Nexus Repository Manager - Private Repositories and Anonymous User Permissions

I received this customer question today.

When adding a private repository, how can I require authentication for that repository?

There are two parts to the answer:

  1. Requiring Authentication
  2. Once authenticated, requiring the correct authorization privileges for the logged in user

NOTE: The discussion, screenshots, and links here are focused on 2.x, but the same concepts apply to 3.x.

1. Prevent ALL Anonymous Access

If you want to disable anonymous access completely and require a valid username and password for all repositories, you can disable anonymous access in the system settings:

2. Requiring Authentication - Prevent SOME Anonymous Access - i.e. The Anonymous User

Many times, you still want to allow anonymous access, but only for a subset of repositories.

The key is that Nexus Repository Manager creates a first-class “user” object for anonymous access. This “Anonymous user” is just like any person or system account in Nexus; the only difference is that it is used by default when a request carries no other authentication.

See the NXRM 2 documentation for a complete guide to Managing Permissions, Managing Roles, and Managing Users.

As a result, just like any other user, you can adjust the permissions granted to the Anonymous user. By default, Sonatype ships Nexus Repository Manager with the Anonymous user granted “read-only” privileges to all Group, Hosted, and Proxy repositories.

To configure Nexus Repository Manager so that a given repository requires authentication, that repository must not be accessible to the Anonymous user. To do this, remove the default “Repo: All Repositories (Read)” privilege from the Anonymous user and create your own custom role that grants the Anonymous user only the permissions it should have. See the next section for an example.

WARNING: If you want an “all but…” configuration, you either need to leverage group repositories as a shortcut, or you need to create privileges for each and every repository and then ensure that the Anonymous user has access to all of the repositories except for the one you want to keep private.

3. Example: Granting Access to a Repository for a User

The steps described in this section work the same for allowing anonymous access to a repository or restricting access to a repository to a given set of users.

At a high level, you need to create read privileges and assign those to the appropriate users.

The Nexus Repository Manager permission model is roughly:

  • repository target (content) + repository
  • privileges
  • roles
  • users

First, you will need to create privileges for the repository. In this simple example, we will allow access to the entire repository rather than limiting access to a portion of the repository.

For each repository, Nexus 2 will already have a “view” privilege; that simply allows you to see that the repository exists. In order to see the contents of the repository, you will need a “read” privilege.

Create new privileges for the given repository. This automatically creates all four privileges (create, delete, read, update) for files inside the repository.

Privileges can be added to existing roles or added to new roles. In this example, we will create a new role for assigning read access to Maven Central:

Now that we have our new role, we can assign that to a user. In this case, we will remove the “Read All” role and add the “Read Central” role for our Anonymous User:

4. Results and Next Steps

Now that we have adjusted the permissions granted to the Anonymous user, we have restricted access to all repositories except for Maven Central. If you are starting from the default configuration and following along, at this point you have also removed access for all authenticated users except for Nexus Admins. You will need to repeat #3 to grant the desired users access to the desired repositories.

TIP: You may leverage group repositories as a shortcut for assigning permissions to each repository one by one. Also, if you’re on Nexus 3, you can leverage the Default Role as a way to restrict anonymous access, but allow any logged in user access.
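To make the consequences of sections 3 and 4 concrete, here is a small Python model of the permission chain (repository, privileges, roles, users) with default deny and the Anonymous-user fallback. It is an added illustration, not Nexus code; the repository, role and user names are constructed to mirror the text, and it evaluates both the default (“Before”) state and the restricted (“After”) state, including the side effect on other authenticated users.

```python
# Constructed model of the chain repository -> privileges -> roles -> users.
# Added illustration, not Nexus code; all names here are made up.
ACTIONS = ("create", "read", "update", "delete")
ALL_REPOS = "*"  # stands in for "Repo: All Repositories"

class PermissionModel:
    def __init__(self):
        self.privileges = {}  # privilege id -> (repository, action)
        self.roles = {}       # role id -> {"privileges": set(), "roles": set()}
        self.users = {}       # user id -> set of role ids

    def add_repo_privileges(self, repo):
        """Section 3: creating privileges for a repository yields all four CRUD privileges."""
        for action in ACTIONS:
            self.privileges[f"{repo}-{action}"] = (repo, action)

    def add_role(self, role, privileges=(), roles=()):
        self.roles[role] = {"privileges": set(privileges), "roles": set(roles)}

    def effective_privileges(self, role, seen=None):
        """Flatten nested roles into the privilege ids they grant (cycle-safe)."""
        seen = set() if seen is None else seen
        if role in seen or role not in self.roles:
            return set()
        seen.add(role)
        granted = set(self.roles[role]["privileges"])
        for child in self.roles[role]["roles"]:
            granted |= self.effective_privileges(child, seen)
        return granted

    def can(self, user, action, repo):
        """Default deny; an unauthenticated request (user=None) is the Anonymous user."""
        roles = self.users.get("anonymous" if user is None else user, set())
        for priv in set().union(*(self.effective_privileges(r) for r in roles)):
            p_repo, p_action = self.privileges.get(priv, (None, None))
            if p_action == action and p_repo in (repo, ALL_REPOS):
                return True
        return False

def build_example(restrict_anonymous):
    """Default install (anonymous reads every repository) or the section 3 change."""
    m = PermissionModel()
    m.add_repo_privileges(ALL_REPOS)  # "*-read" plays "Repo: All Repositories (Read)"
    m.add_role("nx-admin", privileges=[f"{ALL_REPOS}-{a}" for a in ACTIONS])
    m.add_role("read-all", privileges=[f"{ALL_REPOS}-read"])
    m.add_repo_privileges("central")
    m.add_role("read-central", privileges=["central-read"])
    m.users = {"admin": {"nx-admin"}, "dev": set(),  # "dev" has no roles yet (section 4)
               "anonymous": {"read-central" if restrict_anonymous else "read-all"}}
    return m
```

Running `build_example(True).can("dev", "read", "central")` returns False, which is the section 4 point: once “Read All” is gone, every non-admin user needs an explicit role.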

Before:

After:
