Configure Sonatype Nexus 3 privileges for hosted docker registry namespace using wildcard


Stanislav Khotinok

Feb 20, 2017, 8:06:49 AM
to Nexus Users

I have installed Sonatype Nexus 3 OSS with a Hosted Repository for Docker (Private Registry for Docker). I want to have a couple of users who will be able to pull/push Docker images, based on their permissions.

The first way I can do it is to create several hosted repositories for Docker and then, via Security -> Privileges, use repository-view to configure permissions based on the exact repository:

username:   repository name:    permission:

user1       docker-internal-1   nexus:repository-view-:docker:docker-internal-1:read
user2       docker-internal-1   nexus:repository-view-:docker:docker-internal-1:add

user3       docker-internal-2   nexus:repository-view-:docker:docker-internal-2:read
user4       docker-internal-2   nexus:repository-view-:docker:docker-internal-2:add

This approach works, but it requires having multiple hosted repositories for docker.

My question is: is it somehow possible to have one single hosted repository for Docker and then configure permissions based on the Docker repository namespace?

So let's say I have a repository called docker-internal and then I have such permissions:

username:   repository name:    permission:

user1       docker-internal     nexus:repository-view-:docker:docker-internal/namespace1:read
user2       docker-internal     nexus:repository-view-:docker:docker-internal/namespace1:add

user3       docker-internal     nexus:repository-view-:docker:docker-internal/namespace2:read
user4       docker-internal     nexus:repository-view-:docker:docker-internal/namespace2:add

Unfortunately, in the Nexus 3 documentation I haven't found a way to do it with repository-view permissions, because they only allow you to specify the repository name, but no namespace. Then there is such a thing as a wildcard, which is described in the Sonatype docs like "Wildcard -> These are privileges that use patterns to group other privileges." So I've tried to create a regex pattern like this:

nexus:repository-view:docker:docker-internal/namespace1:read

And unfortunately it doesn't work.

Nikola Milutinovic

Feb 21, 2017, 3:49:44 AM
to Nexus Users

Hi Stanislav.

Nexus 2.x had a concept of “Repository targets”, which do exactly what you want.

https://books.sonatype.com/nexus-book/reference/repository-targets.html

Now, I couldn’t find it in the docs of 3.x. There is only a faint reference to it in the NuGet part of the docs, section 8.6:

https://books.sonatype.com/nexus-book/3.0/reference/nuget.html#nuget-accessing_packages_in_repositories_and_groups

Maybe dig through the GUI?

Nix.


Stanislav Khotinok

Feb 21, 2017, 4:32:33 AM
to Nexus Users, n.milu...@levi9.com
Hi Nikola,

Thanks a lot for your reply. I just got an answer from Sonatype that currently it's not possible via wildcard for a Docker namespace. So the only way is to do it via multiple hosted Docker repositories.

Best,
Stanislav