How to define a role that allows a CI system to publish content

bram.mertens · October 22, 2020, 9:01am

Hi,

I am looking for help and documentation on the different privileges in general that goes more in depth than the NXRM security model tutorial explains.

Specifically I want to set up a role that I can assign to a system account used by our CI system (jenkins) to publish build artifacts to Nexus using the nexus platform plugin.

I created a role with the privilege nx-component-upload and even added nx-repository-view-*-*-add but the user does not have the “upload” option in the web UI.

Are the nx-repository-view privileges the right ones to assign permissions to repositories? Or is a view something separate?

bram.mertens · October 26, 2020, 1:17pm

I found that the user needs nx-repository-view-*-*-browse privilege as well. But that is still not enough to allow a package to be uploaded.

When trying form the command line I get:

+ dotnet nuget push --api-key **** --source https://<URI>/repository/nuget-hosted/ <package>-<version>.nupkg
info : Pushing <package>-<version>.nupkg to 'https://<URI>/repository/nuget-hosted/'...
info :   PUT https://<URI>/repository/nuget-hosted/
info :   Forbidden https://<URI>/repository/nuget-hosted/ 148ms
error: Response status code does not indicate success: 403 (Forbidden).

When trying from the Web UI I get:
Not authorized for requested path '<package.name>/<version>'

Another surprise was that the user needs the nx-apikey-all privilege to generate/user an API key.

A detailed overview and/or more detailed documentation in the list of privileges would be most useful!

bram.mertens · October 26, 2020, 1:46pm

After testing some more I found that the only privilege required to upload to a repository is nx-repository-view-*-*-edit.

The nx-component-upload permission appears to be required for uploading via the Web UI, not for uploading via the API.

When using an APIKEY the privilege nx-apikey-all is required as well.

Hope this helps someone.

@Sonatype: please provide better documentation/descriptions of the privileges!

mpiggott · October 26, 2020, 8:48pm

It should be in the help docs already - Privileges

Note browse is a privilege related to accessing the UI so shouldn’t really be needed.

bram.mertens · October 27, 2020, 8:57am

Hi @mpiggott,

I read that page several times but that did not help me at all.

I actually tested some more and found that not only is the browse not needed the add privilege isn’t needed either to add content either…

I hope someone can elaborate the explanation on that page.

mpiggott · October 27, 2020, 1:43pm

Its already there:

Repository View

These are privileges controlling access to the content of a specific repository

and

edit

This action allows privileges to modify associated scripts, repository content, and repository administration.

bram.mertens · October 27, 2020, 3:30pm

@mpiggott, that might be enough for someone who already knows how it works.
But for a new user this is IMHO not sufficient.