I have installed Sonatype Nexus 3 OSS with Hosted Repository for Docker (Private Registry for Docker). I want to have couple of users, which will be able to pull/push docker images, based on their permissions.
First way, how I can do it - is to create several hosted repositories for docker and then via Securiy -> Privileges use repository-view with such approach configure permissions based on exact repository:
username: repository name: permission:
user1 docker-internal-1 nexus:repository-view-:docker:docker-internal-1:read
user2 docker-internal-1 nexus:repository-view-:docker:docker-internal-1:add
user3 docker-internal-2 nexus:repository-view-:docker:docker-internal-2:read
user4 docker-internal-2 nexus:repository-view-:docker:docker-internal-2:add
This approach works, but it requires having multiple hosted repositories for docker.
My question will be - is it somehow possible to have one singe hosted repository for docker and then configure permissions, based on docker repository namespace?
So let's say I have a repository called docker-internal and then I have such permissions:
username: repository name: permission:
user1 docker-internal nexus:repository-view-:docker:docker-internal/namespace1:read
user2 docker-internal nexus:repository-view-:docker:docker-internal/namespace1:add
user3 docker-internal nexus:repository-view-:docker:docker-internal/namespace2:read
user4 docker-internal nexus:repository-view-:docker:docker-internal/namespace2:add
Unfortunately in Nexus 3 documentation I haven't found a way how I can do it with repository-view permissions, cause they only allow you to specify repository name, but no namespace. Then there is such thing as wildcard, which is described in Sonatype docs like "Wildcard -> These are privileges that use patterns to group other privileges." So I've tried to create some regex pattern like this:
nexus:repository-view:docker:docker-internal/namespace1:read
And unfortunately it doesn't work.
To create a new role, click the Create Role button, select Nexus Role and fill out the Role Create feature When creating a new role, you will need to supply a Role ID, and a name and optionally a Description. Roles are comprised of either roles and individual privileges.
Installing Nexus Repository Manager using Helm ChartUsing this configuration, we can deploy the helm chart for nexus repository manager oss to work as an private docker registry. Once Installed Successfully, this is what the home page will look like: Nexus has a few repositories by default.
Nexus Repository supports Docker images and Helm 3 repositories with Proxy, Hosted, and Group repositories, allowing users advanced container management capabilities across development teams.
We find a way to combine content-selectors and permission to support image level permissions.
First you have to create two content selectors:
format=="docker" and path=~"/v2/"
. If you are support v1 protocol too, make sure to create another selector for it.format=="docker" and path=~".*/foo/bar-linux/.*"
The first selector is very important, as without it you are not able to create a rule that allow your users to login.
Then create two privileges based on content-selectors:
Then create a role with only the two privileges, and associate it to the users. It should work.
Please be aware of unexpected behaviours when using some commands: https://issues.sonatype.org/browse/NEXUS-12220
Based on answer from Sonatype Nexus support currently it's not possible to do it via wildcard and namespace in docker registry. So the only working way is to use separate docker repositories and repository-view permissions.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With