Tags: docker, docker-registry, sonatype, nexus3

How to limit content selector by docker tag in Sonatype Nexus3?


How to only grant access to specific tags and specified namespaces in Sonatype Nexus3?


Solution

  • As an example, we will use an image with the name: docker.domain.com/namespace/image:1.1.1

    We only want to allow the user to pull images that have a tag that matches our Semver regex. (you can simply adjust the regex to your own needs)

    Content Selector

    format == 'docker'
    && (
        path == '/v2/'
        || (
            path =~ '.*/namespace/.*'
            && (
                path =~ '.*[0-9]+\.[0-9]+\.[0-9]+'
                || path =~ '.*/blobs/.*'
            )
        )
    )

    Explanation

    • && AND operator
    • || OR operator
    • == EQUAL operator
    • =~ REGEX operator
    • format == 'docker' sets the format type that should be selected
    • path == '/v2/' grants login and manifest privileges, as explained in the Docker v2 API specification
    • path =~ '.*/blobs/.*' grants pull access to the image layers
    • path =~ '.*[0-9]+\.[0-9]+\.[0-9]+' Semver regex

    The most important part is the combination of the namespace regex with the Semver regex, and of the namespace regex with the blobs path.

    Edit: Please see rseddons answer here for a deeper explanation.
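As an added example (not from the answer above or from Sonatype), a Python model of that content selector run over constructed Docker v2 API request paths. It assumes Nexus evaluates `=~` as a whole-string match, as JEXL's `String.matches` does, and also shows the search-anywhere reading for comparison, since pre-release tags such as `1.1.1-rc1` come out differently under the two.

```python
import re

# Regexes copied verbatim from the content selector in the answer.
NAMESPACE_RE = re.compile(r".*/namespace/.*")
SEMVER_RE = re.compile(r".*[0-9]+\.[0-9]+\.[0-9]+")
BLOBS_RE = re.compile(r".*/blobs/.*")


def selector_allows(fmt: str, path: str, full_match: bool = True) -> bool:
    """Model of the CSEL expression from the answer.

    full_match=True mirrors JEXL's '=~' (String.matches, whole string).
    full_match=False mirrors a 'regex found anywhere' reading.
    Which one Nexus applies is an assumption here, not a documented fact.
    """
    def m(rx: re.Pattern) -> bool:
        return bool(rx.fullmatch(path) if full_match else rx.search(path))

    return fmt == "docker" and (
        path == "/v2/"
        or (m(NAMESPACE_RE) and (m(SEMVER_RE) or m(BLOBS_RE)))
    )


# Constructed sample requests a Docker client issues against the v2 API.
SAMPLE_PATHS = [
    "/v2/",                                              # login / version check
    "/v2/namespace/image/manifests/1.1.1",               # semver tag: allowed
    "/v2/namespace/image/manifests/latest",              # non-semver tag: denied
    "/v2/namespace/image/manifests/1.1.1-rc1",           # pre-release: depends on match mode
    "/v2/namespace/image/blobs/sha256:0123456789abcdef", # layer pull: allowed
    "/v2/other/image/manifests/1.1.1",                   # other namespace: denied
    "/v2/other/namespace/manifests/1.1.1",               # repo named other/namespace: allowed,
                                                         # the namespace regex is not anchored
    "/v2/namespace/image/tags/list",                     # tag listing: denied
]


def evaluate(paths=SAMPLE_PATHS, full_match: bool = True) -> dict:
    """Return {path: allowed} for every sample path under the chosen match mode."""
    return {p: selector_allows("docker", p, full_match) for p in paths}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"--- full_match={mode}")
        for path, ok in evaluate(full_match=mode).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {path}")
```

The unanchored `.*/namespace/.*` also admits a repository such as `other/namespace`; anchoring it (for example `/v2/namespace/.*`) closes that gap if the whole-string semantics hold.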