
How to call a JFrog Artifactory user plugin as a non-admin user


I'm writing my first Artifactory user plugin which should be callable via REST. Here is a part of the implementation:

    executions {
        repoInfo(httpMethod: 'GET') { params ->
            // ...
        }
    }

I can call the plugin successfully as the admin user:

$ curl -u admin:XXX -X GET "http://localhost:8080/artifactory/api/plugins/execute/repoInfo"

but when calling it as another user I get HTTP return code 403 in return:

$ curl -u test-user-1:XXX -X GET "http://localhost:8080/artifactory/api/plugins/execute/repoInfo"
{
    "errors" : [ {
    "status" : 403,
    "message" : "You are not permitted to execute 'repoInfo'."
   } 
   ]
}

My question is: what permissions do I need to assign to test-user-1 in order to be able to access my plugin?

Thanks in advance for your answers.


Solution

  • This is explained somewhat unclearly in the docs:

      /**
       * An execution definition.
       * The first value is a unique name for the execution.
       *
       * ...
       *
       * Plugin info annotation parameters:
       *  ...
       *  users (java.util.Set<java.lang.String>) - Users permitted to query this plugin for information or invoke it.
       *  groups (java.util.Set<java.lang.String>) - Groups permitted to query this plugin for information or invoke it.
       *
       * ...
       */
    
      myExecution(version:version, description:description, httpMethod: 'GET', users:[], groups:[], params:[:]) { params ->
      }
    

    There are a number of optional parameters you can pass when creating an execution plugin, two of which are users and groups. If these are omitted or empty, then only admin users can execute plugins. If you want non-admin users to execute a plugin, you need to add usernames to the users list or group names to the groups list. For example:

    executions {
        repoInfo(httpMethod: 'GET', users: ['tom', 'bill'], groups: ['dev-team']) { params ->
            // ...
        }
    }
    

    In this case, the people who can use this plugin are tom, bill, anyone in the dev-team group, and anyone with admin privileges.


    Sometimes it makes sense to make a plugin available for anyone and everyone to use. To do this, you would generally do something like:

    executions {
        publicRepoInfo(httpMethod: 'GET', groups: ['readers']) { params ->
            // ...
        }
    }
    

    Artifactory installs with a pre-existing group called readers, which is automatically added to all new users and gives them basic read access, so all logged-in users should be part of this group. All users that are not logged in are considered to be logged in as the special anonymous user, which is also part of the readers group.
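
Because `users` and `groups` are the only access control on an execution, it helps to review what each plugin file exposes before deploying it. The following audit script is an added example, not part of the answer above or of Artifactory itself; the plugin source is constructed, the regex is a heuristic that assumes the one-line declaration style shown on this page, and the labels `admin-only`, `restricted` and `broad` are this example's own.

```python
import re

# Constructed sample plugin source (not from a real deployment).
SAMPLE_PLUGIN = """
executions {
    repoInfo(httpMethod: 'GET') { params ->
    }
    teamInfo(httpMethod: 'GET', users: ['tom', 'bill'], groups: ['dev-team']) { params ->
    }
    publicRepoInfo(httpMethod: 'GET', groups: ['readers']) { params ->
    }
    emptyLists(users: [], groups: [], params: [:]) { params ->
    }
}
"""

# Groups treated as "everyone" (assumption); 'readers' is the default group named in the answer.
BROAD_GROUPS = {"readers"}

# name(args) { closureParam ->   -- heuristic: args contain no nested parentheses
DECL = re.compile(r"^\s*(\w+)\s*\(([^()]*)\)\s*\{\s*\w+\s*->", re.MULTILINE)

def _string_list(args, key):
    """Return the quoted strings in `key: [...]`, or [] if absent or empty."""
    m = re.search(r"\b%s\s*:\s*\[([^\]]*)\]" % key, args)
    return re.findall(r"""['"]([^'"]+)['"]""", m.group(1)) if m else []

def audit(source):
    """Classify each execution as admin-only, restricted or broad."""
    report = {}
    for name, args in DECL.findall(source):
        users, groups = _string_list(args, "users"), _string_list(args, "groups")
        if not users and not groups:
            exposure = "admin-only"   # omitted or empty lists: only admins may call it
        elif BROAD_GROUPS & set(groups):
            exposure = "broad"        # reachable by every member of a default group
        else:
            exposure = "restricted"   # named users/groups plus admins
        report[name] = {"users": users, "groups": groups, "exposure": exposure}
    return report

if __name__ == "__main__":
    for name, info in audit(SAMPLE_PLUGIN).items():
        print(f"{name:16} {info['exposure']:11} users={info['users']} groups={info['groups']}")
```

Executions reported as `broad` deserve a second look at what the closure reads or changes, since the answer notes that `readers` also covers the anonymous user.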