Generate a detailed permission trace for any Nexus user

Overview

Nexus 2.7+ provides a REST resource that can be used to identify all the permissions granted to a Nexus user.

A permission trace is relevant when a user receives an authorization failure (HTTP 403) from Nexus. It does not help with an authentication failure (HTTP 401): a 401 means that no active Security Realm could authenticate the supplied credentials, so authorization never started and there is nothing for the trace to explain.

The information in a permission trace is similar to what the Security -> Users -> Privilege Trace tab in the Users UI shows, with one addition: the trace exposes the permission string Nexus evaluates when it decides access to a resource at runtime.

Used together with the log messages that state which permission is required to access a particular resource, the trace lets an administrator compare what the user holds against what the resource demands, and adjust roles and privileges accordingly.

Trace Example

Suppose a user with the username jane has requests failing with a 403 response, and you are the Nexus administrator using the default administrator account, username admin.

To get a trace of permissions for the jane user, request the security-diagnostic resource with your administrator credentials. Note that curl -v echoes the request headers, including the Authorization header; in the output below its Base64 value decodes to admin:admin123, the Nexus default credentials, so redact that line before pasting a trace into a support ticket:

> curl -v http://localhost:8081/nexus/service/siesta/atlas/security-diagnostic/user/jane -u admin
Enter host password for user 'admin':
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8081 (#0)
* Server auth using Basic with user 'admin'
> GET /nexus/service/siesta/atlas/security-diagnostic/user/jane HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4xMjM=
> User-Agent: curl/7.39.0
> Host: localhost:8081
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Thu, 22 Jan 2015 16:49:41 GMT
< Server: Nexus/2.11.1-01
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Set-Cookie: rememberMe=deleteMe; Path=/nexus; Max-Age=0; Expires=Wed, 21-Jan-2015 16:49:41 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
<
{
  "user" : {
    "userId" : "jane",
    "status" : "active",
    "firstName" : "jane",
    "lastName" : "jane",
    "emailAddress" : "jane@example.com",
    "readOnly" : false,
    "source" : "default",
    "name" : "jane jane",
    "roles" : {
      "metrics-endpoints" : {
        "description" : "Allows access to metrics endpoints.",
        "readOnly" : true,
        "source" : "default",
        "name" : "Metrics Endpoints",
        "privileges" : {
          "metrics-endpoints" : {
            "type" : "method",
            "properties" : {
              "method" : "*",
              "permission" : "nexus:metrics-endpoints"
            },
            "description" : "Allows access to metrics endpoints.",
            "readOnly" : true,
            "name" : "Metrics Endpoints"
          }
        }
      },
      "any-all-view" : {
        "description" : "Gives access to view ALL  Repositories in Nexus.",
        "readOnly" : true,
        "source" : "default",
        "name" : "Repo: All  Repositories (View)"
      }
    }
  }
}
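The trace becomes actionable once it is compared against the permission string a 403 log message names. The following Python script is an added example, not part of the Nexus documentation or code base: it flattens the trace for jane (embedded as constructed sample input, trimmed to the fields the script reads) into the set of granted permission strings, then reports which of them, if any, satisfies a required permission. The matching rule assumes that the permission strings follow Apache Shiro's WildcardPermission syntax (colon-separated parts, comma-separated alternatives within a part, `*` as wildcard, shorter strings implying longer ones with the same prefix), Shiro being the library Nexus 2 uses for authorization. The exact required strings and the log message format are not shown on this page, so substitute whatever your Nexus log reports. The fetch_trace helper, which calls the REST resource shown above, is also an assumption about usage and is not exercised in the offline demo.

```python
"""Flatten a Nexus 2 permission trace and test it against a required permission.

Added example, not Nexus project code. The sample trace is constructed from the
response for user jane shown above. Permission matching assumes Apache Shiro
WildcardPermission semantics, which Nexus 2 uses for authorization checks.
"""
import base64
import json
import urllib.request

# Constructed sample input: the trace returned for user jane above, trimmed to
# the fields this script reads. Note that the any-all-view role carries no
# "privileges" key in the trace, so it contributes no permission strings.
SAMPLE_TRACE = json.loads("""
{
  "user": {
    "userId": "jane",
    "roles": {
      "metrics-endpoints": {
        "name": "Metrics Endpoints",
        "privileges": {
          "metrics-endpoints": {
            "type": "method",
            "properties": {"method": "*", "permission": "nexus:metrics-endpoints"}
          }
        }
      },
      "any-all-view": {
        "name": "Repo: All  Repositories (View)"
      }
    }
  }
}
""")


def fetch_trace(base_url, user_id, admin_user, admin_password):
    """Fetch a live trace from the security-diagnostic resource shown above.
    base_url is the Nexus context root, e.g. http://localhost:8081/nexus.
    Not called by the offline demo below (assumed usage, no network needed)."""
    url = f"{base_url}/service/siesta/atlas/security-diagnostic/user/{user_id}"
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def granted_permissions(trace):
    """Return {permission string: (role id, privilege id)} for every privilege
    in the trace. Roles that list no privileges add nothing."""
    granted = {}
    for role_id, role in trace["user"].get("roles", {}).items():
        for priv_id, priv in role.get("privileges", {}).items():
            permission = priv.get("properties", {}).get("permission")
            if permission:
                granted[permission] = (role_id, priv_id)
    return granted


def _parts(permission):
    # Shiro splits on ':' into parts; each part is a set of ','-separated
    # tokens, compared case-insensitively.
    return [set(tok.strip().lower() for tok in part.split(","))
            for part in permission.strip().split(":")]


def implies(granted, required):
    """Shiro WildcardPermission.implies: does `granted` cover `required`?
    A granted string with fewer parts implies any longer string sharing its
    prefix (e.g. "nexus" implies "nexus:metrics-endpoints"); a granted string
    with more parts than required only implies it if the extra parts are '*'."""
    g, r = _parts(granted), _parts(required)
    for i, req_part in enumerate(r):
        if i >= len(g):
            return True
        if "*" not in g[i] and not req_part <= g[i]:
            return False
    return all("*" in part for part in g[len(r):])


def who_grants(trace, required):
    """List (permission, role id, privilege id) entries in the trace that
    satisfy `required`, the permission string a 403 log message names.
    An empty list means the user lacks it and a role/privilege must be added."""
    return [(perm, role, priv)
            for perm, (role, priv) in granted_permissions(trace).items()
            if implies(perm, required)]


if __name__ == "__main__":
    for required in ("nexus:metrics-endpoints", "nexus:repositories:releases:read"):
        hits = who_grants(SAMPLE_TRACE, required)
        print(required, "->", hits or "NOT GRANTED")
```

Running the demo shows that jane's trace grants nexus:metrics-endpoints through the metrics-endpoints role, while a repository read permission is not covered by any privilege the trace lists; that is the gap an administrator would close by adding a role whose privileges imply the required string.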