accessed it only with the new user in incognito mode.
Sorry I forgot to mention the version of the provider. I was using 2.2.4. I will give it a try today with 2.2.7. Thank you very much for your efforts so far.
So that didn't make a difference, it resulted in exactly the same behavior. I noticed I can still open the tab while the scan hasn't been done yet. Once it finishes and I try to open it, I get the unauthorized. If I go into the UI as an admin and save the permission target without changing anything, it works afterwards. I also checked again the effective permissions and there's just this one permission target. Anything else I could try or check?
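One further check for the behaviour described above, as an added example that is not part of the original thread or the provider's code: export the stored permission target before and after the no-change save in the UI and diff the two documents. The endpoint path is Artifactory's v2 security API; the helper names and both sample documents are constructed for illustration and are not output from either instance in this thread.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

# Constructed samples shaped like a v2 permission-target document; they only
# exercise the diff and are not output from any instance in this thread.
BEFORE_SAVE = {
    "name": "permission-test",
    "repo": {
        "repositories": ["xray-permissions-test-repo"],
        "actions": {"users": {"permission-test-user": ["read", "annotate"]}},
    },
}
AFTER_SAVE = {
    "name": "permission-test",
    "repo": {
        "include-patterns": ["**"],
        "exclude-patterns": [],
        "repositories": ["xray-permissions-test-repo"],
        "actions": {"users": {"permission-test-user": ["annotate", "read"]}},
    },
}


def fetch_permission_target(base_url, name, user, password):
    """GET the stored document from the v2 security API using basic auth."""
    url = f"{base_url}/artifactory/api/v2/security/permissions/{quote(name)}"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten(node, path=""):
    """Map each leaf to a path; lists become sorted tuples so order is ignored."""
    if isinstance(node, dict) and node:
        out = {}
        for key, value in node.items():
            out.update(flatten(value, f"{path}/{key}"))
        return out
    if isinstance(node, list):
        return {path: tuple(sorted(map(str, node)))}
    return {path: node}


def diff_permission_targets(before, after):
    """Return {path: (before, after)} for every leaf that differs or is absent."""
    a, b = flatten(before), flatten(after)
    return {p: (a.get(p, "<absent>"), b.get(p, "<absent>"))
            for p in sorted(set(a) | set(b))
            if a.get(p, "<absent>") != b.get(p, "<absent>")}
```

An empty result from `diff_permission_targets` means the UI save did not change the stored document, which points away from the Terraform-written payload and towards server-side state.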
I will involve one of our product people and see if he can give some insight. This might be a bug with RT itself or with your installation
Ok, I have tried it on our public partnership portal:
christianb@unifi terraform-provider-artifactory % curl -snL https://partnership.jfrog.io/artifactory/api/system/version/ | jq -re '.version // .errors'
7.15.3
# Required for Terraform 0.13 and up (https://www.terraform.io/upgrade-guides/0-13.html)
terraform {
  required_providers {
    artifactory = {
      source  = "registry.terraform.io/jfrog/artifactory"
      version = "2.2.7"
    }
  }
}

provider "artifactory" {
  url      = "https://partnership.jfrog.io"
  username = "christianb"
  password = "yyyyy"
}

resource "artifactory_user" "test" {
  name     = "permission-test-user"
  email    = "test@user.de"
  password = "xxxxx"
}

resource "artifactory_permission_target" "technical_user" {
  name = "permission-test"
  repo {
    repositories = [artifactory_local_repository.test_repo.key]
    actions {
      users {
        name        = artifactory_user.test.name
        permissions = ["read", "annotate"]
      }
    }
  }
}

resource "artifactory_local_repository" "test_repo" {
  key             = "xray-permissions-test-repo"
  package_type    = "docker"
  repo_layout_ref = "simple-default"
  xray_index      = "true"
}
push hello-world docker image
christianb@unifi terraform-provider-artifactory % docker login partnership-xray-permissions-test-repo.jfrog.io
Username: christianb
Password:
Login Succeeded
christianb@unifi terraform-provider-artifactory % docker tag hello-world partnership-xray-permissions-test-repo.jfrog.io/hello-world
christianb@unifi terraform-provider-artifactory % docker push partnership-xray-permissions-test-repo.jfrog.io/hello-world
Using default tag: latest
The push refers to repository [partnership-xray-permissions-test-repo.jfrog.io/hello-world]
f22b99068db9: Pushed
latest: digest: sha256:1b26826f602946860c279fce658f31050cff2c596583af237d971f4629b57792 size: 525
and then, go check:
No issue (for some reason, I am not able to highlight the image as before)
I really think this is a problem with your RT instance and not terraform. Please open a support ticket with the RT team and if they think it's TF related, then reopen or have them cut a ticket
Alright thank you very much for your help @chb0github
Describe the bug
When creating a permission target through Terraform the affected permissions only get partially applied with respect to X-Ray infos. I created a simple scenario with a Docker repository and a test user which only has read and annotate permissions on the respective repository. Meanwhile I pushed a hello-world image to this repository with another user. After logging in, the repository and its content are visible to the test user but the X-Ray tab is not.
Once I log in as an administrator and simply save the created permission again without changing anything, the X-Ray tab is accessible to the test user.
I'm talking about the X-Ray tab under Artifactory -> Artifacts -> xray-permissions-test-repo -> hello-world -> manifest.json.
Requirements for an issue
resource "artifactory_user" "test" {
  name     = "permission-test-user"
  email    = "test@user.de"
  password = random_password.password_tu.result
}

resource "artifactory_permission_target" "technical_user" {
  name = "permission-test"
  repo {
    repositories = [artifactory_local_repository.test_repo.key]
    actions {
      users {
        name        = artifactory_user.test.name
        permissions = ["read", "annotate"]
      }
    }
  }
}

resource "artifactory_local_repository" "test_repo" {
  key             = "xray-permissions-test-repo"
  package_type    = "docker"
  repo_layout_ref = "simple-default"
  xray_index      = "true"
}