Nexus 3 pypi isn't accessible (for pip) without authentication

I am using the latest Nexus 3 OSS installation 3.22.0-02. I am experimenting with its support for pypi repositories and created a “hosted” pypi repo as per the available documentation. I was able to successfully upload a python package using twine (which as expected required a login to the nexus repo).
However, when using pip to install this package using the command:

pip install --extra-index-url http://nexus-hostip:port/repository/testpypi/simple mytestapp

Running this command prompts the user for a user name and password:
User for nexusip:8081:

Looking at the verbose log shows a 401 http status code when the http://nexus-hostip:port/repository/testpypi/ is accessed (even from the browser). So it looks like accessing a pypi repo mandates a login. Is there a way the repo can be configured to allow non-authenticated access. I have some Maven2 repos which don’t enforce such restrictions and are accessible without authentication. Is there some setting/documentation that I missed for pypi repos?

You can control whether anonymous users can access your NXRM instance under Admin / Security / Anonymous Access settings (http://nxrm/#admin/security/anonymous)

Hello Dawid,
Thank you for replying. I did check that setting and it already has “Allow anonymous users to access the server” checkbox enabled. I’ve attached a screenshot showing the setting

Even with that setting enabled, I still get a basic auth pop-up whenever I visit http://ip:port/repository/testpypi URL (either from the browser or any command line client like pip). Note that this happens only for PyPi based repositories. I have a Maven2 repo on the same server and trying to access that URL http://ip:port/repository/testmaven doesn’t prompt for any user auth and instead lets me browse the repository.
So this appears very specific to pypi repos? Maybe I missed some setting somewhere(there aren’t many from what I see in the pypi repo settings)?

When I posted the question, I left out a detail that this current setup was migrated from 2.x version of Nexus. The Maven repositories and the existing users were all migrated from that instance. The pypi repo however was created afresh after the migration.

After Dawid mentioned the “anonymous” user setting, I decided to go look into more details about this user including the roles this user has been granted. It currently had:

nx2-anonymous
nx2-any-all-view
nx2-repo-all-read

roles assgined to it. I checked some other available roles and noticed there’s a “nx-anonymous” role. So I added this role to the “anonymous” user and then tried access the pypi repo URL from the browser and from pip. This time it no longer asks for the user authentication and allows me to access the repository without logging in (which is what I was after).

So it looks to me that there’s some inconsistency on how this migrated “nx2-*” roles are handled for migrated and new repositories? Is this some bug that needs to be tracked or is it one of those things that I missed during migration?

It sounds like you may have a non-standard config of anonymous on your NXRM2 instance.
I just tried a migration and didn’t see nx2-any-all-view or nx2-repo-all-read…in fact those didn’t migrate at all so I have no idea what those are.
My guess is migration took whatever you had in NXRM2 and made that into NXRM3 which is as intended.
I’m not sure what the bug would be without more detail.
2 cents,
Joe
PS: One thing you could check if you were interested in persuing is remove what you added for NXRM3 anonymous and try a format that existed and you used in NXRM2. I suspect it also wouldn’t work anonymously. If it does, I think the missing detail would be what nx2-any-all-view and nx2-repo-all-read do.