Access to group repo grants access to all member repos?

I’m migrating from Artifactory to Nexus and just noticed that simple read access to a group Maven repo grants read access to all repos inside this group - even if the member repos are not accessible for the user. This would make privileges completely useless, so I don’t think this is the desired behavior - but what am I missing?

My test user only got a read-privilege on the group repo but could download artifacts from the hosted member repo.

BTW: In Artifactory these groups work out-of-the-box as I expect…

This is by design: permissions for the group repository grant access for the user to make requests to content the group provides.

Group permissions do not provide access when talking directly to a member repository.

You may find this article to be of some help: https://support.sonatype.com/hc/en-us/articles/221279107-How-can-I-create-private-repositories-in-Nexus-Repository-Manager-

It was written for Nexus Repo 2, but the principles are the same for 3.

Thanks for the clarification about group permissions. For me it’s a little bit unusual since this somehow involves group repos in the permission model. Maybe you could explicitly document this somewhere.

This article a few hours earlier would have saved me some time :wink:

But I did it exactly like this: deny company artifacts on the group repo and activate the sub paths for teams. It works, but makes permissions quite complex because the content selectors for read access depend on string patterns. And I had to mix content selectors for read and repo views for write.

Seems to me a little bit complex for a common use case, but it works.

The solution with the different team groups doesn’t work very well if a user is in several groups because there’s no fixed URL.
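
The behavior discussed in this thread can be written down as a small access model. This is an added example, not code from the thread or from Sonatype: it is a simplified model in which the read decision uses only privileges attached to the repository named in the request, and a content selector is reduced to a path prefix. All repository names, paths and helper names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ReadPrivilege:
    repo: str                # repository the privilege is attached to
    path_prefix: str = "/"   # "/" models a whole-repo read privilege;
                             # a longer prefix models a content selector

# Constructed layout: one group repository with two hosted members.
GROUPS = {"maven-all": ["team-a-hosted", "team-b-hosted"]}
A_JAR = "/com/example/team-a/app/1.0/app-1.0.jar"
B_JAR = "/com/example/team-b/lib/2.1/lib-2.1.jar"
CONTENT = {"team-a-hosted": {A_JAR}, "team-b-hosted": {B_JAR}}

def served_paths(repo):
    """Paths a repository serves; a group serves the union of its members."""
    if repo in GROUPS:
        return set().union(*(CONTENT[m] for m in GROUPS[repo]))
    return CONTENT.get(repo, set())

def can_read(privs, repo, path):
    """Only privileges on the requested repo count; member privileges are ignored."""
    if path not in served_paths(repo):
        return False
    return any(p.repo == repo and path.startswith(p.path_prefix) for p in privs)

def audit(privs):
    """List every (repo, path) pair a privilege set can read, for review."""
    repos = list(GROUPS) + list(CONTENT)
    return sorted((r, p) for r in repos for p in served_paths(r)
                  if can_read(privs, r, p))

if __name__ == "__main__":
    # Whole-group read: member content is reachable through the group URL only.
    broad = [ReadPrivilege("maven-all")]
    print(audit(broad))
    # Selector-style read scoped to one team's sub path on the group.
    scoped = [ReadPrivilege("maven-all", "/com/example/team-a/")]
    print(audit(scoped))
```
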