Allow Anonymous Downloads Using jf rt dl for Public Artifacts #3569

Description

@Vamsheeth

Is your feature request related to a problem? Please describe.

Organizations often expose selected Artifactory repositories or artifacts for anonymous/public download. While these artifacts are accessible through their direct repository URLs, JFrog CLI's jf rt dl command cannot download them anonymously because it performs an AQL query before initiating the download.

For example, the following command fails when attempting to download a publicly accessible artifact from a repository with anonymous access enabled:

jf rt dl --url=https://<artifactory-url>/artifactory "<repository>/<path>/<artifact>"

Error:
403 Only non-anonymous users are allowed to access AQL queries

However, the same artifact can be downloaded successfully using its direct URL:

curl -O https://<artifactory-url>/artifactory/<repository>/<path>/<artifact>

This indicates that:

  • The artifact is publicly accessible.
  • Anonymous download permissions are configured correctly.
  • The failure occurs because JFrog CLI requires an AQL query before downloading the artifact.

As a result, users cannot leverage JFrog CLI for anonymous downloads even when the artifact itself is publicly available.

Describe the solution you'd like to see

Allow jf rt dl to download a known artifact path from a public repository without requiring AQL authentication.

Possible implementations:

  • When the download target is a fully qualified artifact path, bypass AQL and perform a direct download request.
  • Introduce an option such as:

    jf rt dl --url=https://<artifactory-url>/artifactory --direct-download "<repository>/<path>/<artifact>"

  • Automatically fall back to a direct artifact download when AQL fails due to anonymous-access restrictions and the target path is explicitly specified.

This would allow users to benefit from JFrog CLI features while supporting repositories intentionally exposed for anonymous consumption.

Describe alternatives you've considered

  • Configuring JFrog CLI with credentials (jf c add).
  • Passing a username/password or access token with every invocation.
  • Using a dedicated read-only service account.
  • Downloading artifacts directly using curl or wget.

While these alternatives work, they either require credential management or bypass JFrog CLI completely. Since direct downloads already succeed anonymously, it would be beneficial if JFrog CLI could support the same use case natively.

Additional context

Environment

  • JFrog CLI Version: 2.109.0
  • Artifactory anonymous access: Enabled
  • Repository: Publicly accessible
  • Artifact path: Fully known

Reproduction

jf rt dl --url=https://<artifactory-url>/artifactory "<repository>/<path>/<artifact>"

Result:

403 Only non-anonymous users are allowed to access AQL queries

At the same time:

curl -O https://<artifactory-url>/artifactory/<repository>/<path>/<artifact>

downloads the artifact successfully.

The repository is intentionally configured for anonymous access, but JFrog CLI cannot consume it because it depends on AQL before downloading. Supporting direct downloads for explicitly specified artifact paths would close this gap, improve the user experience for public repository consumers, and allow JFrog CLI to be used consistently across both authenticated and anonymous download scenarios.

We also evaluated jf rt curl as a CLI-based alternative. However, jf rt curl only supports Artifactory REST API endpoints and does not accept direct artifact URLs, so it cannot be used to anonymously download public artifacts from repository paths.
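
The third proposed implementation above (fall back to a direct download only when AQL answers 403 and the target is an explicit path), as an added Go example; it is not part of the original issue and is not JFrog CLI code. The function names and the sample path are hypothetical, and treating `*` as the only wildcard character is an assumption.

```go
// Added illustration, not JFrog CLI source; names and sample path are constructed.
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// IsExplicitPath: target names one artifact (repo/.../file) with no "*" wildcard,
// no empty segment (so no trailing slash) and no "." or ".." segment.
func IsExplicitPath(target string) bool {
	parts := strings.Split(target, "/")
	for _, p := range parts {
		if p == "" || p == "." || p == ".." || strings.Contains(p, "*") {
			return false
		}
	}
	return len(parts) >= 2
}

// ShouldFallback: only when AQL answered 403 and one artifact is named.
func ShouldFallback(aqlStatus int, target string) bool {
	return aqlStatus == http.StatusForbidden && IsExplicitPath(target)
}

// FetchDirect sends an unauthenticated GET to <base>/<repo>/<path>/<artifact>
// with each segment escaped, and rejects any reply other than 200.
func FetchDirect(c *http.Client, base, target string) ([]byte, error) {
	if !IsExplicitPath(target) {
		return nil, fmt.Errorf("%q needs a search, not a direct download", target)
	}
	segs := strings.Split(target, "/")
	for i, s := range segs {
		segs[i] = url.PathEscape(s)
	}
	resp, err := c.Get(strings.TrimRight(base, "/") + "/" + strings.Join(segs, "/"))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("direct download of %q: %s", target, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

func main() { fmt.Println(ShouldFallback(403, "libs-public/tools/app-1.0.zip")) }
```

Limiting the fallback to a 403 on an explicit path keeps other AQL failures visible and stops a search pattern from being sent as a literal URL.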