
JFrog Artifactory repository creation and permission automation

We are using JFrog Artifactory and looking for a way to automate the repo, group and permission creation for a list of items as part of an Azure DevOps pipeline.

For example, I want to create a virtual Repo called "myproject-mvn-repo" with all its subcomponents as below.

  • create a virtual repository: myproject-mvn-repo
  • link existing or create remote repo for maven (if not existing): myproject-mvn-remote-repo
  • Create 2 local repos if not existing: myproject-mvn-release-local-repo, myproject-mvn-snapshot-local-repo
  • Create a security group for the repos: myproject-sg
  • Create 2 types of permission for the repos and related builds: myproject-developers (read/write), myproject-contributors (read/write/manage)
  • Add users to the group subsequently

I tried to follow the JFrog documentation, but couldn't loop through a number of items, and I would need to make it idempotent (it shouldn't create/modify any repo or component if already present).

Let's split it into 2 parts - managing repositories, and managing permissions.

Repositories

In order to create / update / delete multiple repositories in a single request you can use the Artifactory YAML Configuration.

For example (simplified):

PATCH /artifactory/api/system/configuration
Content-Type: application/yaml

localRepositories:
    myproject-mvn-release-local-repo:
        type: maven
        ...
    myproject-mvn-snapshot-local-repo:
        type: maven
        ...
remoteRepositories:
    myproject-mvn-remote-repo:
        type: maven
        url: ...
        ...
virtualRepositories:
    myproject-mvn-repo:
        type: maven
        repositories:
            - myproject-mvn-release-local-repo
            - myproject-mvn-snapshot-local-repo
            - myproject-mvn-remote-repo
        ...

Note - this is a PATCH request, which means that if a repository already exists it will not fail the request, but it will update its configuration based on the settings in this request.

Permissions

For managing permissions there are also two options - using projects (preferred), or using groups and permission targets.

Using Projects

From the documentation:

JFrog Projects is a management entity for hosting your resources (repositories, builds, Release Bundles, and Pipelines), and for associating users/groups as members with specific entitlements. As such, using projects helps Platform Admins to offload part of their day-to-day management effort and to generate a better separation between the customer products to improve customer visibility on efficiency, scale, cost, and security. Projects simplifies the onboarding process for new users, creates better visibility for LOBs and project stakeholders.

You can create projects, assign roles to users and groups in projects, assign repositories to projects, and more. Projects can be managed using REST API, specifically (but not limited to):

Using Groups and Permission Targets

Manage groups using REST API. First try to create a group. If a group already exists it will return a 409 Conflict, then use update group instead, or just add / remove members to the group.

For example - create group myproject-developers with alice and bob as members (simplified):

POST /access/api/v2/groups
Content-Type: application/json

{
  "name": "myproject-developers",
  "description": "My project developers",
  "members": ["alice", "bob"],
  ...
}

Manage permissions - use REST API to create / replace permission targets, aggregating the repositories and granting each group its relevant permissions on those repositories.

For example (simplified):

PUT /artifactory/api/security/permissions/myproject-permissions
Content-Type: application/json

{
  "name": "myproject-permissions",
  "repositories": [
    "myproject-mvn-release-local-repo",
    "myproject-mvn-snapshot-local-repo",
    "myproject-mvn-remote-repo"
  ],
  "principals": {
    "groups" : {
      "myproject-developers" : ["r","w"],
      "myproject-contributors" : ["r","w","m"]
    }
  },
  ...
}
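The following is an added example, not part of the original answer or JFrog's own code: it loops over a project inventory and applies the create-then-fall-back-on-409 group handling and the permission target PUT described above, so re-running it is safe. The function names, the `ARTIFACTORY_URL` and `ARTIFACTORY_TOKEN` variables, and the `PATCH .../members` path with its `{"add": [...]}` body are assumptions.

```python
import json, os
import urllib.error, urllib.request

def http_send(method, path, body):
    """Real transport; ARTIFACTORY_URL / ARTIFACTORY_TOKEN are assumed variable names."""
    headers = {"Content-Type": "application/json",
               "Authorization": "Bearer " + os.environ["ARTIFACTORY_TOKEN"]}
    req = urllib.request.Request(os.environ["ARTIFACTORY_URL"].rstrip("/") + path,
                                 data=body.encode(), method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 409 and other error statuses are returned, not raised

def ensure_group(send, name, members):
    """POST the group; on 409 Conflict only add members, never replace the group."""
    status = send("POST", "/access/api/v2/groups", json.dumps({"name": name, "members": members}))
    action = "created"
    if status == 409:
        status = send("PATCH", f"/access/api/v2/groups/{name}/members",
                      json.dumps({"add": members}))  # assumed endpoint and body
        action = "members-added"
    if status >= 300:
        raise RuntimeError(f"group {name}: HTTP {status}")
    return action

def ensure_permissions(send, project):
    """PUT creates or replaces the target, so repeated runs converge on one state."""
    name = f"{project}-permissions"
    repos = [f"{project}-mvn-{k}-repo" for k in ("release-local", "snapshot-local", "remote")]
    body = {"name": name, "repositories": repos, "principals": {"groups": {
        f"{project}-developers": ["r", "w"], f"{project}-contributors": ["r", "w", "m"]}}}
    status = send("PUT", f"/artifactory/api/security/permissions/{name}", json.dumps(body))
    if status >= 300:
        raise RuntimeError(f"permission target {name}: HTTP {status}")
    return body

def provision(send, projects):
    """Apply every project in the inventory; returns {group name: action taken}."""
    actions = {}
    for project, roles in projects.items():
        for role, members in roles.items():
            actions[f"{project}-{role}"] = ensure_group(send, f"{project}-{role}", members)
        ensure_permissions(send, project)
    return actions

if __name__ == "__main__":  # constructed inventory, names taken from the question
    print(provision(http_send, {"myproject": {"developers": ["alice", "bob"], "contributors": []}}))
```

Because the 409 path only adds members, a user dropped from the inventory keeps their group membership; removals have to be reconciled separately. Only the manage ("m") grant for contributors differs from the developers' grant, so group membership is what decides who can change permissions on these repositories.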
