Details
Type: Bug
Status: New
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.19.0
Fix Version/s: None
Component/s: Security
Labels: (none)
Environment: Chrome MacOSX
Notability: 3
Description
The anonymous user configuration has a dropdown for the Realm that lists all realms. But not all realms have users assigned to them (e.g. the Docker Bearer Token Realm). These "unusable" realms should not be shown or selectable, to avoid confusion and to prevent the anonymous user from being broken by an invalid selection.
Expected
- Do not allow selecting an invalid realm for the anonymous user in the anonymous user configuration. Enforce this at both the REST API and UI levels.
- Valid realms would be only the Local Authorizing Realm (default), LDAP Realm, and Crowd Realm. Unsure about the SAML realm.
- Invalid realms would include any realm associated with a token or without a standalone user directory (Docker Bearer Token Realm, NuGet API-Key Realm, Conan Bearer Token Realm, npm Bearer Token Realm, User Token Realm, Default Role Realm).
- TODO: consider how to warn an admin on upgrade that they have an invalid realm selected, and that they must select a valid realm to correct this.
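The allowlist check described above, written out as an added example. This is not Nexus Repository code: the realm names are the display names quoted in this ticket (real Nexus realm identifiers differ, and the caller is assumed to map identifiers to these names first), the anonymous settings payload shape `{"enabled", "userId", "realmName"}` is an assumption, and the SAML realm is deliberately left out of the allowlist until that question is settled. The same predicate drives the UI dropdown filter, the REST-level rejection, and the upgrade-time warning, so the three cannot drift apart.

```python
"""Illustrative allowlist for the realm backing the anonymous user.

Added example, not Nexus Repository code. Realm names are the display
names from the ticket; mapping real realm identifiers to them is assumed
to happen before these checks run.
"""
from typing import Optional

# Realms with a standalone user directory: the only ones that can back
# the anonymous user. SAML is intentionally absent (undecided in ticket).
ANONYMOUS_CAPABLE_REALMS = frozenset({
    "Local Authorizing Realm",   # default
    "LDAP Realm",
    "Crowd Realm",
})

# Token-based realms and realms without a standalone user directory.
# Kept only to give a precise error message; anything not in the
# allowlist is rejected regardless (deny by default).
TOKEN_OR_DIRECTORYLESS_REALMS = frozenset({
    "Docker Bearer Token Realm",
    "NuGet API-Key Realm",
    "Conan Bearer Token Realm",
    "npm Bearer Token Realm",
    "User Token Realm",
    "Default Role Realm",
})

DEFAULT_ANONYMOUS_REALM = "Local Authorizing Realm"


class InvalidAnonymousRealm(ValueError):
    """Raised when the chosen realm cannot authenticate the anonymous user."""


def is_anonymous_capable(realm_name: str) -> bool:
    """Single predicate shared by the UI filter, REST check and upgrade audit."""
    return realm_name in ANONYMOUS_CAPABLE_REALMS


def selectable_realms(available: list) -> list:
    """UI level: what the dropdown should offer, preserving server order."""
    return [r for r in available if is_anonymous_capable(r)]


def validate_anonymous_settings(settings: dict) -> dict:
    """REST level: check an anonymous-settings payload before persisting it.

    Assumed payload shape (constructed for this example):
        {"enabled": bool, "userId": str, "realmName": str}
    A missing realmName falls back to the default rather than to "any".
    """
    realm = settings.get("realmName", DEFAULT_ANONYMOUS_REALM)
    if not is_anonymous_capable(realm):
        kind = ("token or directory-less" if realm in TOKEN_OR_DIRECTORYLESS_REALMS
                else "unknown")
        raise InvalidAnonymousRealm(
            f"realm {realm!r} ({kind}) cannot back the anonymous user; "
            f"choose one of {sorted(ANONYMOUS_CAPABLE_REALMS)}"
        )
    return {**settings, "realmName": realm}


def upgrade_warning(stored_settings: dict) -> Optional[str]:
    """Upgrade/startup audit: warn about an already-stored invalid realm.

    The stored value is reported, not silently rewritten, so an admin sees
    why anonymous access is failing and what to select instead.
    """
    realm = stored_settings.get("realmName", DEFAULT_ANONYMOUS_REALM)
    if is_anonymous_capable(realm):
        return None
    return (f"anonymous user is configured with realm {realm!r}, which cannot "
            f"authenticate it; select a valid realm "
            f"(default: {DEFAULT_ANONYMOUS_REALM!r}) to restore anonymous access")


if __name__ == "__main__":
    # Constructed sample: the dropdown input and two REST payloads.
    print(selectable_realms(["Docker Bearer Token Realm", "LDAP Realm",
                             "Local Authorizing Realm"]))
    print(validate_anonymous_settings(
        {"enabled": True, "userId": "anonymous", "realmName": "LDAP Realm"}))
    try:
        validate_anonymous_settings(
            {"enabled": True, "userId": "anonymous",
             "realmName": "Docker Bearer Token Realm"})
    except InvalidAnonymousRealm as exc:
        print("rejected:", exc)
    print(upgrade_warning({"realmName": "npm Bearer Token Realm"}))
```

Because the check is deny-by-default, a realm name the server has never seen (a plugin realm, a typo in a hand-crafted REST call) is rejected the same way as a known token realm; only the wording of the error differs.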
Attachments
Issue Links
- relates to: NEXUS-24787 an anonymous docker pull while anonymous user is configured to use docker bearer token realm will permanently break all future anonymous docker logins (Closed)