Does anyone know what the minimal privileges are for automating backups with Nexus?
From what I can tell, you would need ‘nx-tasks-run’ to run the database back up, and then another privilege to freeze nexus using the read-only API, but I’m not sure what that second permission would be.
Also, the nx-tasks-run allows users to run any task, does anyone know if there is a way to limit the permissions to specific tasks?
If I recall correctly, there is no permission for the nodes (freeze) screen, so I think it’s admin only.
Also, as far as I know there’s no permission to allow a specific task (as opposed to all). I’m actually surprised this has never come up before, that seems like a good feature.
Hopefully my colleagues will correct me if I’m wrong.
Sorry for the not great news otherwise.
Having a separate freeze permission to ensure binary/blob consistency is as import as the per-task permissions to ensuring security around the backups. Right now my backup script has to include admin auth, which is far too much access.
Ideally, I’d like to be able to do the following without full admin access:
- Make the service read-only, stopping all writes in a consistent state.
- Run DB backup. (Currently won’t run if DB is read-only, because it wants to set read-only.)
- Backup blobs.
- Return service to read/write mode.
I realize this is more work for you but I recommend creating an Improvement request on issues.sonatype.com (‘dev - nexus repo’ project) with this request.
Someone there can tell you if this already exists or it’ll get it in our work queue.
That’s assuming someone doesn’t reply here and relay how to do it.