Token with "applied-permissions/admin" scope can't be issued #245

alexvvladimirov opened this issue Feb 4, 2025 · 0 comments
Labels
bug Something isn't working

Describe the bug
After upgrading Artifactory plugin from 1.8.0 to 1.8.5, I can't issue tokens with applied-permissions/admin scope anymore.

Vault version: 1.18.3+ent
Artifactory plugin version: 1.8.5
Artifactory Cloud 7.105.2 (but I see the same with self-hosted Artifactory instance)

The role:

```
vault read artifactory/roles/test
Key                        Value
---                        -----
default_ttl                1h
include_reference_token    false
max_ttl                    3h
refreshable                false
role                       test
scope                      applied-permissions/admin
username                   admin
```

The secret engine version:

```
vault secrets list -detailed
Path            Plugin          Accessor                 Default TTL    Max TTL    Force No Cache    Replication    Seal Wrap    External Entropy Access    Options           Description                                                UUID                                    Version    Running Version          Running SHA256                                                      Deprecation Status
----            ------          --------                 -----------    -------    --------------    -----------    ---------    -----------------------    -------           -----------                                                ----                                    -------    ---------------          --------------                                                      ------------------
artifactory/    artifactory     artifactory_3a4aeac3     system         system     false             replicated     false        false                      map[]             Artifactory secrets engine                                 f8762b4f-8233-bcbd-67a9-257debbf6937    v1.8.5     v1.8.5                   a32ad9592ebb65cf1d98a1ca59cea3e95d5479a070147cde4b2e0cd8576dcf9e    n/a
```

The attempt to issue token:

```
vault read artifactory/token/test
Error reading artifactory/token/test: Error making API request.

Namespace: ns_stargate/ns_dev_devexartifactorysaasaccess/
URL: GET http://127.0.0.1:8200/v1/artifactory/token/test
Code: 500. Errors:

* 1 error occurred:
        * could not create access token:
```

TRACE logs:

```
2025-02-04T08:47:43.915Z [DEBUG] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: initialize maxLeaseTTL to system value: maxLeaseTTL=86400 func=pathTokenCreatePerform timestamp=2025-02-04T08:47:43.915Z
2025-02-04T08:47:43.915Z [DEBUG] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: using role MaxTTL: func=pathTokenCreatePerform role.MaxTTL=10800 timestamp=2025-02-04T08:47:43.915Z
2025-02-04T08:47:43.915Z [DEBUG] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: Max lease TTL (sec): func=pathTokenCreatePerform maxLeaseTTL=10800 timestamp=2025-02-04T08:47:43.915Z
2025-02-04T08:47:43.915Z [DEBUG] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: using role DefaultTTL: func=pathTokenCreatePerform role.DefaultTTL=3600 timestamp=2025-02-04T08:47:43.915Z
2025-02-04T08:47:43.915Z [DEBUG] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: TTL (sec): func=pathTokenCreatePerform ttl=3600 timestamp=2025-02-04T08:47:43.915Z
2025-02-04T08:47:43.915Z [DEBUG] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: fetching Artifactory version: func=getVersion timestamp=2025-02-04T08:47:43.915Z
2025-02-04T08:47:43.937Z [DEBUG] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: found Artifactory version: func=getVersion version=7.105.2 timestamp=2025-02-04T08:47:43.937Z
2025-02-04T08:47:43.938Z [TRACE] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: comparing versions: func=checkVersion v1=7.105.2 v2=7.50.3 timestamp=2025-02-04T08:47:43.937Z
2025-02-04T08:47:43.955Z [ERROR] secrets.artifactory.artifactory_3a4aeac3.artifactory.artifactory-secrets-plugin-1.8.5: got non-200 status code: func=CreateToken message="" statusCode=400 timestamp=2025-02-04T08:47:43.955Z
```

If I revert the plugin to 1.8.0, I can issue a token without any problems using the same role:

```
vault secrets list -detailed
Path            Plugin          Accessor                 Default TTL    Max TTL    Force No Cache    Replication    Seal Wrap    External Entropy Access    Options           Description                                                UUID                                    Version    Running Version          Running SHA256                                                      Deprecation Status
----            ------          --------                 -----------    -------    --------------    -----------    ---------    -----------------------    -------           -----------                                                ----                                    -------    ---------------          --------------                                                      ------------------
artifactory/    artifactory     artifactory_3a4aeac3     system         system     false             replicated     false        false                      map[]             Artifactory secrets engine                                 f8762b4f-8233-bcbd-67a9-257debbf6937    v1.8.0     v1.8.0                   24d704d6ac4d5423593657a4a5c85c8a929c1c441c335b06a867f892566e382e    n/a
vault read artifactory/token/test
Key                Value
---                -----
lease_id           artifactory/token/test/OcJpHknfwevip2Y1mW4zx1In.C81fY
lease_duration     1h
lease_renewable    true
access_token       eyJ2ZXIixxxxxxxxxxxxxxxxx
expires_in         0
reference_token    n/a
refresh_token      n/a
role               test
scope              applied-permissions/admin
token_id           daabfad5-5c18-4faf-8bd1-a520030f9ff2
username           admin
```

Requirements for an issue

  • A description of the bug
  • A fully functioning vault configuration snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
  • Your version of artifactory (you can curl it at $host/artifactory/api/system/version)
  • Your version of vault
  • Your version of vault plugin

Expected behavior
I expect token issuance with the applied-permissions/admin scope to work in version 1.8.5.

alexvvladimirov added the bug label Feb 4, 2025