Proxy Repository and use Content Selectors?


KimJohn Quinn

Jul 18, 2018, 5:07:18 PM
to Nexus Users
In Nexus3, can I proxy a repository but filter what can be viewed vs. read on the receiving side? We have a content selector and view that works on our Nexus when I log in, but on the client Nexus it shows all the artifacts.

We have a repository that we want to mirror but only expose some of the modules for browsing. Other modules "could" be read but not viewed in the UX tree.

Thanks.

KJQ

KimJohn Quinn

Jul 18, 2018, 5:40:01 PM
to Nexus Users
I believe what I am looking for is an equivalent of "routing?" I have free rein on our Nexus but not the target that proxies us...

Peter Lynch

Jul 18, 2018, 6:56:31 PM
to k...@logicdrop.com, Nexus Users
On Wed, Jul 18, 2018 at 6:40 PM KimJohn Quinn <k...@logicdrop.com> wrote:
> I believe what I am looking for is an equivalent of "routing?" I have free rein on our Nexus but not the target that proxies us...
>
> On Wednesday, July 18, 2018 at 5:07:18 PM UTC-4, KimJohn Quinn wrote:
>> In Nexus3, can I proxy a repository but filter what can be viewed vs. read on the receiving side? We have a content selector and view that works on our Nexus when I log in, but on the client Nexus it shows all the artifacts.

Shows where? The client Nexus is either proxying with a user/pass or as the anonymous user. In either case it should only be able to download what the permissions allow.

There is a use case for routing ( https://issues.sonatype.org/browse/NEXUS-17281 ) but it doesn't sound like what you need yet.

>> We have a repository that we want to mirror but only expose some of the modules for browsing. Other modules "could" be read but not viewed in the UX tree.
>>
>> Thanks.
>>
>> KJQ


Christian Sandrini

Aug 16, 2018, 2:55:25 AM
to Nexus Users
I would be interested in that solution as well. Just as an example:

- Create a proxy repository that connects to Dockerhub
- Only allow certain images / projects to be pulled through the proxy, i.e. sonatype/nexus

best
Chris

ds...@sonatype.com

Aug 17, 2018, 3:13:58 AM
to Nexus Users

Rich Seddon

Aug 17, 2018, 11:37:23 AM
to Nexus Users
Docker images are stored like this in Nexus:


The blobs are docker layers, and they can (and often are) shared between multiple docker images. This sharing of layers is the reason why docker is an efficient format for storing VMs. The upshot of this is that you can't restrict access to layers. So you'll need to create a content selector privilege that allows access to all layers. Additionally, you need to allow access to "/v2/" for docker login, and "/v1/search" for search. And finally, for anonymous access to work you'll need to allow access to the bearer token resource. The simplest way to accomplish all of this is to allow access to everything except for the /v2/library paths where the manifests and tags are stored:

path =~ "(?!/v2/library/).*"

The above is a negated regular expression match, so it will match anything that doesn't start with /v2/library/.

After this, you can selectively allow access to manifests and tags by using content selectors like this:

path =^ "/v2/library/some-docker-image/"

Christian Sandrini

Oct 11, 2018, 6:21:27 AM
to Nexus Users, k...@logicdrop.com
Hi Rich

Thanks for your answer. I am still unsure how to define the content selector if, for example, I would like to allow only containers being pulled from the microsoft repository:


format == "docker" && 
path =~ "(?!/v2/library/).*" && 
path =~ "v2/microsoft/.*" 

best
Chris


Rich Seddon

Oct 11, 2018, 10:00:45 AM
to Nexus Users, k...@logicdrop.com
Try altering the last expression:

path =~ "/v2/library/microsoft/.*"


And be sure you're on a recent Nexus Repo 3 version, there were some fixes in this area not too long ago.
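
An added example, not code from this thread or from Sonatype: a small Python model for checking how the selector expressions quoted above evaluate against Docker request paths before granting them. It assumes `=~` is a full-string regular expression match and `=^` is a starts-with test, that separately granted content selector privileges are additive, and it uses constructed sample paths.

```python
import re

# Assumed CSEL semantics: `=~` is a full-string regex match, `=^` is starts-with.
def regex_match(pattern):
    compiled = re.compile(pattern)
    return lambda path: compiled.fullmatch(path) is not None

def starts_with(prefix):
    return lambda path: path.startswith(prefix)

def all_of(*clauses):
    """Clauses joined with && inside one selector: every clause must match."""
    return lambda path: all(clause(path) for clause in clauses)

def allowed(path, selectors):
    """Assumption: privileges are additive, so any matching selector grants access."""
    return any(selector(path) for selector in selectors)

# The two selectors from the Aug 17 post, granted as separate privileges.
NOT_LIBRARY = regex_match(r"(?!/v2/library/).*")
ONE_IMAGE = starts_with("/v2/library/some-docker-image/")
SEPARATE = [NOT_LIBRARY, ONE_IMAGE]

# One selector joining the negated match and the Oct 11 expression with &&.
COMBINED = [all_of(NOT_LIBRARY, regex_match(r"/v2/library/microsoft/.*"))]

# Constructed request paths (not taken from a real repository).
SAMPLE_PATHS = [
    "/v2/",
    "/v1/search",
    "/v2/-/blobs/sha256:0000",
    "/v2/library/some-docker-image/manifests/latest",
    "/v2/library/other-image/manifests/latest",
    "/v2/library/microsoft/manifests/latest",
]

def evaluate(selectors):
    """Map each sample path to whether the given selector set allows it."""
    return {path: allowed(path, selectors) for path in SAMPLE_PATHS}

if __name__ == "__main__":
    separate, combined = evaluate(SEPARATE), evaluate(COMBINED)
    for path in SAMPLE_PATHS:
        print(f"{path:48} separate={separate[path]!s:5} combined={combined[path]}")
```

Under these assumptions the two separate selectors allow login, search, layers and the one named image, while the single `&&` selector allows none of the sample paths, because no path can both avoid and begin with /v2/library/.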