Docker-repository permission


#1

Hello good people!

Need some help in configuring private docker repository.

So situation is:
The repository is set up and working well, but I need to split permissions a bit.
For example, one team has some images that they don't want to be accessible by others.
Is there any way to do that with a Nexus mechanism? I was thinking of content selectors but I'm not sure how to configure them properly… In my case it is not an option to set up more private registries (we have many teams and it makes no sense for our company to set up a private registry for every team).

I'm thinking of doing it this way:
nexus.registry.com/public/ - a directory where everyone can push, pull and read all images.
nexus.registry.com/private/ - a directory which only 1-2 teams or users can access, and which must not be visible to other teams\users.

When I try to do this via content selectors I can't reach the needed result.
First selector: format=="docker" and path=~"./private/."
Second selector: format=="docker" and path=~"./public/."

Privileges for first selector: add,read
Privileges for second selector: add,read

Then I created roles and assigned them to users. At this moment I get a 403 error every time I try to pull\push images from Nexus, no matter which roles (private or public) I use.

I will be glad for any advice.


#2

I discussed this recently in this thread:

Regards,

Rich


#3

Thanks a lot, Rich!
It works for access restriction and for logging in to the repository itself.

But for some reason I still can't use docker search (the v1 API version checkbox is enabled in the repository settings); it still returns a 403 error.

I've used your content selector template. I tried playing around (changing v2 to v1 where the "search" word was) but still no effect. Is there some documentation about your implementation of the docker API? I think my CSEL expression is wrong, but I can't understand where.

I've tried: format == "docker" and path =~ "/v2/|/v2/blobs/.|/v2/search/." (as in your previous post. Login works fine, but when I try to use docker search from the console I get a 403. Or is this just for the Web UI filter\search?)

format == "docker" and path =~ "/v2/|/v2/blobs/.|/v1/search/." (still no success)

And I tried to separate it into 2 different content selectors. Still no luck here…
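To see which request paths a path-based selector must cover before a docker pull, push or search succeeds (the problem in posts #1 and #3), here is an added toy policy evaluator; it is example code, not part of the thread or of Nexus. The request paths are the public Docker Registry HTTP API ones (v2 ping, manifests, blobs, and the v1 search endpoint used by `docker search`); that Nexus presents exactly these paths to its content selectors is an assumption, and the roles and image names are constructed.

```python
import re
from dataclasses import dataclass

# Assumed request paths, taken from the public Docker Registry HTTP API:
# GET /v2/ (ping, used by login), /v2/<name>/manifests/<ref>, /v2/<name>/blobs/<digest>,
# POST /v2/<name>/blobs/uploads/, and GET /v1/search for `docker search`.
# Whether Nexus evaluates selectors against exactly these paths is an assumption.

@dataclass(frozen=True)
class Selector:
    path_regex: str      # the "path =~ ..." part of a CSEL expression
    actions: frozenset   # actions the privilege grants, e.g. {"read", "add"}

# Constructed sample policy: role -> list of selectors granted to it.
ROLES = {
    # Only the team selector, as in post #1: nothing covers the /v2/ ping.
    "private-narrow": [Selector(r"^/v2/private/.*", frozenset({"read", "add"}))],
    # Team selector plus a base selector that allows the ping.
    "private-team": [
        Selector(r"^/v2/$", frozenset({"read"})),
        Selector(r"^/v2/private/.*", frozenset({"read", "add"})),
    ],
    "everyone": [
        Selector(r"^/v2/$", frozenset({"read"})),
        Selector(r"^/v2/public/.*", frozenset({"read", "add"})),
    ],
}

def is_allowed(role: str, action: str, path: str) -> bool:
    """A request passes if some selector of the role matches the path and grants the action."""
    return any(re.search(s.path_regex, path) and action in s.actions
               for s in ROLES.get(role, []))

def pull_requests(name: str, ref: str, digest: str):
    """(action, path) pairs a `docker pull` issues: ping, manifest, then each blob."""
    return [("read", "/v2/"),
            ("read", f"/v2/{name}/manifests/{ref}"),
            ("read", f"/v2/{name}/blobs/{digest}")]

def push_requests(name: str, ref: str):
    """(action, path) pairs a `docker push` issues: ping, blob upload, manifest."""
    return [("read", "/v2/"),
            ("add", f"/v2/{name}/blobs/uploads/"),
            ("add", f"/v2/{name}/manifests/{ref}")]

def search_requests():
    """`docker search` calls the v1 search endpoint, which no /v2/ selector matches."""
    return [("read", "/v1/search")]

def denied(role: str, requests) -> list:
    """Paths that would return 403 for this role; an empty list means the workflow succeeds."""
    return [path for action, path in requests if not is_allowed(role, action, path)]
```

Running `denied()` over each workflow shows which single path breaks it, which is quicker than reading 403s out of the docker CLI.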