Dev - Nexus Repo / NEXUS-24787

An anonymous Docker pull while the anonymous user is configured to use the Docker Bearer Token Realm permanently breaks all future anonymous Docker logins


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.19.0, 3.25.0
    • Fix Version/s: 3.38.0
    • Component/s: Docker, Security
    • Sprint: NXRM MadMax Sprint 21


      Steps to reproduce:

      1. Configure a Docker repository to allow anonymous Docker pulls.
      2. Change the anonymous user's realm to the Docker Bearer Token Realm (something the UI allows because of bug NEXUS-20926).
      3. Perform an anonymous Docker pull against the repository. This fails.
      4. Change the anonymous user's realm back to a valid realm, such as its default, the Local Authorizing Realm.
      5. Perform an anonymous Docker pull again. This still fails with an Unauthorized response, even though the anonymous user is now configured to use a valid realm.

      You are now in a state where the only apparent way to restore anonymous Docker pulls is a low-level database command that deletes the anonymous user's token, which was incorrectly associated with the Docker Bearer Token Realm.
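      The failing pulls in steps 3 and 5 (and the retry in step 10 of the fix below) can be reproduced without a Docker daemon by walking the Docker Registry v2 token flow by hand, which exposes the status code behind "Unauthorized". The following is an added example for this issue, not code from Nexus Repository or Sonatype; it assumes the token endpoint is whatever the realm in the Bearer challenge points at, and the hostnames in it are placeholders.

```python
"""Exercise an anonymous Docker pull by hand, without a Docker daemon.

Added example for NEXUS-24787; not code from Nexus Repository or Sonatype.
Flow: GET /v2/, read the Bearer challenge, request a token with no
credentials, GET the manifest with that token. Assumption: the token
endpoint is the realm named in the challenge; hostnames are placeholders.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

MANIFEST_ACCEPT = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
])


def parse_challenge(header):
    """Parse a WWW-Authenticate value such as
    Bearer realm="https://host/v2/token",service="https://host/v2/token"
    into {"scheme": "Bearer", "realm": ..., "service": ...}."""
    scheme, _, params = header.strip().partition(" ")
    fields = {"scheme": scheme}
    for key, value in re.findall(r'(\w+)="([^"]*)"', params):
        fields[key] = value
    return fields


def token_url(challenge, repo, action="pull"):
    """Build the token request for one repository scope (pull by default)."""
    query = urllib.parse.urlencode({
        "service": challenge["service"],
        "scope": f"repository:{repo}:{action}",
    })
    return f"{challenge['realm']}?{query}"


def http_get(url, headers=None):
    """GET and return (status, headers, body); 4xx/5xx are data, not errors."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def verdict(token_status, manifest_status):
    """Reduce the flow's status codes to one line a human can act on."""
    if manifest_status == 200:
        return "anonymous pull OK"
    if token_status == 401:
        return "anonymous token request rejected (401)"
    if manifest_status == 401:
        return "manifest rejected with anonymous bearer token (401)"
    return f"unexpected: token={token_status} manifest={manifest_status}"


def check_anonymous_pull(registry, repo, ref="latest"):
    """Run the flow against a live registry base URL, e.g. http://localhost:8082."""
    manifest = f"{registry}/v2/{repo}/manifests/{ref}"
    headers = {"Accept": MANIFEST_ACCEPT}
    status, hdrs, _ = http_get(f"{registry}/v2/")
    token_status = None
    if status == 401:  # bearer realm active: an anonymous token is needed first
        challenge = parse_challenge(hdrs.get("WWW-Authenticate", ""))
        if challenge.get("scheme") != "Bearer" or "realm" not in challenge:
            return f"401 from /v2/ without a usable Bearer challenge: {challenge}"
        token_status, _, body = http_get(token_url(challenge, repo))
        if token_status == 200:
            data = json.loads(body)
            headers["Authorization"] = "Bearer " + (data.get("token") or data.get("access_token", ""))
    manifest_status, _, _ = http_get(manifest, headers)
    return verdict(token_status, manifest_status)


if __name__ == "__main__":
    import sys
    print(check_anonymous_pull(*sys.argv[1:]))
```

      Run it as `python3 check_pull.py http://localhost:8082 myrepo/alpine latest` before and after the database fix; a healthy repository with anonymous pull enabled reports "anonymous pull OK", while the broken state reports one of the two 401 verdicts.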


      Proposed fix: at a low level, prevent a realm from being associated with the special anonymous user when doing so would break core features that rely on the anonymous user being associated only with proper realms. Fixing NEXUS-20926 only addresses UI selection of realms.

      Fix for broken state:

      These instructions may be difficult to perform when NXRM is running in Kubernetes. In the following instructions $data-dir refers to your Data Directory and $install-dir refers to your installation directory.

      1. Go to Administration -> Security -> Anonymous Access and change the anonymous user's realm to a valid realm. Except in extremely rare edge cases, the default Local Authorizing Realm is the one you want. Click Save.
      2. Stop Nexus.
      3. Back up the security database directory, $data-dir/db/security.
      4. Start the orient console:
         java -jar $install-dir/lib/support/nexus-orient-console.jar
      5. Connect to the security database:
         connect plocal:$data-dir/db/security admin admin
      6. Look at the existing key before running a delete:
         select from api_key where domain='DockerToken' and primary_principal='anonymous'
      7. Delete the key:
         delete from api_key where domain='DockerToken' and primary_principal='anonymous'
      8. Exit the orient console.
      9. Start Nexus.
      10. Try the anonymous Docker pull again.
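      Steps 2 through 7 above, scripted so the backup always happens and the SELECT can be run as a dry run before the DELETE. This is an added example for this issue, not Sonatype's code. It assumes that Nexus keeps a lock file at $data-dir/lock while it is running, and that nexus-orient-console.jar (an OrientDB console) accepts a ';'-separated batch of commands as a single argument; both are stated in the code as assumptions, and the data directory used by the self-check is constructed, not a real installation.

```python
"""Scripted recovery for NEXUS-24787 (backup, inspect, delete the key).

Added example for this issue, not Sonatype's code. Copies
$data-dir/db/security to a timestamped directory, then runs the issue's
two OrientDB statements through nexus-orient-console.jar: the SELECT
alone by default (dry run), the DELETE only with --delete.
Assumptions: Nexus holds $data-dir/lock while running; the OrientDB
console accepts a ';'-separated batch of commands as one argument.
"""
import shutil
import subprocess
import sys
import tempfile
import time
from pathlib import Path

DOMAIN = "DockerToken"    # api_key domain written by the Docker Bearer Token Realm
PRINCIPAL = "anonymous"   # the special anonymous user


def security_db_path(data_dir):
    return Path(data_dir) / "db" / "security"


def nexus_appears_running(data_dir):
    """Step 2 guard. ASSUMPTION: the running instance keeps $data-dir/lock."""
    return (Path(data_dir) / "lock").exists()


def backup_security_db(data_dir, backup_root):
    """Step 3: copy $data-dir/db/security to a timestamped directory."""
    src = security_db_path(data_dir)
    if not src.is_dir():
        raise FileNotFoundError(f"security database not found at {src}")
    dest = Path(backup_root) / ("security-" + time.strftime("%Y%m%dT%H%M%S"))
    shutil.copytree(src, dest)
    return dest


def orient_commands(data_dir, delete=False):
    """Steps 5-7: the statements from the issue. With delete=False only the
    SELECT runs, so the offending key can be inspected before removal."""
    where = f"domain='{DOMAIN}' and primary_principal='{PRINCIPAL}'"
    cmds = [
        f"connect plocal:{security_db_path(data_dir)} admin admin",
        f"select from api_key where {where}",
    ]
    if delete:
        cmds.append(f"delete from api_key where {where}")
    return cmds


def run_console(install_dir, cmds):
    """Step 4: drive nexus-orient-console.jar non-interactively.
    ASSUMPTION: the console runs a ';'-separated batch passed as one argument."""
    jar = Path(install_dir) / "lib" / "support" / "nexus-orient-console.jar"
    batch = "; ".join(cmds) + ";"
    return subprocess.run(["java", "-jar", str(jar), batch],
                          capture_output=True, text=True, check=False)


def demo_backup():
    """Self-check on a constructed data directory (not a real Nexus install):
    returns True when the backup contains the placeholder file byte for byte."""
    root = Path(tempfile.mkdtemp())
    fake_db = security_db_path(root)
    fake_db.mkdir(parents=True)
    (fake_db / "placeholder.pcl").write_bytes(b"constructed, not an OrientDB file")
    dest = backup_security_db(root, root / "backups")
    return (dest / "placeholder.pcl").read_bytes() == b"constructed, not an OrientDB file"


def main(argv):
    data_dir, install_dir = argv[1], argv[2]
    delete = "--delete" in argv[3:]
    if nexus_appears_running(data_dir):
        print("Nexus appears to be running; stop it first (step 2)")
        return 1
    print("backup written to", backup_security_db(data_dir, Path(data_dir).parent))
    result = run_console(install_dir, orient_commands(data_dir, delete))
    print(result.stdout, result.stderr)
    return result.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

      Run `python3 fix_anon_token.py $data-dir $install-dir` first to see the row the SELECT returns, then add `--delete` once you are satisfied it is the anonymous DockerToken entry; start Nexus afterwards and retry the pull (steps 9 and 10).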


              iudovika Igor Udovika
              plynch Peter Lynch
              Last Updated By: Igor Udovika
              NXRM - Mad Max