  1. Dev - Nexus Repo
  2. NEXUS-16077

pip search on group requires read privilege on member repositories


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 3.7.1
    • Fix Version/s: 3.10.0
    • Component/s: PyPI, Security
    • Labels:
    • Story Points:
      2

      Description

      On my production installation, I only grant anonymous access to a set of specific repositories/groups. This is the situation for pypi:

      • a 'pypi' proxy repository pointing to https://pypi.python.org/ which is not browsable/readable for anonymous
      • a group repository 'pypi-public' containing the above proxy repository. This one is the default the anonymous user must use with browse/read permissions granted

      Using the 'pypi-public' group to install packages from pip command line is behaving as expected (packages get downloaded and installed).

      Using the pip command line to search packages against the group fires a login prompt. To enable anonymous search you have to specifically grant the read access on the 'pypi' member repository. This is annoying as the admin must remember to grant read access to a new member repository. The read permission on the group should be enough to complete the search.
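
An added example (not part of the report and not Nexus code): an audit helper for the affected versions that lists, for each group a role can read, the members it cannot read, which is the condition the report says triggers the login prompt on search. It assumes the Nexus 3 repository-view privilege naming `nx-repository-view-<format>-<repository>-<action>` with `*` wildcards; the privilege list and group membership below are constructed sample data.

```python
# Added example: find group members on which a role lacks read privilege.
# Assumption: privilege ids follow nx-repository-view-<format>-<repo>-<action>.
PREFIX = "nx-repository-view-"


def parse_privilege(priv):
    """Split a repository-view privilege id into (format, repo, action).

    Repository names may contain hyphens, so the format is taken from the
    left and the action from the right. Returns None for anything else.
    """
    if not priv.startswith(PREFIX):
        return None
    fmt, _, tail = priv[len(PREFIX):].partition("-")
    repo, _, action = tail.rpartition("-")
    if not (fmt and repo and action):
        return None
    return fmt, repo, action


def grants(privs, fmt, repo, action):
    """True if any privilege covers (fmt, repo, action); '*' is a wildcard."""
    for parsed in map(parse_privilege, privs):
        if parsed is None:
            continue
        pf, pr, pa = parsed
        if pf in ("*", fmt) and pr in ("*", repo) and pa in ("*", action):
            return True
    return False


def members_blocking_search(privs, fmt, groups):
    """Map each readable group to the members the role cannot read."""
    findings = {}
    for group, members in groups.items():
        if not grants(privs, fmt, group, "read"):
            continue  # role cannot use this group at all
        missing = [m for m in members if not grants(privs, fmt, m, "read")]
        if missing:
            findings[group] = missing
    return findings


# Constructed sample mirroring the setup described in the report.
ANON_PRIVS = ["nx-repository-view-pypi-pypi-public-browse",
              "nx-repository-view-pypi-pypi-public-read"]
GROUPS = {"pypi-public": ["pypi"]}

if __name__ == "__main__":
    print(members_blocking_search(ANON_PRIVS, "pypi", GROUPS))
```
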

              People

              Assignee:
              jstephens Joseph Stephens
              Reporter:
              zeitounator Olivier Clavel
              Last Updated By:
              Peter Lynch
              Team:
              Nexus - Formats
              Votes:
              0
              Watchers:
              4
