Saving accesses to private namespaces in hosted repositories when using group docker repository

Hello good people.
We have the next situation:

  • We have a hosted private docker repository. With content selectors to access specific namespaces for a specific team.
  • Also we have one namespace that available for all users of our private registry.
    Everything works great here.

But for now, we want to create a proxy repo for the docker hub and combine them in docker-group.
And at this moment things got interesting.
When I enable anonymous pull for docker-group all our privacy for hosted repo means nothing. I am able to download any image from any hosted-repo namespace.

Is there a way to achieve next:

  • Create a docker group with a mix from the hosted repo with content selectors and a proxy from the docker hub.
  • When trying to pull something from the docker hub - allow it to everyone.
  • When trying to pull something from hosted repo - use scheme with content-selectors and deny any access for it without being logged in and have sufficient content-selectors, privileges, and role in nexus for a specific user?