Cannot set 'read-only' status for NXRM

nick.sorokin · August 11, 2021, 10:25am

Hello, Everybody

I have an instance of NXRM OSS version 3.28.1-01 for which I want to set ‘read-only’ status for the purpose of blob storage back-up. I can set this through NXRM web interface (/#admin/system/api) but I would like to do this from command shell. When I try to call API with curl command the following results produced:

Call without user/password:
console output

 sudo curl -w "\n%{http_code}\n" -o nxrm-freeze.resp --dump-header nxrm.hdr -X POST http://nsatlnx01:8381/nx3/service/rest/v1/read-only/freeze" -H "accept: application/json"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

403

response headers

HTTP/1.1 403 Forbidden
Date: Wed, 11 Aug 2021 10:04:24 GMT
Server: Nexus/3.28.1-01 (OSS)
X-Content-Type-Options: nosniff
X-Siesta-FaultId: bd35ef94-bb71-4e42-b971-846ce63451e1
Content-Length: 0

NXRM log

2021-08-11 13:04:24,094+0300 WARN  [qtp24045129-179]  *UNKNOWN org.sonatype.nexus.siesta.internal.AuthorizationExceptionMapper - (ID bd35ef94-bb71-4e42-b971-846ce63451e1) Response: [403] (no entity/body); mapped from: org.apache.shiro.authz.AuthorizationException: User is not permitted: nexus:*

Call with user/password
console output

sudo curl -u "ns.admin:\***********" -w "\n%{http_code}\n" -o nxrm-freeze.resp --dump-header nxrm.hdr -X POST "http://nsatlnx01:8381/nx3/service/rest/v1/read-only/freeze" -H "accept: application/json"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

401

response headers

HTTP/1.1 401 Unauthorized
Date: Wed, 11 Aug 2021 10:10:11 GMT
Server: Nexus/3.28.1-01 (OSS)
X-Content-Type-Options: nosniff
WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
Content-Length: 0

NXRM log does not record this attempt, NXRM request log has

192.168.1.204 - - [11/Aug/2021:13:15:49 +0300] "POST /nx3/service/rest/v1/read-only/freeze HTTP/1.1" 401 - 0 100 "curl/7.64.0" [qtp24045129-179]

I will be very grateful for explanation were I’m wrong and any help pointing me to correct solution.

With best regards,
Nick Sorokin

dsawa · August 11, 2021, 11:35am

Hi Nick,
The only thing I can see is it might be that you are passing your credentials in a wrong way. There shouldn’t be need be a need to use backslash after colon unless you’ve got actual doublequote character as part of your password there.

curl -vvv -u'admin:admin123' -X POST "http://localhost:8081/service/rest/v1/read-only/freeze" -H "accept: application/json"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8081 (#0)
* Server auth using Basic with user 'admin'
> POST /service/rest/v1/read-only/freeze HTTP/1.1
> Host: localhost:8081
> Authorization: Basic YWRtaW46YWRtaW4xMjM=
> User-Agent: curl/7.64.1
> accept: application/json
> 
< HTTP/1.1 204 No Content
< Date: Wed, 11 Aug 2021 11:29:41 GMT
< Server: Nexus/3.31.0-01 (PRO)
< X-Content-Type-Options: nosniff
< 
* Connection #0 to host localhost left intact
* Closing connection 0

nick.sorokin · August 11, 2021, 11:48am

Hi Dawid,

I have a special character in thepassword, specifically ‘!’ - that’s why I’ve used backslash, otherwise bash shell is screaming
Nick

dsawa · August 11, 2021, 12:17pm

If you replace double quotes (-u "user:!pass") with single quotes (-u 'user:!pass') Bash should be fine with exclamation mark. BTW, you shouldn’t have to use sudo to use cURL - it’s just an unnecessary security risk unless cURL is available only to admins on your system.

nick.sorokin · August 11, 2021, 5:17pm

Hi Dawid,

Thank you very much - single quotes work well.

As to security risks on this instance: I’ve used sudo for cURL trying to troubleshoot the problem. This instance is really personal NXRM server located behind firewall and doesn’t have inbound connections from Internet. Also, nobody exept myself has physical access to this instance. But as general advice on sudo - I’ll keep in mind your suggestion.

Thanks again. With best regards,
Nick