Federation Permissions

Identify the roles and internal scopes required for Federation operations.

This reference describes user-facing permissions and internal scopes used by Federation operations.

User-Facing Permissions

Platform Administrator

All Federation management operations require Admin role.

OperationRequired role
Create Federated repositoryAdmin
Edit Federated repositoryAdmin
Delete Federated repositoryAdmin
Add/remove membersAdmin
Trigger Full SyncAdmin
Set priorityAdmin
Push configurationAdmin
View Federation statusAdmin

Platform User

Developers and build engineers use this role for artifact operations.

OperationRequired permission
Browse artifactsREAD
Deploy artifactsDEPLOY
Resolve artifactsREAD
Use Set Me Up (resolve snippets)READ
Use Set Me Up (deploy snippets)DEPLOY

Internal Scopes

Federation operations use these scopes for service-to-service authentication.

ScopePurpose
INTERNAL_SCOPE_VALIDATE_MIRRORValidate remote mirror accessibility and configuration
INTERNAL_SCOPE_FULL_SYNCAuthorize Full Sync operations
INTERNAL_SCOPE_RTFSGeneral RTFS service operations
INTERNAL_SCOPE_CONFIG_SYNCSynchronize configuration across members
INTERNAL_SCOPE_METADATAQuery and propagate metadata information
INTERNAL_SCOPE_CONNECTION_STATESQuery Federation connection state information

When federated.exchange.token.limit.scope.enabled is true (default), token exchanges are restricted to required scopes.

Token Exchange Flow

Federation members authenticate with each other using a token exchange mechanism:

  1. Master token setup: During platform setup, each JPD is provisioned with a master token that establishes the circle of trust between JPDs.
  2. Token exchange: When RTFS needs to communicate with a remote member, it exchanges the master token for a scoped access token via POST /rtfs/v1/service_trust/exchange. See the REST API Reference Index for related authentication endpoints. The exchanged token is limited to the specific scopes required for the operation (for example, INTERNAL_SCOPE_FULL_SYNC for Full Sync operations).
  3. Scope limiting: When federated.exchange.token.limit.scope.enabled is true (default), token exchanges are restricted to only the required scopes for each operation, following the principle of least privilege.
  4. Automatic refresh: The token refresh job (federated.master.tokens.refresh.job.cron, default: 0 0 * * * ? *) runs hourly to refresh tokens before they expire. The job refreshes tokens federated.master.tokens.refresh.grace.days (default: 7) days before expiry.
  5. Expiry margin: An additional margin (federated.auth.token.expiry.margin.sec, default: 900 seconds, or 15 minutes) ensures tokens are not used when they are about to expire.

Token Exchange Properties

The following properties configure the token exchange flow.

PropertyDefaultDescription
federated.exchange.token.limit.scope.enabledtrueRestrict token exchanges to required scopes only.
federated.exchange.token.expiration.time.hours3600 (1 hour, stored in seconds)Duration before exchanged tokens expire. Despite the property name, the value is in seconds.
federated.master.tokens.refresh.job.cron0 0 * * * ? *Cron for the token refresh job (hourly).
federated.master.tokens.refresh.grace.days7Days before expiry to start refreshing tokens.
federated.auth.token.expiry.margin.sec900Margin in seconds before token expiry to consider the token invalid.

For example, in artifactory.system.properties:

federated.auth.token.expiry.margin.sec=900

Related Topics


Did this page help you?