For a Docker proxy repo, when the component max age expires and Nexus makes a request to the remote registry for an already cached Docker asset e.g. tag/manifest file, if the remote returns a 403 response then Nexus will also return a 403 to the client.
Furthermore, any subsequent request to the proxy for that asset will also return a 403 response, even if the component max age has not expired and a request is not made to the remote.
It would be expected that despite the remote returning a 403, Nexus should still continue to serve the asset it already had cached in the proxy.
This can be reproduced as follows:
- Two Nexus instance. On one instance create a hosted docker repository, on the other create a proxy docker repository to the hosted repo.
- Configure the remote to require authentication and configure the proxy repo with a user that has read permissions to the remote repo.
- Upload an image to the hosted repo.
- Pull the image via the proxy repo.
- Edit the permissions on the remote so that the configured user no longer has read permissions.
- Invalidate the cache on the proxy repo.
- Request/access the tag asset via the proxy.
The proxy request returns a 403 with:
This 403 response will continue to be returned until the user permissions are corrected on the remote AND the component max age expires.
Despite the remote returning a 403, Nexus should still continue to serve the asset it already had cached in the proxy.