Credentials-aware Gradle artifact caching


(Etienne Studer) #1

Hello Gradle Team

Is the Gradle repo cache respecting different user credentials, i.e. making sure that if I have a Gradle build and I run the build twice with different Artifactory credentials configured, Gradle will use separate Gradle artifact caches for the two?

The reason I’m asking is that we have different permission sets for different users and I want to be sure that if I run the build with these different users (on the same machine), I don’t see artifacts that are only available because they were previously downloaded using a different user.

Regards, Etienne


#2

In a nutshell, no, we are not respecting repository credentials in our dependency cache. We do cache separately per-repository, but at the moment 2 repositories with different credentials but the same artifact patterns are treated as identical for cache purposes.

If 2 different users share the same cache directory (gradle home), then they will also share cache entries from this cache. So if the first user has the correct credentials when running the build, the second user will be able to access the cached jar file for that build, even if the supplied credentials are incorrect.

This behaviour is not great, and something we should probably fix at some stage. Since 2 users don’t normally share a gradle home folder, I don’t imagine this being a common issue.


(Etienne Studer) #3

Hi Daz

Thanks for your explanation.

The reason the current behavior is an issue for us (though not a critical one) is that we often create Artifactory users with different permission sets and before I send the credentials to the appropriate person, I want to check on my machine that they are correct, i.e. sufficient to run a given build. This is currently not possible to do, unless I delete my local Gradle cache first.

Please consider this as a feature request.


#4

This is now GRADLE-2328.

In the meantime, can you check the credentials by running the build with “--refresh-dependencies”? This will attempt to download “*.sha1” files from Artifactory, which should verify the credentials as you require.


(Etienne Studer) #5

Thanks for the JIRA issue, Daz.

We will give “--refresh-dependencies” a try later this week, and will let you know how it goes.