Role to only get artefacts from local repository

Good day everyone,

In the company I work for, we are installing our first local repository, but the security guys need to be absolutely sure that the objects stored in the repository are 100% clean from malware. They will scan the local repository of the Nexus Server periodically and they will only give the go to the project if it can implement 2 roles. The first one is just a normal one, where if a pull of an object in the repository is not present locally, it will retrieve it from the external repositories. The second one must only retrieve objects from the local repository of the Nexus Server; the Nexus server must not download from the external repositories.

I don’t know if it’s possible to achieve this by configuring some kind of roles inside Nexus.

Best regards and I hope I can find an answer here.

Hi,
The ability to pull from an external proxy or not is not configurable on the user level, it’s configurable on the proxy level.
So if you mean “role” as in user permission, I suspect this is not something that will work for you.
However I am curious then what the model you envisioned with the dual roles was. Were only the security guys to get the normal role? Did you think you were going to switch the roles back and forth once everything was clear?
If I understood better, there may be an ability to achieve what you want.

Note that in regards to pre-scanning for security issues, that’s pretty much what our Lifecycle product does. That’s why it’s anywhere from not easy to impossible (depending on use case/need) to do the same thing via standard NXRM.

My initial 2 cents based on info you gave,
-Joe

Hi Joe and thank you for your response.

To clarify a little bit what the security area wants to achieve: they want the company divided into two groups. The first one configures their IDE to NXRM, launches a build event in the IDE (either with maven or npm), and in the case the object is not stored in the NXRM repository, it will connect to the external repository (maven-central, maven.apache, and others).

The second group will do the same IDE configuration, but when the object is not stored in the NXRM repository, it must simply fail.

What I understand from your answer is that the roles in NXRM don’t manage this case in particular, but I wonder if there is a way to achieve this. For example, I wonder if it is possible to have two different installations of NXRM, one with proxy permission and the other one blocked, but somehow the first one replicates the repository to the second one, maybe by copying the repository folder at OS level, every time the security area approves the content of the first repository.

Is this approach valid? Is it even possible? Is there another way to do this?

Best regards,
Fernando

Hi again,
I thought about this a little bit, and while your use case makes sense, I don’t think it’s implementable (easily? see below) via repositories. The problem is that “blocked” (remote) blocks outbound connections from the blocked repository. What I think you want is for outbound connections to be blocked from the remote repository, which isn’t a setting. You can probably easily see why, since, for example, we couldn’t block Central from giving things out; we can just block a proxy from getting things from Central.

As far as I can think, proxies would be the same setup on two servers vs. one, so I don’t think this helps you.

Multiple servers did make me reflect that import/export (https://issues.sonatype.org/browse/NEXUS-11468) might help you, but it’s not implemented yet. With that feature, theoretically you could export from one server to another. However, this might not be enough considering the lag time in between.

A similar idea (no need to wait, but lag time) would be copying the work directory and blobstore from server to server (to have it not be corrupt you’d need the secure server to be shut down, which means outage time for both), essentially restoring from backup. This actually may be feasible assuming you already have outages for backups though; now that I type it up, it’s something to consider.
Ref: https://help.sonatype.com/display/NXRM3/Backup+and+Restore

A possibly less severe (or lengthy?) outage would be to manually make the local (not remote) proxy offline while the security people ran their checks, but it involves manual configuration. I am unsure in this scenario what happens if the security people find failures either. I guess your description, as far as I can tell, doesn’t account for that (not going to guess).

If you’re willing to go manual, you could transfer the cleared components to a hosted repository and just not give any access to the outside to the insecure group. Currently, however, there is no means in NXRM to transfer items from place to place. As you analyzed, that is basically what proxies are for, so you’d be doing it this way as a workaround to a feature. So you’d need to download the cleared components and upload them manually.

I also considered asking what NXRM version you are on. If NXRM2, https://help.sonatype.com/display/NXRM2/Procurement+Suite sounds similar to what you might want. However, note that’s a professional (paid) feature. Nothing has been implemented for NXRM3 yet, but I assume if/when done that’ll also be paid.

It might sound like I’m trying to sell you something, but I think the complexity of the scenario is just beyond the OSS solution. If you do go paid to see if some of these things will work for you, our Customer Success team may also have more ideas. I suspect they’ll recommend the Lifecycle product that I mentioned previously though.

Sorry, not terribly helpful; maybe someone else will have ideas.
-Joe

I would agree with @jtom. What you want to do sounds very much like what our paid solutions are for. If you don’t want to go to the paid features, you can probably achieve this by having a single Nexus Repository Manager with both proxy and hosted repositories. For users you want to be able to pull in any dependency, they would use the proxy repository. For users you don’t want to pull new dependencies in, you’d have to configure a hosted repository for them to use. Once a component is “approved” for general use, you’d have to upload it to the hosted repository either via the UI, the build tooling, or (in Nexus Repository Manager 3) the REST APIs.
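The proxy-plus-hosted workaround above can be scripted. The following is an added example for this thread (not code from Sonatype or from any poster): it takes the component listing of the proxy repository, keeps only the components whose jar SHA-1 is on the security team's approval list, re-hashes the downloaded bytes before promoting them, posts them to the hosted repository, and prints the Maven settings.xml that pins the restricted group to that hosted repository so an unapproved dependency fails the build. Assumptions, labelled in the code: the NXRM 3 components REST API (GET and POST on `/service/rest/v1/components?repository=...`) with the response shape shown in `SAMPLE_LISTING` and the `maven2.*` upload fields; a hypothetical hand-over format `APPROVED_SHA1` keyed by the hash of the scanned jar; the server URL `nexus.example.com`; and a constructed stand-in jar, since nothing here is a real artifact.

```python
"""Promote security-cleared Maven components from an NXRM 3 proxy repository into
a hosted repository, and emit the settings.xml that pins the restricted group to it.

Added example for this thread, not Sonatype's code. Assumptions: the NXRM 3
components REST API (GET/POST /service/rest/v1/components?repository=...) with
the response shape in SAMPLE_LISTING and the 'maven2.*' upload fields used below
(check both against your server version); APPROVED_SHA1 is a hypothetical format.
"""
import hashlib
import io
import urllib.request
import uuid

NEXUS = "https://nexus.example.com"  # assumed server URL
# Constructed sample data: a fake jar and the listing the proxy would return for it.
SAMPLE_JAR = b"PK\x03\x04 constructed stand-in for commons-text-1.9.jar"
SAMPLE_JAR_SHA1 = hashlib.sha1(SAMPLE_JAR).hexdigest()

def _asset(path, sha1):  # one asset entry in the components API shape (assumed)
    return {"path": path, "downloadUrl": f"{NEXUS}/repository/maven-proxy/{path}",
            "checksum": {"sha1": sha1}}

SAMPLE_LISTING = {"items": [
    {"group": "org.apache.commons", "name": "commons-text", "version": "1.9", "assets": [
        _asset("org/apache/commons/commons-text/1.9/commons-text-1.9.pom", "0" * 40),
        _asset("org/apache/commons/commons-text/1.9/commons-text-1.9.jar", SAMPLE_JAR_SHA1)]},
    {"group": "com.example", "name": "unscanned-lib", "version": "2.0", "assets": [  # never scanned
        _asset("com/example/unscanned-lib/2.0/unscanned-lib-2.0.jar", "f" * 40)]},
], "continuationToken": None}

# Security team's hand-over (hypothetical format): SHA-1 of the scanned jar -> coordinates.
APPROVED_SHA1 = {SAMPLE_JAR_SHA1: "org.apache.commons:commons-text:1.9"}

def jar_asset(component):
    """The component's main .jar asset (None for pom-only components)."""
    return next((a for a in component["assets"] if a["path"].endswith(".jar")), None)

def select_approved(listing, approved_sha1):
    """Components whose jar SHA-1, as recorded by Nexus, is on the approval list.
    Keying on the hash rather than on coordinates means a re-published artifact
    with the same version but different bytes is not promoted by accident."""
    out = []
    for comp in listing["items"]:
        jar = jar_asset(comp)
        if jar and jar["checksum"]["sha1"].lower() in approved_sha1:
            out.append((comp, jar))
    return out

def encode_multipart(fields, file_field, filename, data):
    """multipart/form-data body for the components upload endpoint."""
    boundary = "----promote" + uuid.uuid4().hex
    buf = io.BytesIO()
    for name, value in fields.items():
        buf.write(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    buf.write(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
              f'filename="{filename}"\r\nContent-Type: application/java-archive\r\n\r\n'.encode())
    buf.write(data + f"\r\n--{boundary}--\r\n".encode())
    return buf.getvalue(), f"multipart/form-data; boundary={boundary}"

def promote(base_url, hosted_repo, listing, approved_sha1, download, upload):
    """Copy each approved jar from the proxy listing into the hosted repository.
    download(url) -> bytes and upload(url, body, content_type) are injected so the
    logic runs without a server; http_clients() builds real ones over urllib."""
    promoted = []
    for comp, jar in select_approved(listing, approved_sha1):
        data = download(jar["downloadUrl"])
        # The listing checksum is metadata; re-hash the bytes that will actually be promoted.
        if hashlib.sha1(data).hexdigest() != jar["checksum"]["sha1"].lower():
            raise ValueError(f"SHA-1 mismatch for {jar['path']}; not promoting")
        fields = {  # 'maven2.*' upload field names as documented for NXRM 3 (assumed)
            "maven2.groupId": comp["group"], "maven2.artifactId": comp["name"],
            "maven2.version": comp["version"], "maven2.generate-pom": "true",
            "maven2.asset1.extension": "jar"}
        body, ctype = encode_multipart(fields, "maven2.asset1", jar["path"].rsplit("/", 1)[-1], data)
        upload(f"{base_url}/service/rest/v1/components?repository={hosted_repo}", body, ctype)
        promoted.append(f"{comp['group']}:{comp['name']}:{comp['version']}")
    return promoted

def http_clients(auth_header):
    """Real download/upload callables over urllib (network; not exercised in the sample run)."""
    def download(url):
        with urllib.request.urlopen(urllib.request.Request(url, headers={"Authorization": auth_header})) as r:
            return r.read()
    def upload(url, body, ctype):
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Authorization": auth_header, "Content-Type": ctype})
        with urllib.request.urlopen(req) as r:
            return r.status
    return download, upload

def restricted_settings_xml(base_url, hosted_repo):
    """Maven settings.xml for the restricted group: mirrorOf * sends every repository
    lookup to the hosted repo, so a missing dependency fails the build instead of
    being fetched through the proxy. This file is client-side, so pair it with a
    Nexus role that has no read/browse privilege on the proxy repositories."""
    return (f"<settings>\n  <mirrors>\n    <mirror>\n      <id>nexus-cleared</id>\n"
            f"      <mirrorOf>*</mirrorOf>\n      <url>{base_url}/repository/{hosted_repo}/</url>\n"
            f"    </mirror>\n  </mirrors>\n</settings>\n")

if __name__ == "__main__":  # offline run against the constructed sample
    print(promote(NEXUS, "maven-hosted", SAMPLE_LISTING, APPROVED_SHA1,
                  download=lambda url: SAMPLE_JAR, upload=lambda url, body, ctype: None))
    print(restricted_settings_xml(NEXUS, "maven-hosted"))
```

Run as-is it uses the constructed sample and no network; for a real promotion pass the callables from `http_clients("Basic ...")` and a listing fetched from the proxy (page through `continuationToken`). The settings.xml only keeps honest clients honest: the enforcement point is the Nexus role of the restricted group, which should grant read on the hosted repository and nothing on the proxy repositories.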

Good day Joe,

Indeed, the Procurement Suite is what suits the scenario I’m facing best. I’ll check back with the security areas to present this option.

Regarding copying the work directory / blobstore, I understand that outage time is the logical consequence of this operation, but I’ll present this alternative as well.

Thank you very much, your help was really helpful.

Best regards,

Fernando.