  1. Dev - Nexus Repo
  2. NEXUS-31100

REST API operations using content selector privileges match against docker image name instead of access path

    Details

    • Story Points:
      0.5
    • Notability:
      3
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      1. Create a content selector with this pattern:

      format == "docker" and path == "/v2/" or path =^ "/v2/deletetest/" or path =^ "/v2/library/deletetest/"
      

      2. Create a content selector privilege using that content selector and against a docker hosted repository and an action value of wildcard literal "*"
      3. Assign the privilege to a role and that role to a test user named "deletetest"
      4. docker push an image named "deletetest" to the hosted docker repo named project_repository using the test user.
      5. Now use the REST API using the deletetest user to GET the components - this DOES NOT return any components.

      curl -v -u deletetest:admin123 http://localhost:8081/service/rest/v1/components?repository=project_repository

      Now change the content selector pattern to be this:

      format == "docker" and path =~ "^(/v2/|/v2/library/)?(deletetest(/.*)?)?$"
      

      Now the same curl request returns the component pushed.

      The document at https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/content-selectors states:

      When writing a content selector, remember that the asset’s path will always begin with a leading slash when the selector is evaluated. This is true even though the leading slash is not displayed when searching or browsing assets.

      This statement is not always true based on the above outcomes.

      What is actually happening is the REST API is matching on component name, not access path.

      Expected

      The documentation should be corrected and/or the product behaviour should be evaluated to determine if matching on "name" instead of access path is intended.
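
The two selectors from the description, modelled as an added example (not code from the report or from Nexus Repository) to show which input each one accepts. Assumptions: `=^` is modelled as a prefix test, `=~` as a full-string regex match, `and` binds tighter than `or`, and the sample access paths are constructed for an image named "deletetest".

```python
import re

# Regex taken verbatim from the second selector in the description.
NAME_OR_PATH = re.compile(r"^(/v2/|/v2/library/)?(deletetest(/.*)?)?$")


def selector_prefix(fmt: str, value: str) -> bool:
    """First selector: exact "/v2/" plus two starts-with clauses.

    Assumption: `and` binds tighter than `or`, so the format test only
    guards the first clause, exactly as the expression is written.
    """
    return (fmt == "docker" and value == "/v2/"
            or value.startswith("/v2/deletetest/")
            or value.startswith("/v2/library/deletetest/"))


def selector_regex(fmt: str, value: str) -> bool:
    """Second selector: regex with an optional /v2/ or /v2/library/ prefix."""
    return fmt == "docker" and NAME_OR_PATH.fullmatch(value) is not None


# Constructed sample values: what a path-based check would see versus
# what the report says the REST API actually matches on (component name).
CANDIDATES = {
    "access path": "/v2/deletetest/manifests/latest",
    "library access path": "/v2/library/deletetest/manifests/latest",
    "component name": "deletetest",
    "other component name": "othertest",
}


def evaluate() -> dict:
    """Return {label: (prefix_selector_result, regex_selector_result)}."""
    return {
        label: (selector_prefix("docker", v), selector_regex("docker", v))
        for label, v in CANDIDATES.items()
    }


if __name__ == "__main__":
    for label, (prefix_ok, regex_ok) in evaluate().items():
        print(f"{label:22} prefix={prefix_ok!s:5} regex={regex_ok}")
```

Only the regex selector accepts the bare component name, which is consistent with the REST API result changing between the two patterns. Because every group in that regex is optional, it also accepts an empty value.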

              People

              Assignee:
              Unassigned
              Reporter:
              Peter Lynch (plynch)
              Last Updated By:
              Michael Oliverio
              Team:
              NXRM - Mad Max
              Votes:
              0
              Watchers:
              5
