Dev - Nexus Repo / NEXUS-27623

403 response from a remote will cause an already cached docker asset to also return a 403 from a proxy repository when component age expires


    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.29.2, 3.30.0
    • Fix Version/s: None
    • Component/s: Docker
    • Labels:
    • Notability: 3

      Description

      For a Docker proxy repo, when the component max age expires and Nexus makes a request to the remote registry for an already cached Docker asset e.g. tag/manifest file, if the remote returns a 403 response then Nexus will also return a 403 to the client.

      Furthermore, any subsequent request to the proxy for that asset will also return a 403 response, even if the component max age has not expired and a request is not made to the remote.

      It would be expected that despite the remote returning a 403, Nexus should still continue to serve the asset it already had cached in the proxy.

      This can be reproduced as follows:

      1. Set up two Nexus instances. On one instance create a hosted docker repository, on the other create a proxy docker repository pointing to the hosted repo.
      2. Configure the remote to require authentication and configure the proxy repo with a user that has read permissions to the remote repo.
      3. Upload an image to the hosted repo.
      4. Pull the image via the proxy repo.
      5. Edit the permissions on the remote so that the configured user no longer has read permissions.
      6. Invalidate the cache on the proxy repo.
      7. Request/access the tag asset via the proxy.

      The proxy request returns a 403 with:

      {"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}

      This 403 response will continue to be returned until the user permissions are corrected on the remote AND the component max age expires.
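
The following is an added example, not part of the original report and not Nexus source code: a toy Python model that replays the reproduction steps against a cache that behaves as reported and against one that keeps serving the cached asset as the report expects. The class and function names, the asset path, the manifest body and the timings (minutes, with a max age of 1440) are all constructed for the illustration.

```python
# Added illustration: a toy model of the reported behaviour, not Nexus source code.
# All names (Remote, ProxyCache, replay) and the timings are constructed for this example.

class Remote:
    def __init__(self):
        self.allowed = True   # proxy user has read permission on the hosted repo
        self.calls = 0

    def fetch(self, path):
        self.calls += 1
        return (200, "manifest-v1") if self.allowed else (403, "UNAUTHORIZED")


class ProxyCache:
    def __init__(self, remote, max_age, serve_stale):
        self.remote, self.max_age, self.serve_stale = remote, max_age, serve_stale
        self.entries = {}     # path -> [status, body, fetched_at]

    def invalidate(self):
        for entry in self.entries.values():
            entry[2] = None   # force revalidation on the next request

    def get(self, path, now):
        entry = self.entries.get(path)
        if entry and entry[2] is not None and now - entry[2] < self.max_age:
            return entry[0], entry[1]             # answered from cache, remote not contacted
        status, body = self.remote.fetch(path)
        if status != 200 and self.serve_stale and entry and entry[0] == 200:
            return entry[0], entry[1]             # expected: keep serving the cached asset
        self.entries[path] = [status, body, now]  # reported: the 403 replaces the good entry
        return status, body


def replay(serve_stale, max_age=1440):
    """Run the reproduction steps; return (statuses seen by the client, remote call count)."""
    remote = Remote()
    proxy = ProxyCache(remote, max_age, serve_stale)
    path = "v2/app/manifests/latest"
    seen = [proxy.get(path, now=0)[0]]            # step 4: pull via the proxy
    remote.allowed = False                        # step 5: revoke read permission
    proxy.invalidate()                            # step 6: invalidate the proxy cache
    seen.append(proxy.get(path, now=10)[0])       # step 7: request the tag asset
    seen.append(proxy.get(path, now=20)[0])       # later request, max age not expired
    remote.allowed = True                         # permission corrected on the remote
    seen.append(proxy.get(path, now=30)[0])       # still inside the max age of the 403
    seen.append(proxy.get(path, now=10 + max_age)[0])  # max age has expired
    return seen, remote.calls
```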


              People

              Assignee: Unassigned
              Reporter: Hardeep Nagra (hardeepn)
              Last Updated By: Michael Oliverio