Configure jcenter for only downloading artifacts and Artifactory for deploying artifacts

1
votes

We have Artifactory setup and we use Maven central repo for downloading artifacts, which are then automatically cached in Artifactory. We also upload/deploy our own artifacts in Artifactory.

I now want to replace Maven central repo with jcenter and would like to continue using our Artifactory for uploading/deploying our own artifacts and for also caching the jcenter (and any third-party) artifacts. I can ask all developers to modify their settings.xml file as it will be a one-time activity so that's not a problem.

I saw this link by @helmedeiros which describes making changes in <repositories> and <pluginRepositories> section of settings.xml file. However, those are the sections where i specify URL for our Artifactory server. If i replace my Artifactory URL, then it would mean that i will be able to both fetch and upload artifacts from jcenter which is not what i want.

How can i ensure that all developers are only able to pull (NOT deploy/upload) from jcenter and deploy/upload ONLY to Artifactory?

Here's what we have right now in settings.xml:

<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <server>
      <username>${security.getCurrentUsername()}</username>
      <password>${security.getEscapedEncryptedPassword()!"*** Insert encrypted password here ***"}</password>
      <id>central</id>
    </server>
    <server>
      <username>${security.getCurrentUsername()}</username>
      <password>${security.getEscapedEncryptedPassword()!"*** Insert encrypted password here ***"}</password>
      <id>snapshots</id>
    </server>
  </servers>
  <profiles>
    <profile>
      <repositories>
        <repository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>central</id>
          <name>libs-release</name>
          <url>https://inhouse-artifactory/artifactory/libs-release</url>
        </repository>
        <repository>
          <snapshots />
          <id>snapshots</id>
          <name>libs-snapshot</name>
          <url>https://inhouse-artifactory/artifactory/libs-snapshot</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>central</id>
          <name>plugins-release</name>
          <url>https://inhouse-artifactory/artifactory/plugins-release</url>
        </pluginRepository>
        <pluginRepository>
          <snapshots />
          <id>snapshots</id>
          <name>plugins-snapshot</name>
          <url>https://inhouse-artifactory/artifactory/plugins-snapshot</url>
        </pluginRepository>
      </pluginRepositories>
      <id>artifactory</id>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>artifactory</activeProfile>
  </activeProfiles>
</settings>

I will really appreciate any help in this regard.

1
mavenmaven-3artifactorybintrayjcenter
@JBaruch: Can you kindly help me on this issue? - Technext

1 Answers

0
votes

I have exactly the same question :)

My solution is to create an Artifactory virtual repository (forgerock-third-party-virtual) to cache most of the public artifacts.

This virtual repository includes a remote repository based on jcenter:

enter image description here

On the virtual repository, there is no default deployment repository:

enter image description here

So with this setting, I hope the developers won't be able to push in this virtual repository.

According to the JFrog documentation, you have select one repository in this drop-down to be able to push into a virtual repository.

Regarding the deployment settings, we also have a parent pom where we specified our own repositories in the <distributionManagement> section.

On my build machines, I've added this profile (in .m2/settings.xml) to cache the artifacts:

 <profile>
  <id>force-third-party-repo</id>
  <activation>
    <activeByDefault>true</activeByDefault>
  </activation>
  <repositories>
    <repository>
      <id>forgerock-third-party</id>
      <name>ForgeRock Third Party Repository</name>
      <url>http://maven.forgerock.org/repo/forgerock-third-party-virtual</url>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
      <releases>
        <enabled>true</enabled>
      </releases>
    </repository>
  </repositories>
   <pluginRepositories>
    <pluginRepository>
      <id>forgerock-third-party</id>
      <name>ForgeRock Third Party Repository</name>
      <url>http://maven.forgerock.org/repo/forgerock-third-party-virtual</url>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
      <releases>
        <enabled>true</enabled>
      </releases>
    </pluginRepository>
  </pluginRepositories>
</profile>

I have other settings in this file to declare our own Artifactory repositories (for pushing/pulling our own artifacts) + some Maven credentials.

I did some tests with one of our Maven projects and it was working fine.

Once the new .m2/settings.xml will be ready, I'll push a template in an internal Artifactory repository, so the developers will be able to get this template with a curl command.

FYI, this is a POC for the moment. We want to move in production with these settings in a few days.