2
votes

CI system: Jenkins with Jenkins Artifactory plugins, using Pipeline jobs
Language: Java, built with Maven

We have a setup where "release-versions" are supposed to be uploaded to a staging repository, and should be able to be overwritten from consecutive Jenkins builds (for example because of bugfixes in a release/x.x.x branch).
Release versions should not be allowed to be uploaded directly into a release repository, but should be allowed to be promoted into them. They should of course not be allowed to be overwritten by either a promotion or a direct upload.

In our current setup we have successfully allowed redeploys to staging, and disallowed "re-promotions" to releases. But release artifacts can still be redeployed into a release repository.

Effective permissions for the Jenkins user:

  • Release repository
    • Delete/Overwrite: false
    • Deploy/Cache: true
    • Annotate: true
    • Read: true
  • Staging
    • Delete/Overwrite: true
    • Deploy/Cache: true
    • Annotate: true
    • Read: true

So, is there a way to:

  1. Disallow deploys (and re-deploys) to the release repository
  2. Allow one promotion per version to the release repository
  3. Disallow "re-promotions" to the release repository
  4. Allow deploys (and re-deploys) to the staging repository

Preferably only using the Artifactory permission settings.

1
You are aware that, from Maven's point of view, overwriting, i.e. re-deploying, "release-versions" (with the same release version number) with different content is against Maven's philosophy, are you? That's what snapshot versions are for. Even if it is just a staging repository to you. Maven doesn't know anything about staging repositories. It just knows snapshots and releases. - Gerold Broser

1 Answer

5
votes

It seems that you are on the right track. As you mentioned, you can "block" the re-deploy (overwrite) by revoking the "delete / overwrite" permissions for a specific user, or for all of the users in your case. To answer your specific use-case, what you will need to do is:

  1. Disallow deploys (and re-deploys) to the release repository

[A1] Create a user for promotion, which will have deploy permissions to the release repository. Other than this user, no other user should have deploy permissions to that repository. It should also have read permissions on the staging repository. Please note that Admin users will still have all of the permissions to all of the repositories, but I believe that this should not have any issue.

  2. Allow one promotion per version to the release repository

[A2] Do not give the promotion user (see A1) delete permissions on the release repository. So if an overwrite is attempted, you will receive an error message:

"message" : "Not enough permissions to overwrite artifact 'repoX:path/to/file' (user 'YYY' needs DELETE permission)."

  3. Disallow "re-promotions" to the release repository

[A3] See A2

  4. Allow deploys (and re-deploys) to the staging repository

[A4] Give the Jenkins user delete permissions on the staging repository.

That should do the trick using the Artifactory permission targets.
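
An added example (not part of the original answer, and not JFrog code): a small Python audit that checks a set of permission targets against A1 to A4, including permissions a user inherits through a group. It assumes each target covers the whole repository and ignores admin users; the target layout is modelled on Artifactory's permission-target JSON, and all repository, user and group names are constructed.

```python
# Constructed permission targets in the shape of Artifactory's permission-target
# JSON (actions: r=read, n=annotate, w=deploy, d=delete, m=manage).
# All repository, user and group names below are hypothetical.
TARGETS = [
    {"name": "staging-ci", "repositories": ["libs-staging-local"],
     "principals": {"users": {"jenkins": ["r", "n", "w", "d"], "promoter": ["r"]}}},
    {"name": "release-promote", "repositories": ["libs-release-local"],
     "principals": {"users": {"promoter": ["r", "n", "w"]},
                    "groups": {"builders": ["r", "n", "w"]}}},
]
MEMBERSHIP = {"jenkins": ["builders"], "promoter": []}


def effective(targets, membership, user, repo):
    """Union of actions from every target covering repo (permissions are additive)."""
    actions = set()
    for target in targets:
        if repo not in target["repositories"]:
            continue
        principals = target["principals"]
        actions |= set(principals.get("users", {}).get(user, []))
        for group in membership.get(user, []):
            actions |= set(principals.get("groups", {}).get(group, []))
    return actions


def audit(targets, membership, release, staging, ci_user, promo_user):
    """Return findings; an empty list means the layout matches A1 to A4."""
    findings = []
    for user in sorted(membership):
        on_release = effective(targets, membership, user, release)
        if "d" in on_release:  # A2/A3: delete is what permits an overwrite
            findings.append(f"{user} can overwrite in {release}")
        if "w" in on_release and user != promo_user:  # A1
            findings.append(f"{user} can deploy directly to {release}")
    if "w" not in effective(targets, membership, promo_user, release):
        findings.append(f"{promo_user} cannot promote into {release}")
    if "r" not in effective(targets, membership, promo_user, staging):
        findings.append(f"{promo_user} cannot read {staging}")
    if not {"w", "d"} <= effective(targets, membership, ci_user, staging):  # A4
        findings.append(f"{ci_user} cannot redeploy to {staging}")
    return findings


FINDINGS = audit(TARGETS, MEMBERSHIP, "libs-release-local",
                 "libs-staging-local", "jenkins", "promoter")
print(FINDINGS)
```

The constructed data deliberately leaves the Jenkins user with deploy rights on the release repository through a group, which is the kind of inherited grant that keeps direct redeploys possible even when the user's own entry looks correct.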