
Nexus 3 and Content Selectors


I'm trying to use Sonatype Nexus 3 and content selectors for a Maven 2 repository. I created a Maven 2 repository called "custom-snapshots" and a content selector with the query

coordinate.groupId =^ "net"

(My original query was more precise, but I'm trying to narrow down the problem. I don't think the problem is the content selector though as when I click preview and run it against custom-snapshots, I do get matches.)

Then I created a privilege called "sea-lion-snapshot-priv" with content selector "sea-lion-selector", repository "custom-snapshots" and actions "read,edit,browse".

Next I created a role called "sea-lion-role" with "sea-lion-snapshot-priv". Finally, I created a user "sam" with roles "sea-lion-role" and "nx-anonymous". I did not change any of the permissions on nx-anonymous.

When testing:

  • If I browse the custom-snapshots repo without being logged in, I see all the artifacts.
  • If I browse the custom-snapshots repo logged in as Sam, I see all the artifacts.
  • If I browse the custom-snapshots repo logged in as another user, I see all the artifacts.

I was expecting to see the artifacts as Sam, but not anonymous/the other user.

Any ideas on what I could have set up wrong or techniques to troubleshoot it?


Solution

  • @rseddon's comment was the missing step. In the spirit of documentation, here are the exact settings I used when it was working:

    • Create a new role "limited-anon" with "nx-repository-view-maven2--*-read" and "nx-search-read"
    • Under users, go to "Anonymous". Remove the built in role and add "limited-anon"
    • Create a content selector with search expression coordinate.groupId =^ "my.package.name"
    • Create a privilege of type "Repository Content Selector" going against this content selector, the snapshot repository and actions "read,edit,browse"
    • Create a similar privilege for the releases repo
    • Create a new role with both of these privileges
    • Assign both that new role and "limited-anon" to Sam (the user who can see the artifacts)
    • Assign just "limited-anon" to the other test user

    This configuration works for:

    • anonymous user - cannot see this artifact
    • Sam - can see this artifact
    • other user - cannot see this artifact

    With this setup, it looks like items in the repository without content selectors cannot be seen unless you are an admin, which is fine for my use case.
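As an added illustration (not part of the question or the answer above), the following Python model reproduces why the first setup showed everything to everyone and the second one does not: Nexus evaluates a user's permissions as the union of every privilege in every assigned role, so a broad role such as nx-anonymous on every user makes the content-selector privilege irrelevant. The default contents of nx-anonymous, the privilege names and the sample artifact are assumptions or constructed values, and only the `=^` operator on `coordinate.groupId` from the page is implemented.

```python
import re

# Constructed, simplified model of Nexus 3 authorization (assumption: a user's
# effective permissions are the union of all privileges in all assigned roles).
# A privilege either applies to a whole repository ("*" = every repository of the
# given format) or, for a repository-content-selector privilege, only to components
# whose coordinates satisfy the CSEL expression. Actions are kept separate, as in
# Nexus: "browse" controls what the browse UI lists, "read" controls download.

def csel_matches(expression, component):
    # Only the "=^" (starts with) operator on coordinate.<field> is modelled.
    m = re.fullmatch(r'\s*coordinate\.(\w+)\s*=\^\s*"([^"]*)"\s*', expression)
    if not m:
        raise ValueError("unsupported CSEL expression: " + expression)
    field, prefix = m.groups()
    return str(component.get(field, "")).startswith(prefix)

def privilege_allows(priv, action, repo, component):
    if action not in priv["actions"]:
        return False
    if priv["repository"] not in ("*", repo):
        return False
    if priv.get("format", "*") not in ("*", component["format"]):
        return False
    if "selector" in priv:                      # content-selector privilege
        return csel_matches(priv["selector"], component)
    return True

def allowed(user, action, repo, component, users, roles, privileges):
    # Additive model: one matching privilege in any role is enough.
    return any(privilege_allows(privileges[p], action, repo, component)
               for role in users[user] for p in roles[role])

ARTIFACT = {"format": "maven2", "groupId": "net.example.sealion", "artifactId": "demo"}  # constructed
PRIVILEGES = {
    "nx-repository-view-*-*-browse": {"repository": "*", "actions": {"browse"}},
    "nx-repository-view-*-*-read": {"repository": "*", "actions": {"read"}},
    "nx-repository-view-maven2--*-read": {"repository": "*", "format": "maven2", "actions": {"read"}},
    "sea-lion-snapshot-priv": {"repository": "custom-snapshots", "format": "maven2",
                               "selector": 'coordinate.groupId =^ "net"',
                               "actions": {"read", "edit", "browse"}},
}
ROLES = {  # nx-anonymous contents are an assumption about the built-in role
    "nx-anonymous": ["nx-repository-view-*-*-browse", "nx-repository-view-*-*-read"],
    "limited-anon": ["nx-repository-view-maven2--*-read"],
    "sea-lion-role": ["sea-lion-snapshot-priv"],
}
BEFORE = {"anonymous": ["nx-anonymous"], "sam": ["sea-lion-role", "nx-anonymous"], "other": ["nx-anonymous"]}
AFTER = {"anonymous": ["limited-anon"], "sam": ["sea-lion-role", "limited-anon"], "other": ["limited-anon"]}

def who_can(action, users, component=ARTIFACT):
    return {u: allowed(u, action, "custom-snapshots", component, users, ROLES, PRIVILEGES) for u in users}
```

`who_can("browse", BEFORE)` is true for all three users while `who_can("browse", AFTER)` is true only for sam; in this model limited-anon still grants `read` on every maven2 repository, so verifying a fix means checking both the browse listing and a direct download of a known artifact path, not just the UI.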