NEXUS-24787 (Dev - Nexus Repo)

an anonymous docker pull while anonymous user is configured to use docker bearer token realm will permanently break all future anonymous docker logins


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.19.0, 3.25.0
    • Fix Version/s: 3.38.0
    • Component/s: Docker, Security
    • Labels: (none)
    • Story Points: 3
    • Sprint: NXRM MadMax Sprint 21
    • Notability: 2

      Description

      1. Configure a docker repo to allow anonymous docker pulls
      2. Change the Anonymous user realm to be Docker Bearer Token Realm ( something allowed because of bug NEXUS-20926 )
      3. Perform an anonymous docker pull against the docker repo. This fails
      4. Change the Anonymous user realm back to a valid realm, such as its default realm, Local Authorizing Realm.
      5. Perform an anonymous docker pull again. This still fails with an Unauthorized response, despite the fact that the anonymous user is now configured to use a valid realm.

      Now you are in a state where it appears the only way to correct the problem with anonymous docker pulls is to run a low-level database command that deletes the anonymous user token incorrectly associated with the Docker Bearer Token Realm.

      Expected

      At a low level, prevent a realm from being associated with the special anonymous user when that would break core features that rely on the anonymous user only being associated with proper realms. Fixing NEXUS-20926 only addresses the UI selection of realms.

      Fix for broken state:

      These instructions may be difficult to perform when NXRM is running in Kubernetes. In the following instructions $data-dir refers to your Data Directory and $install-dir refers to your installation directory.

      1. Go to Administration -> Security -> Anonymous Access and change the anonymous user realm value to a valid realm. Except in extremely rare edge cases, the default Local Authorizing Realm is the one you want. Click Save.
      2. Stop Nexus.
      3. Back up the security database directory:
         $data-dir/db/security
      4. Start the orient console:
         java -jar $install-dir/lib/support/nexus-orient-console.jar
      5. Connect to the security database:
         connect plocal:$data-dir/db/security admin admin
      6. Take a look at the existing key before running a delete:
         select from api_key where domain='DockerToken' and primary_principal='anonymous'
      7. Delete the key:
         delete from api_key where domain='DockerToken' and primary_principal='anonymous'
      8. Exit the orient console:
         disconnect
         exit
      9. Start Nexus.
      10. Try the Docker anonymous pull again.
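The following POSIX shell script is an added example and is not Sonatype's own tooling. It wraps steps 3, 6 and 7 of the recovery procedure above: it takes a timestamped copy of $data-dir/db/security before anything is touched, writes the orient console commands (the select first, then the delete, both taken verbatim from the steps above) to a file so they can be reviewed, and only then feeds them to nexus-orient-console.jar. Two assumptions are labelled in the code: that the console reads commands from stdin when not attached to a terminal, and that Nexus has already been stopped (step 2), which the script cannot verify for you.

```shell
#!/bin/sh
# Added example (not part of the NEXUS-24787 issue or Nexus itself).
# Usage:
#   . ./nexus_anon_token_cleanup.sh
#   bak=$(nexus_backup_security_db /path/to/data-dir)
#   script=$(nexus_write_cleanup_script /path/to/data-dir /tmp/cleanup.osql)
#   nexus_run_cleanup /path/to/install-dir "$script"   # Nexus must be stopped first

# Copy $data-dir/db/security to a timestamped sibling directory.
# Prints the backup path; refuses to run if the source is missing or the
# destination already exists (so a re-run never nests a copy inside an old backup).
nexus_backup_security_db() {
    data_dir="$1"
    src="$data_dir/db/security"
    [ -d "$src" ] || { echo "no security db at $src" >&2; return 1; }
    dest="$data_dir/db/security.bak.$(date +%Y%m%d%H%M%S)"
    [ ! -e "$dest" ] || { echo "backup $dest already exists" >&2; return 1; }
    cp -R "$src" "$dest" || return 1
    echo "$dest"
}

# Write the orient console commands to $2 and print its path. The statements
# are the ones from steps 5-8 of the issue; the select runs before the delete
# so the console output shows exactly which api_key row is removed.
nexus_write_cleanup_script() {
    data_dir="$1"
    out="$2"
    cat > "$out" <<EOF
connect plocal:$data_dir/db/security admin admin
select from api_key where domain='DockerToken' and primary_principal='anonymous'
delete from api_key where domain='DockerToken' and primary_principal='anonymous'
disconnect
exit
EOF
    echo "$out"
}

# Sanity check before executing: print the number of delete statements in a
# cleanup script. Anything other than 1 means the file was edited or corrupted.
nexus_count_deletes() {
    grep -c '^delete from api_key' "$1" || true
}

# Feed the reviewed script to the orient console.
# Assumption: the OrientDB console reads commands line by line from stdin
# when stdin is not a terminal. Stop Nexus before calling this.
nexus_run_cleanup() {
    install_dir="$1"
    script="$2"
    [ "$(nexus_count_deletes "$script")" = "1" ] || {
        echo "refusing to run: $script does not contain exactly one delete" >&2
        return 1
    }
    java -jar "$install_dir/lib/support/nexus-orient-console.jar" < "$script"
}
```

The select-before-delete ordering and the single-delete check are the parts worth keeping even if you run the console by hand: they turn an irreversible database edit into one whose scope is visible in the console output and bounded to the one anonymous DockerToken row.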

    People

    • Assignee: Igor Udovika (iudovika)
    • Reporter: Peter Lynch (plynch)
    • Last Updated By: Igor Udovika
    • Team: NXRM - Mad Max
    • Votes: 2
    • Watchers: 8
