Nexus Repository Manager 2.x Security Cookbook

This article describes how to set up some commonly requested Nexus 2.x security configurations.


Can I make a repository private without disabling anonymous access?

Yes. You will need to change the roles around a bit.

Note: Assigning access to a group is equivalent to assigning these privileges to all of the repositories in the group.

  1. Create a new Privilege that gives access to your public group (or individual repositories).

    1. Log in to Nexus as an administrator.
    2. Click on Privileges in the left menu.
    3. Click Add.
    4. Use the following values:
      • Name: M2 Public Repositories (Group)
      • Description: Access to Public Repositories (Group)
      • Repository: Public Repositories (Group)
      • Repository Target: All (Maven2)
    5. Repeat the previous step for all of your public groups and/or repositories.
    6. Save.
  2. Create a new Role and assign the new privilege to it.

    1. Click on Roles in the left menu.
    2. Click Add.
    3. Use the following values:
      • Role Id: repo-public-read
      • Name: Repo: All Public Repositories (read)
      • Description: Read only access to all public repositories.
      • Selected Roles / Privileges: M2 Public Repositories (Group) - (read)
    4. Include all of the group/repository privileges you created in the first step.
    5. Save.
  3. Remove the "read all repositories" role from the Anonymous user and add the new role.

    1. Click on Users in the left menu.
    2. Click on the anonymous user.
    3. Remove the role ‘Repo: All Repositories (read)’.
    4. Add the role ‘Repo: All Public Repositories (read)’.
    5. You may need to create other Privileges to grant specific users access to your private repositories.
    6. Save.
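After making the role change above, it is worth confirming from outside the UI that anonymous requests really are denied on the private repositories and still succeed on the public group. The script below is an added example, not part of the original article. It assumes a Nexus 2 server at BASE_URL with the standard content paths (/content/groups/<groupId>/ and /content/repositories/<repoId>/), that a missing permission is answered with HTTP 401 or 403, that directory browsing is left enabled so the group root answers 200, and the group and repository ids in PUBLIC_GROUPS and PRIVATE_REPOS are placeholders.

```python
"""Audit anonymous access after restricting the Anonymous user's roles.

Added example (not from the original article). Assumptions: Nexus 2 at
BASE_URL with its default context path; Nexus 2 content URLs of the form
/content/groups/<groupId>/ and /content/repositories/<repoId>/; a missing
permission answers 401 or 403; the public group root answers 200 because
browsing is enabled. Group and repository ids are placeholders.
"""
import base64
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8081/nexus"      # assumption: default Nexus 2 context path
PUBLIC_GROUPS = ["public"]                    # placeholder: groups anonymous users may read
PRIVATE_REPOS = ["internal-releases"]         # placeholder: repositories that must stay private
DENIED = {401, 403}                           # assumption: statuses Nexus returns without permission


def content_path(kind, repo_id):
    """Build the Nexus 2 content URL; kind is 'groups' or 'repositories'."""
    return f"{BASE_URL}/content/{kind}/{repo_id}/"


def http_status(url, username=None, password=None):
    """GET the URL and return the HTTP status (network call; the offline checks do not use it)."""
    req = urllib.request.Request(url)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(repo_id, is_private, anon_status):
    """Compare one observed anonymous status with what the role change should produce.

    Returns (ok, message): a private repository must answer 401/403 to an
    anonymous GET, a public group must answer 200.
    """
    if is_private:
        ok, expected = anon_status in DENIED, "401/403"
    else:
        ok, expected = anon_status == 200, "200"
    state = "OK" if ok else "MISCONFIGURED"
    return ok, f"{state}: {repo_id} anonymous -> {anon_status} (expected {expected})"


def audit(statuses):
    """statuses: {repo_id: (is_private, anon_status)} -> (list of (ok, message), overall ok)."""
    results = [verdict(rid, private, status) for rid, (private, status) in statuses.items()]
    return results, all(ok for ok, _ in results)


def main():
    observed = {}
    for gid in PUBLIC_GROUPS:
        observed[gid] = (False, http_status(content_path("groups", gid)))
    for rid in PRIVATE_REPOS:
        observed[rid] = (True, http_status(content_path("repositories", rid)))
    results, all_ok = audit(observed)
    for _, message in results:
        print(message)
    print("anonymous access policy holds" if all_ok else "review the anonymous user's roles")
    return all_ok


if __name__ == "__main__":
    raise SystemExit(0 if main() else 1)
```

Run it with no credentials so every request is anonymous; a private repository that still answers 200 means the ‘Repo: All Repositories (read)’ role (or another privilege on that repository) is still reachable by the anonymous user.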

How do I disable artifact redeployment against a hosted repository?

Important: The steps below are valid, but all current versions of Nexus have a "deployment policy" setting in hosted repository configuration. Setting this to "disable redeploy" will accomplish the same thing as the steps below and is the preferred approach.

  1. Create a new deployment role that does not have the update privilege on artifacts but does have a privilege to update metadata. First, create a new Privilege that gives access to Maven 2 metadata only.

    1. Log in to Nexus as an administrator.
    2. Click on Privileges in the left menu.
    3. Click Add. Use the following values:
      • Name: All M2 Repositories Metadata
      • Description: All M2 Repositories Metadata
      • Repository: All Repositories
      • Repository Target: All Metadata (Maven2)
    4. Save.
  2. Create a new Deployment Role.

    1. Click on Roles in the left menu.
    2. Click Add.
    3. Use the following values:
      • Role Id: repo-custom-deploy
      • Name: Repo: All Repositories (no update)
      • Description: Allows deployment to all M2 Repositories, but does not allow overwriting artifacts.
      • Selected Roles / Privileges: All Metadata (Maven2) - (update), Nexus Anonymous Role, All M2 Repositories - (create), All M2 Repositories - (read), All M2 Repositories - (delete). Adding delete is optional; note that a user who holds both delete and create can remove an artifact and deploy it again, so leave delete out if the goal is that released artifacts cannot be replaced.
    4. Save.
  3. Replace the roles assigned to the deployment user.

    1. Click on Users in the left menu.
    2. Click on the deployment user.
    3. Remove the roles ‘Repo: All Repositories (Full Control)’ and ‘Nexus Deployment Role’.
    4. Add the role ‘Repo: All Repositories (no update)’.
    5. Save.
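Whichever approach you take (the custom role above or the hosted repository's "disable redeploy" deployment policy), the result can be checked by deploying a throwaway artifact twice with the deployment account and confirming that only the first upload is accepted. The script below is an added example, not part of the original article. It assumes a Nexus 2 server at BASE_URL, a hosted Maven 2 repository REPO_ID, placeholder deployment credentials, that an accepted PUT answers 200 or 201, and that a rejected redeploy answers 400 (deployment policy) or 401/403 (missing update privilege); all of these ids, credentials and status codes are assumptions.

```python
"""Probe that a deployment account can deploy once but cannot overwrite.

Added example (not from the original article). Assumptions: Nexus 2 at
BASE_URL; hosted repository REPO_ID; USER/PASSWORD are a placeholder
deployment account; an accepted PUT answers 200/201; a rejected redeploy
answers 400 (deployment policy "disable redeploy") or 401/403 (role without
the update privilege). The probe leaves one small artifact in the repository.
"""
import base64
import urllib.error
import urllib.request
import uuid

BASE_URL = "http://localhost:8081/nexus"    # assumption: default Nexus 2 context path
REPO_ID = "releases"                         # placeholder hosted repository id
USER, PASSWORD = "deployment", "changeme"    # placeholder deployment credentials
ACCEPTED = {200, 201}                        # assumption: statuses for a successful deploy
REJECTED = {400, 401, 403}                   # assumption: statuses for a refused redeploy


def artifact_url(group_id, artifact_id, version, filename):
    """Maven 2 layout under the hosted repository: group dots become path separators."""
    group_path = group_id.replace(".", "/")
    return f"{BASE_URL}/content/repositories/{REPO_ID}/{group_path}/{artifact_id}/{version}/{filename}"


def put_status(url, body):
    """PUT the body with basic auth and return the HTTP status (network call)."""
    req = urllib.request.Request(url, data=body, method="PUT")
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/octet-stream")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def redeploy_verdict(first_status, second_status):
    """Return (ok, message); ok only if the first PUT was accepted and the second refused."""
    if first_status not in ACCEPTED:
        return False, f"initial deploy failed ({first_status}); check the create privilege"
    if second_status in ACCEPTED:
        return False, f"redeploy ACCEPTED ({second_status}); artifacts can still be overwritten"
    if second_status in REJECTED:
        return True, f"redeploy rejected ({second_status}); policy holds"
    return False, f"unexpected status on redeploy ({second_status}); inspect the server log"


def main():
    # A fresh version string makes sure the first PUT is a genuinely new artifact.
    version = "1.0." + uuid.uuid4().hex[:8]
    url = artifact_url("com.example.check", "redeploy-probe", version, f"redeploy-probe-{version}.txt")
    first = put_status(url, b"first upload\n")
    second = put_status(url, b"second upload, should be refused\n")
    ok, message = redeploy_verdict(first, second)
    print(message)
    return ok


if __name__ == "__main__":
    raise SystemExit(0 if main() else 1)
```

Run it as the deployment user against a non-production hosted repository first; a second PUT that comes back 201 means the account still holds an update privilege on that repository (for example through a role that was not removed in step 3).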

2 Comments

  • Marco Wlotzka

    Hi Peter, thanks for your cookbook.

    I would have expected that the read permission would also control the view permission of the repo/group in the web UI but that's an extra permission called "Public Repositories (view)".

    And I would have thought that "Public Repositories (view)" would be enough to see all the repos in the Web UI belonging to that group, similar to what you say for the "M2 Public Repositories (read)" permission:

    "Note: Assigning access to a group is equivalent to assigning these privileges to all of the repositories in the group."

    But I only see the group, not the belonging repos, and therefore have to add the view permission of every single repository to the repo-public-read role to make them available through the UI. Is there a more elegant way?

    Maybe it's not necessary as long as all artifacts are available via the group, but it would be nice when all the repos belonging to the group are shown without the extra task of adding the view permission to the role.

    Regards

    Marco

    UPDATE: Ok, makes sense to me now. View permission for the group does not include the view permission for repos belonging to that group. Got it :)

    Edited by Marco Wlotzka
  • Peter Lynch

    We are closing this article for comments.

    If you have a support license, please contact us by submitting a support ticket.

    If you do not have a support license, please use our Nexus Users List or our other free support resources.
