 

Configure Sonatype Nexus 3 privileges for hosted docker registry namespace using wildcard

I have installed Sonatype Nexus 3 OSS with a Hosted Repository for Docker (a private Docker registry). I want to have a couple of users who will be able to pull/push Docker images based on their permissions.

The first way I can do it is to create several hosted repositories for Docker and then, via Security -> Privileges, use repository-view privileges to configure permissions based on the exact repository:

username:   repository name:    permission:

user1       docker-internal-1   nexus:repository-view-:docker:docker-internal-1:read
user2       docker-internal-1   nexus:repository-view-:docker:docker-internal-1:add

user3       docker-internal-2   nexus:repository-view-:docker:docker-internal-2:read
user4       docker-internal-2   nexus:repository-view-:docker:docker-internal-2:add

This approach works, but it requires having multiple hosted repositories for Docker.

My question is: is it somehow possible to have one single hosted repository for Docker and then configure permissions based on the Docker repository namespace?

So let's say I have a repository called docker-internal and then I have these permissions:

username:   repository name:    permission:

user1       docker-internal     nexus:repository-view-:docker:docker-internal/namespace1:read
user2       docker-internal     nexus:repository-view-:docker:docker-internal/namespace1:add

user3       docker-internal     nexus:repository-view-:docker:docker-internal/namespace2:read
user4       docker-internal     nexus:repository-view-:docker:docker-internal/namespace2:add

Unfortunately, in the Nexus 3 documentation I haven't found a way to do it with repository-view permissions, because they only allow you to specify the repository name, but not a namespace. Then there is such a thing as a wildcard, which is described in the Sonatype docs as "Wildcard -> These are privileges that use patterns to group other privileges." So I've tried to create a regex pattern like this:

nexus:repository-view:docker:docker-internal/namespace1:read

And unfortunately it doesn't work.

asked Feb 20 '17 by stolho




2 Answers

We found a way to combine content selectors and privileges to support image-level permissions.

First you have to create two content selectors:

  1. "docker-login-all" with the expression format=="docker" and path=~"/v2/". If you support the v1 protocol too, make sure to create another selector for it.
  2. "docker-foo-selector" with an expression matching the image you want to grant access to. For example, to select all the releases of foo/bar-linux, the expression is format=="docker" and path=~".*/foo/bar-linux/.*"

The first selector is very important, as without it you are not able to create a rule that allows your users to log in.

Then create two privileges based on the content selectors:

  1. "docker-login-all-privilege" based on "docker-login-all", applied on all the Docker registries, with read grants. This will grant the ability to log in via the docker CLI.
  2. "docker-foo-privilege" based on "docker-foo-selector", applied on all the Docker registries, with read grants. This will allow your users to pull only foo/bar-linux images.

Then create a role with only the two privileges and associate it with the users. It should work.

Please be aware of unexpected behaviours when using some commands: https://issues.sonatype.org/browse/NEXUS-12220

answered Sep 28 '22 by Ameba Spugnosa
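The following is an added example (not from the answer above, nor Sonatype's own code) that checks the two content-selector expressions from the answer against the paths a Docker client actually requests, before any privilege is created in Nexus. It assumes that the CSEL operator `=~` behaves like a whole-path regex match (here approximated with Python's `re.fullmatch`), that the sample request paths follow the Docker Registry HTTP API V2 layout (`/v2/` for the login ping, `/v2/<name>/manifests/<ref>` and `/v2/<name>/blobs/<digest>` for pulls; the paths themselves are constructed, not captured), and that the REST API bodies shown are posted to `/service/rest/v1/security/content-selectors` and `/service/rest/v1/security/privileges/repository-content-selector`, which are assumed endpoint names you should confirm against your Nexus version. One thing the check makes visible: the unanchored pattern `.*/foo/bar-linux/.*` also matches a deeper image name such as `other/foo/bar-linux`, so the script includes an anchored variant pinned to the registry root.

```python
"""Added example: evaluate Nexus content-selector path patterns offline.

A Nexus 3 content selector is a CSEL expression such as
    format == "docker" and path =~ "<regex>"
Assumptions (not stated on the page): `=~` is treated as a full-string
regex match; sample paths are constructed from the Docker Registry API V2
layout, not captured from a real server; REST endpoints are assumed.
"""
import re
from typing import NamedTuple


class Selector(NamedTuple):
    name: str
    fmt: str          # compared against format == "..."
    path_regex: str   # compared against path =~ "..."

    def matches(self, request_format: str, path: str) -> bool:
        """Approximate CSEL: format == fmt and path =~ path_regex."""
        if request_format != self.fmt:
            return False
        # Assumption: Nexus evaluates =~ as a whole-path match.
        return re.fullmatch(self.path_regex, path) is not None

    def expression(self) -> str:
        """CSEL text as it would be pasted into Security -> Content Selectors."""
        return 'format == "%s" and path =~ "%s"' % (self.fmt, self.path_regex)


# The two selectors exactly as described in the answer.
LOGIN_SELECTOR = Selector("docker-login-all", "docker", "/v2/")
IMAGE_SELECTOR = Selector("docker-foo-selector", "docker", ".*/foo/bar-linux/.*")
# Added tighter alternative: pins the namespace to the registry root.
IMAGE_SELECTOR_ANCHORED = Selector("docker-foo-selector-anchored", "docker",
                                   "/v2/foo/bar-linux/.*")

# Constructed sample requests issued by `docker login`, `docker pull`, etc.
SAMPLE_PATHS = [
    "/v2/",                                      # docker login / API ping
    "/v2/foo/bar-linux/manifests/1.0",           # docker pull foo/bar-linux:1.0
    "/v2/foo/bar-linux/blobs/sha256:0123abcd",   # layer download
    "/v2/foo/bar-linux/tags/list",               # tag listing
    "/v2/foo/bar-linux-extra/manifests/latest",  # similar name, different image
    "/v2/other/foo/bar-linux/manifests/latest",  # deeper namespace containing the name
    "/v2/baz/qux/manifests/latest",              # unrelated image
]


def allowed_paths(selector: Selector, paths=SAMPLE_PATHS, fmt="docker"):
    """Paths a READ privilege built on `selector` would let a user fetch."""
    return [p for p in paths if selector.matches(fmt, p)]


def role_can_read(selectors, path: str, fmt="docker") -> bool:
    """A role holding one READ privilege per selector may read `path` if any
    selector matches; privileges are additive."""
    return any(s.matches(fmt, path) for s in selectors)


def content_selector_payload(selector: Selector) -> dict:
    """Body for POST /service/rest/v1/security/content-selectors (assumed endpoint)."""
    return {"name": selector.name,
            "description": "selector for " + selector.name,
            "expression": selector.expression()}


def privilege_payload(name: str, selector: Selector, repository="*") -> dict:
    """Body for POST /service/rest/v1/security/privileges/repository-content-selector
    (assumed endpoint); READ on all docker repositories, as in the answer."""
    return {"name": name, "description": "read via " + selector.name,
            "actions": ["READ"], "format": selector.fmt,
            "repository": repository, "contentSelector": selector.name}


if __name__ == "__main__":
    for sel in (LOGIN_SELECTOR, IMAGE_SELECTOR, IMAGE_SELECTOR_ANCHORED):
        print(sel.expression())
        for p in allowed_paths(sel):
            print("   allows", p)
    # Without docker-login-all the /v2/ ping is denied, so `docker login` fails.
    print("login without docker-login-all:", role_can_read([IMAGE_SELECTOR], "/v2/"))
    print("login with both selectors:", role_can_read([LOGIN_SELECTOR, IMAGE_SELECTOR], "/v2/"))
```

Running it shows that the login selector matches only the `/v2/` ping, that the image selector alone never matches `/v2/` (which is why the answer insists on the first selector), and that the answer's unanchored pattern additionally admits `/v2/other/foo/bar-linux/...` while the anchored variant does not. Feed the real paths from your registry access log into `SAMPLE_PATHS` to check a selector against actual traffic.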


Based on the answer from Sonatype Nexus support, it's currently not possible to do it via a wildcard and namespace in the Docker registry. So the only working way is to use separate Docker repositories and repository-view permissions.

answered Sep 28 '22 by stolho