Home / server / Questions

Questions[artifactory](server)

Martin Hope
Ajax
Asked: 2024-09-26 21:48:17 +0800 CST
  • 6

I have Artifactory 7.84.14 CPP CE instance on our server hosting conan repository. When user token expires (or user is not authenticated), Artifactory returns error code 404 instead of 401/403. Result of this is, that conan returns "Package not found" instead of "Please authorize".

> conan install --remote someremote --requires=somepackage/version@some/repo
> ERROR: Package 'somepackage/version@some/repo' not resolved: Unable to find 'somepackage/version@some/repo' in remotes.

In the artifactory-request.log file is line with 404 code.

anonymous|GET|/api/conan/package/path|404|-1|0|5|Conan/2.7.1 (Windows 11; Python 3.12.3; AMD64)

Now. I found mansion about hideUnauthorizedResources config options (here and here). Problem is, this configuration is already there. Here is config descriptor xml (from AF GUI):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<config xmlns="http://artifactory.jfrog.org/xsd/3.3.5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://releases.jfrog.io/artifactory/static-release-virtual/xsd/artifactory/artifactory-v3_3_5.xsd">
    ...
    <security>
        <hideUnauthorizedResources>false</hideUnauthorizedResources>
        <passwordSettings>
            <expirationPolicy>
    ...

and here is artifactory.repository.config.latest.json:

{
    "localRepoConfigs":
    [
        {
            "type": "local",
            "key": "somerepo",
            "packageType": "conan",
            "baseConfig":
            {
                "modelVersion": 2,
                "description": "",
                "notes": "",
                "repoLayoutRef": "conan-default",
                "includesPattern": "**/*",
                "excludesPattern": ""
            },
            "repoTypeConfig":
            {
                "archiveBrowsingEnabled": false,
                "blackedOut": false,
                "propertySetRefs":
                [],
                "checksumPolicyType": "client-checksums",
                "priorityResolution": false,
                "maxUniqueSnapshots": 0,
                "handleReleases": true,
                "handleSnapshots": true,
                "snapshotVersionBehavior": "unique"
            },
            "packageTypeConfig":
            {
                "forceConanAuthentication": "false"
            },
            "securityConfig":
            {
                "hideUnauthorizedResources": false,
                "signedUrlTtl": 90
            },
            "repoType": "LOCAL"
        }
    ]
    ...
}

So, my question is, what I'm missing? Why I'm getting 404 instead of 401/403?

artifactory
Martin Hope
rugby82
Asked: 2022-02-17 01:01:00 +0800 CST
  • 0

I need to push some jar files obtained during a Jenkins pipeline, to Jfrog; below the code:

stage ('Artifactory configuration') {
            when { expression { params.runDelivery } }
            steps {
                rtServer (
                    id: "artifactory",
                    url: "https://jfroglocal/artifactory",
                    credentialsId: "jfrog"
                )

                rtMavenDeployer (
                    id: "MAVEN_DEPLOYER",
                    serverId: "artifactory",
                    releaseRepo: "example-repo-local",
                    snapshotRepo: "example-repo-local"
                )
            }
        }

here the error:

[m org.apache.maven.cli.MavenCli -  Skipping deployment of remaining artifacts (if any) and build info. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target etc

if I run the pipeline directly from the "jenkins slave server" the error disappear after linkng /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacert to /etc/ssl/certs/java/cacerts

if I run the same pipeline from an docker agent the error persists; below the declared agent:

agent {
        docker {
            label 'Ubuntu-20.04-Slave'
            image 'node:10'
            args '-u root'
        }

    }

how can i link the cacert file (of the jenkins slave) into the container?

there is a way to configure jenkins to share the JVM cacert with the container?

docker jenkins maven artifactory
Martin Hope
tj94
Asked: 2021-10-01 23:07:55 +0800 CST
  • 0

I've configured Apache HTTPD as a reverse proxy (for SSL) for my Artifactory instance, and I'm now trying to get HTTP SSO working on it.

Using the below configuration, I am successfully automatically signed in from my machine. However, when I run Chrome in Incognito mode (to disable Kerberos forwarding), the behaviour becomes undesirable.

What I want to happen is that the user be silently taken to Artifactory's standard login page, at /ui/login. However, what actually happens is that the browser prompts its built-in username and password window.

The other solutions I've seen in my research seem to be based on the Kerberos auth failing, or the user hitting cancel at this window. Instead, what I am trying to cater for is my users browsing to Artifactory from a non-domain-joined machine, which doesn't have a Kerberos ticket. I want these users to be shown the nicer-looking Artifactory standard login page.

# httpd -v
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built:   Oct  8 2020 21:27:40

    <Location />
        AuthType Kerberos
        AuthName "Intranet"

        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms DOMAIN.EXAMPLE.ORG
        KrbLocalUserMapping On
        Krb5KeyTab /etc/httpd/artf_ldap.keytab

        Require valid-user

        KrbAuthoritative On

        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/ui/login\"></html>"

        RewriteEngine On
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

The ErrorDocument 401 and KrbMethodK5Passwd Off parts were my attempts at solving this myself.

kerberos google-chrome single-sign-on apache-2.4 artifactory
Martin Hope
u123
Asked: 2020-12-06 02:17:55 +0800 CST
  • 0

I want to try out JFrog artifactory OSS using docker compose. I have found:

https://jfrog.com/download-jfrog-platform/

https://api.bintray.com/content/jfrog/artifactory-pro/org/artifactory/pro/docker/jfrog-artifactory-pro/$latest/jfrog-artifactory-pro-$latest-compose.tar.gz;bt_package=jfrog-artifactory-pro

But it seems its only for the PRO/Paid version.

I have found an old/deprecated OSS docker-compose file here:

https://github.com/jfrog/artifactory-docker-examples/blob/master/docker-compose/artifactory/artifactory-oss.yml

Does JFrog no longer support OSS when it comes to docker-compose installations?

docker-compose artifactory
Martin Hope
Pawel Veselov
Asked: 2020-11-21 18:16:00 +0800 CST
  • 2

I'm trying to set up Artifactory (CPP-CE) behind NGINX reverse proxy, with a custom context. I.e. all Artifactory URLs should be behind some top-level context (e.g. /conan). So the UI URL is supposed to be at https://server.com/conan/ui, and repository endpoints behind https://server.com/conan/artifactory.

I can't seem to find a way of telling Artifactory that. The documentation is honestly not particularly helpful.

I've tried setting X-Artifactory-Override-Base-Url to $http_x_forwarded_proto://$host:$server_port/conan/artifactory or $http_x_forwarded_proto://$host:$server_port/conan/, with no effect. The request URL is rewritten to remove /conan part when passing the request to the Artifactory.

Still, attempting to access https://server.com/conan/ui from the browser spits out an HTML with references to /ui/... and accessing https://server.com/conan/artifactory returns a redirect to /ui (completely ignoring any context part that was specified in X-Artifactory-Override-Base-Url)

Is setting it up this way even possible? Do I need to change some configuration inside Artifactory to get this done? I see there is a reverse proxy configuration available through the APIs, but the documentation offers no explanation what does it really do, AFAIU, it just to generate the reverse-proxy block.

The entire NGINX location configuration, for kicks:

        location /conan {
                proxy_read_timeout  2400s;
                proxy_pass_header   Server;
                proxy_cookie_path   /conan/ /;
                rewrite ^/conan/(.*) /$1 break;
                proxy_pass          http://localhost:9082;
                proxy_next_upstream error timeout non_idempotent;
                proxy_next_upstream_tries    1;
                proxy_set_header    X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/conan/artifactory;
                proxy_set_header    X-Forwarded-Port  $server_port;
                proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
                proxy_set_header    Host              $http_host;
                proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        }
artifactory