- Configure a docker repo to allow anonymous docker pulls
- Change the Anonymous user realm to Docker Bearer Token Realm (something allowed because of bug NEXUS-20926).
- Perform an anonymous docker pull against the docker repo. This fails.
- Change the Anonymous user realm back to a valid realm, like its default realm of Local Authorizing Realm.
- Perform an anonymous docker pull again. This still fails with an Unauthorized response, even though the anonymous user is now configured to use a valid realm.
Now you are in a state where it appears the only way to correct the problem with anonymous docker pulls is to run a low-level database command that deletes the anonymous user token incorrectly associated with the Docker Bearer Token Realm.
At a low level, prevent a realm from being associated with the special anonymous user when doing so will break core features that rely on the anonymous user being associated only with proper realms. Fixing NEXUS-20926 only addresses UI selection of realms.
These instructions may be difficult to perform when NXRM is running in Kubernetes. In the following instructions, $data-dir refers to your Data Directory and $install-dir refers to your installation directory.
- Go to Administration -> Security -> Anonymous Access and change the anonymous user realm value to a valid realm. Except in extremely rare edge cases, the default Local Authorizing Realm is what you will want to select. Click Save.
- Stop Nexus.
- Back up the security database directory:
- Start the orient console.
- Connect to the security database.
- Take a look at the existing key before running a delete.
- Delete the key.
- Exit the orient console.
- Start Nexus.
- Try the Docker anonymous pull again.