[NEXUS-20926] anonymous user realm may be set to an invalid realm which will break the anonymous user - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: New
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.19.0
Fix Version/s: None
Component/s: Security
Labels:
- UX
- supportant
Environment:
Chrome MacOSX

Notability:
3

Description

The anonymous user has a dropdown for the Realm which shows all realms. But not all realms have users assigned to them (e.g. docker bearer token realm). The "unusable" realms should not be shown and selectable to avoid confusion and prevent breakage of the anonymous user.

Expected

Do not allow selecting invalid realms for the anonymous user in the anonymous user configuration. Enforce at REST API and UI levels.
Valid realms would only be the Local Authorizing Realm (default), LDAP Realm, Crowd Realm. Unsure about SAML realm.
Invalid realms would include any realm associated with a token or without a standalone user directory ( Docker Bearer Token Realm, Nuget API-key Realm, Conan Bearer Token Realm, npm Bearer Token Realm, User Token Realm, Default Role Realm )
TODO - consider how to warn an admin that they have an invalid realm selected on upgrade, and that they must select a valid realm to correct this

Attachments

Issue Links

relates

NEXUS-24787 an anonymous docker pull while anonymous user is configured to use docker bearer token realm will permanently break all future anonymous docker logins

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Joe Tom

Last Updated By:: Joe Tom

Votes:: 4 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 08/20/19 03:01 PM

Updated:: 03/29/21 10:43 PM

Date of First Response:: 22/Oct/19 6:49 PM