Allow all projects in an organization to consume organization-scoped feed

0
votes

In our AzDO organization, we have an organization-scoped feed, that was created to be usde by all projects. But for every new project we create, we have to go to its "Artifacts" page, open Settings / Permissions for that feed and in the dot-menu click "Allow project-scoped builds". Otherwise maven gives us an exception like this:

[ERROR] Failed to execute goal on project PROJECT: Could not resolve dependencies for project GROUP:ARTIFACT:VERSION: Failed to collect dependencies at GROUP:ARTIFACT:VERSION: Failed to read artifact descriptor for GROUP:ARTIFACT:VERSION: Could not transfer artifact GROUP:ARTIFACT:VERSION from/to MY-FEED (https://ORGANIZATION.pkgs.visualstudio.com/_packaging/repo/maven/v1): Authorization failed for https://ORGANIZATION.pkgs.visualstudio.com/_packaging/repo/maven/v1/GROUP/ARTIFACT/VERSION/....pom 403 Forbidden - User 'GUID' lacks permission to complete this action. You need to have 'ReadPackages'. (DevOps Activity ID: GUID2) -> [Help 1]

Can't we set it up so that all projects - past, present and future - will have access to the feed?

1
mavenazure-devops
Strongly recommend to use a repository manager makes it easier...khmarbaise
@khmarbaise You mean I should not use Azure DevOps feed? If so, why?Evgeniy Berezovsky
The usual way: You run a Nexus or Artifactory in your company which handles all the Java artifacts, as khmarbaise said. They are made for usage with Maven.J Fabian Meier
@JFabianMeier Well, AzDO's feeds are also made for usage with Maven (and Nuget, and...), and in fact they do work. Has anyone of you complainants actually tried to use it? The only problem I have is this per-project permissioning. Nothing that shouldn't be fixable.Evgeniy Berezovsky
I am not saying that your solution will not work. I just wanted to point out that the vast majority of organisations which use Maven uses either Nexus or Artifactory.J Fabian Meier

1 Answers

0
votes

The Organization Scope feed can be used for the entire organization.

But in Project Settings -> Settings , there is an option: "Limit job authorization scope to current project for non-release pipelines".

When this option is enable , the authorization scope is limited to the Project level. This option is enable by default for projects.

enter image description here

It could be the root cause of the 403 error.

Since this option is enabled by default in new projects, you need to manually disable this option to use the organization scope feed.

Based on the time being, there seems to be no way to automatically turn off this option in new projects.

The steps to disable this option:

  1. Disable the option in Organizaiton Settings -> Settings.

  2. Disable the option in Target Project.

By the way, in Organization scope feed, you also need to make sure that the role Project Collection Build Service(Organizaiton name) has permission. This role has the Contributor permission by default.

enter image description here