non-admin token

[TJM]

Is your feature request related to a problem? Please describe.

We have a multi-tenant artifactory, each tenant has their own Vault cluster. We setup the vault-artifactory-secrets-engine, but we have to give it an "admin" token. This would allow anyone to create a role with group=admin and obtain an admin token to artifactory. (their pipelines have administrative access to Vault so that they can setup GKE authentication and policies)

Describe the solution you'd like

I would like to be able to use a token for something less than platform admin. Maybe a project admin token? This may require support form JFAC as well.

Describe alternatives you've considered

• We tried using a "user" level token in MOUNT/config/admin (using a non-admin token)

  • but it is unable to rotate (likely because the rotate is hard-coded to create an admin token)
  • We also could not seem to get it to issue a token (kept getting error 400)... but I think this is resolvable

• Using a separate (shared) vault, but then we need to grant them the ability to link their GKE clusters in... but maybe we could be more restrictive about what they have access to do since it is not "their" vault cluster

• Google Artifact Registry :p

Additional context

What we need is a folder or "namespace" in artifactory. We thought that is what "Projects" provided. WIth the GCP Secrets Engine, we can grant "owner" level access to a specific sub-folder of the organization, they can do whatever they want within that sub-folder (within org policy of course). We would like to figure out a way to provide similar functionality.

We also created a JFrog Support ticket for this - 288012

[alexhung]

likely because the rotate is hard-coded to create an admin token

@TJM I can certainly add rotation to user_token. It's logical next step.

[TJM]

We could, but it also breaks the dynamic usernames. Honestly using a "user" token is a workaround IMO :)

However, its the best I could come up with given the current constraints.

[markszabo]

We run into the same problem at my company and found that the plugin supports using a regular user's token - although then all the new tokens will have the same access as that user has

[Useurmind]

Does the rotation of tokens on non admin users work?
I get error parsing existing access token: token contains an invalid number of segments

If so I would count this issue as done.

Not allowing normal users to create tokens for other users is common sense.

If you need tokens for different usernames you can just mount multiple artifactory plugins on different paths with just one default role, right? I did not try it out, but in principle it should be possible same as with other vault plugins.

Or add the ability to add multiple users to the plugin.