Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.19.0, 3.25.0
- Fix Version/s: 3.38.0
- Story Points: 3
- Sprint: NXRM MadMax Sprint 21
- Notability: 2
Description
- Configure a docker repo to allow anonymous docker pulls
- Change the Anonymous user realm to be Docker Bearer Token Realm (something allowed because of bug NEXUS-20926).
- Perform an anonymous docker pull against the docker repo. This fails.
- Change the Anonymous user realm back to a valid realm, like its default realm of Local Authorizing Realm.
- Perform an anonymous docker pull again. This still fails with an Unauthorized response, despite the fact that the anonymous user is configured to use a valid realm.
Now you are in a state where it appears the only way to correct the problem with anonymous docker pulls is to run a low-level database command to delete the anonymous user token incorrectly associated with the Docker Bearer Token Realm.
Expected
At a low level, prevent a realm from being associated with the special anonymous user when that would break core features that rely on the anonymous user being associated only with proper realms. Fixing NEXUS-20926 only addresses UI selection of realms.
Fix for broken state:
These instructions may be difficult to perform when NXRM is running in Kubernetes. In the following instructions, $data-dir refers to your Data Directory and $install-dir refers to your installation directory.
- Go to Administration -> Security -> Anonymous Access and change the anonymous user realm value to a valid realm. Except in extremely rare edge cases, the default Local Authorizing Realm is what you will want to select. Click Save.
- Stop Nexus.
- Back up the security database directory:
    $data-dir/db/security
- Start the orient console:
    java -jar $install-dir/lib/support/nexus-orient-console.jar
- Connect to the security database:
    connect plocal:$data-dir/db/security admin admin
- Take a look at the existing key before running a delete:
    select from api_key where domain='DockerToken' and primary_principal='anonymous'
- Delete the key:
    delete from api_key where domain='DockerToken' and primary_principal='anonymous'
- Exit the orient console:
    disconnect
    exit
- Start Nexus.
- Try the Docker anonymous pull again.
Issue Links
- is related to: NEXUS-20926 anonymous user realm may be set to an invalid realm which will break the anonymous user (New)