Restrict Artifact Upload to a single repository - nexus

I am using Nexus OSS 2.13.0-01. I want to restrict Artifact Upload for a single user to a single repository (All other users should not be able to upload Artifacts to any of the repositories).
I followed the documentation to create a custom repository target, custom privileges and custom roles. However, I see that 'Artifact Upload' is a privilege of the type 'Application'. If I understand it right, I cannot make 'Artifact Upload' apply to a single Nexus repository, only to the entire Nexus application.
Hence, I am getting the 'Artifact Upload' tab for every repository in Nexus and not for a single repository.
How do I achieve it?
Cheers,
Anantha

The "artifact upload" privilege controls whether or not the upload UI tab is visible. It does not grant privileges to actually upload anything, for that the user needs create or update privileges in the repository.
It is not practical to make the upload UI appear and disappear based on whether a user has write privileges. Checking to see if user has upload permissions is actually quite complex when you consider how nexus repository permissions work. They consist of...
Repository Targets:
  A regular expression describing patterns of artifacts that can be uploaded (e.g., "/com/foo/somecompany/someproject/.*")
  A repository type which is allowed (e.g., "maven2", or "any content")
Repository Target Privileges:
  A repository target
  A repository where the target applies, or "all repositories"
Further complicating matters is that repository privileges are transitive. Privileges applied to group repositories also apply to the group's member repositories. So a privilege granted for a group repository is also granted for the group's members.
So in the general case we can't tell if a user has permission to upload something until they actually try to upload it.
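To make the answer above concrete, here is an added illustrative model (not Sonatype's code) of the pieces it lists: repository targets as content-class plus path regex, target privileges bound to one repository or to "all repositories", group transitivity, and the application-level "artifact upload" privilege that only controls the tab. The repository ids, target names, users and artifact path are invented sample data, and applying the target regex as a full match is an assumption.

```python
import re
from dataclasses import dataclass

# Added illustrative model of the Nexus 2 permission pieces (not Sonatype code).
# Repository ids, target names, privileges and paths are invented sample data.


@dataclass(frozen=True)
class RepositoryTarget:
    content_class: str   # "maven2", "npm", ... or "any"
    patterns: tuple      # regexes matched against the artifact path


@dataclass(frozen=True)
class TargetPrivilege:
    target: str          # key into TARGETS
    repository: str      # repository id, or "*" for "all repositories"
    actions: frozenset   # subset of {"read", "create", "update", "delete"}


# Hypothetical layout: two hosted repositories and a group that contains both.
REPOSITORIES = {
    "releases": {"content_class": "maven2", "members": ()},
    "snapshots": {"content_class": "maven2", "members": ()},
    "public": {"content_class": "maven2", "members": ("releases", "snapshots")},
}

TARGETS = {
    "someproject": RepositoryTarget("maven2", (r"/com/foo/somecompany/someproject/.*",)),
    "everything": RepositoryTarget("any", (r".*",)),
}


def covered_repositories(repo_id):
    """Repositories reached by a privilege on repo_id: itself plus group members, transitively."""
    seen, todo = set(), [repo_id]
    while todo:
        rid = todo.pop()
        if rid in seen:
            continue
        seen.add(rid)
        todo.extend(REPOSITORIES[rid]["members"])
    return seen


def target_matches(target, repo_id, path):
    """The content class must fit the repository and some pattern must match the path."""
    if target.content_class not in ("any", REPOSITORIES[repo_id]["content_class"]):
        return False
    # Assumption: the target regex is applied as a full match against the path.
    return any(re.fullmatch(p, path) for p in target.patterns)


def has_repository_action(privileges, repo_id, path, action):
    """True if any repository-target privilege grants `action` on `path` in `repo_id`."""
    for priv in privileges:
        if action not in priv.actions:
            continue
        if priv.repository != "*" and repo_id not in covered_repositories(priv.repository):
            continue
        if target_matches(TARGETS[priv.target], repo_id, path):
            return True
    return False


def upload_decision(app_privileges, repo_privileges, repo_id, path, action="create"):
    """(upload tab visible?, upload really permitted?) for one artifact path.

    The tab is an application-level privilege; the write itself needs create
    (new artifact) or update (overwrite) on a matching repository target."""
    tab_visible = "artifact-upload" in app_privileges
    permitted = has_repository_action(repo_privileges, repo_id, path, action)
    return tab_visible, permitted


# Sample users. Both hold the application privilege, so both see the tab everywhere.
UPLOADER_APP = frozenset({"artifact-upload"})
UPLOADER_REPO = (
    TargetPrivilege("someproject", "releases", frozenset({"read", "create", "update"})),
    TargetPrivilege("everything", "*", frozenset({"read"})),
)
READER_APP = frozenset({"artifact-upload"})
READER_REPO = (TargetPrivilege("everything", "*", frozenset({"read"})),)

JAR = "/com/foo/somecompany/someproject/1.0/someproject-1.0.jar"

if __name__ == "__main__":
    print("uploader, releases:", upload_decision(UPLOADER_APP, UPLOADER_REPO, "releases", JAR))
    print("uploader, snapshots:", upload_decision(UPLOADER_APP, UPLOADER_REPO, "snapshots", JAR))
    print("reader, releases:", upload_decision(READER_APP, READER_REPO, "releases", JAR))
```

The reader user illustrates the original complaint: the tab is visible in every repository, but the upload is refused because no target privilege grants create there. The group grant checked in the test shows the transitivity point: a privilege on "public" reaches "snapshots" even though "snapshots" is never named.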

Related

Disable directory listing in artifactory

I need to disable directory listing in .
Any suggestions?
I tried to search for a result in Google but didn't find any.
I only found a way to block the connection to the URL, but this isn't what I need.
If you are looking to disable the directory listing for particular users, then you can achieve this by providing the repository path as an exclude pattern in the permission target.
In the example below, I have enabled anonymous user access only to specific packages. Please refer to the steps below:
I have created a PyPI local repository and deployed Python packages into it, as shown in the screenshot below:
screenshot
After this, I created a permission target to restrict access to a specific folder called st-fraud-infra for the anonymous user, so I added st-fraud-infra/** as an exclude pattern; kindly refer to the screenshot below:
screenshot
I added the anonymous user from the Users tab and provided the appropriate permissions based on my requirement.
screenshot
Once the permission target was saved, when accessing Artifactory as the anonymous user I could not see the excluded folder, st-fraud-infra.
screenshot
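The following added example (not JFrog code) models what the answer above configures: an Artifactory-style permission target whose Ant-pattern includes and excludes decide which paths a user may read, and a directory listing built only from readable paths, so a folder like st-fraud-infra whose contents are entirely excluded simply disappears. The repository contents are constructed; treating "**" as the default include and "match an include and no exclude" as the readability rule are assumptions stated in the code.

```python
import re

# Added example (not JFrog code) of Ant-style include/exclude evaluation in a
# permission target and the directory listing that results. Contents are made up.


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (**, *, ?) into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")      # zero or more whole directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")            # anything, including slashes
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")         # anything within one path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def matches_any(path, patterns):
    return any(re.match(ant_to_regex(p), path) for p in patterns)


def readable(path, includes=("**",), excludes=()):
    """Assumption: a path is readable when it matches an include pattern and no exclude pattern."""
    return matches_any(path, includes) and not matches_any(path, excludes)


def visible_listing(artifacts, includes=("**",), excludes=(), folder=""):
    """Names shown when browsing `folder`: readable artifacts plus subfolders that
    contain at least one readable artifact. A folder whose content is entirely
    excluded therefore never appears in the listing."""
    folder = folder.strip("/")
    prefix = folder + "/" if folder else ""
    names = set()
    for path in artifacts:
        if path.startswith(prefix) and readable(path, includes, excludes):
            names.add(path[len(prefix):].split("/", 1)[0])
    return sorted(names)


# Constructed contents of a PyPI local repository.
ARTIFACTS = [
    "public-tools/public_tools-1.0.tar.gz",
    "public-tools/public_tools-1.1.tar.gz",
    "st-fraud-infra/st_fraud_infra-2.3.whl",
    "st-fraud-infra/internal/st_fraud_infra_internal-0.1.whl",
]

ANON_INCLUDES = ("**",)                  # assumed default include pattern
ANON_EXCLUDES = ("st-fraud-infra/**",)   # the exclude pattern used in the answer above

if __name__ == "__main__":
    print("anonymous, root:", visible_listing(ARTIFACTS, ANON_INCLUDES, ANON_EXCLUDES))
    print("anonymous, st-fraud-infra:", visible_listing(ARTIFACTS, ANON_INCLUDES, ANON_EXCLUDES, "st-fraud-infra"))
    print("unrestricted, root:", visible_listing(ARTIFACTS))
```

Note that the exclude pattern hides the folder only because no readable entry remains under it; an exclude of st-fraud-infra/internal/** alone would still leave st-fraud-infra visible with its remaining wheel.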

File sharing read/write permissions

I have noticed that in Dropbox, you can share a file with another user, in 'read' mode, and that viewer has the ability to share that file with others via a read-only sharable link. However, in Drive, a read-only user is unable to share a link with another user at all.
Which approach would be more similar to how the Unix/Linux approach to permissions works? Why?
Try visiting the Google Drive REST API Overview in the official Drive documentation, specifically the Share and collaborate section, which says:
apps can display a standard Google Drive sharing dialog to let users share files
What you want to do is more on Manage Sharing:
Access to files & folders is determined by an access control list (ACL). An ACL is a list of permissions that determine whether or not users can perform actions on a file such as read or write. See the permissions guide for additional details about permissions and roles along with the reference guide.
Also, what you want is to assign a direct file permission to a user, group or domain. It was stated to use the teamDrivePermissionDetails field to determine the effective role.
To see more on how to list a file's or Team Drive's permissions, you can refer to the method Permissions: list.

Nexus 3 and Content Selectors

I'm trying to use Sonatype Nexus 3 and content selectors for a Maven 2 repository.
I created a Maven 2 repository called "custom-snapshots" and a content selector with the query
coordinate.groupId =^ "net"
(My original query was more precise, but I'm trying to narrow down the problem. I don't think the problem is the content selector though as when I click preview and run it against custom-snapshots, I do get matches.)
Then I created a privilege called "sea-lion-snapshot-priv" with content selector "sea-lion-selector", repository "custom-snapshots" and actions "read,edit,browse".
Next I created a role called "sea-lion-role" with "sea-lion-snapshot-priv". Finally, I created a user "sam" with roles "sea-lion-role" and "nx-anonymous". I did not change any of the permissions on nx-anonymous.
When testing:
If I browse the custom-snapshots repo without being logged in, I see all the artifacts.
If I browse the custom-snapshots repo logged in as Sam, I see all the artifacts.
If I browse the custom-snapshots repo logged in as another user, I see all the artifacts.
I was expecting to see the artifacts as Sam, but not anonymous/the other user.
Any ideas on what I could have set up wrong or techniques to troubleshoot it?
#rseddon's comment was the missing step. In the spirit of documentation, here are the exact settings I used when it was working:
Create a new role "limited-anon" with "nx-repository-view-maven2--*-read" and "nx-search-read"
Under users, go to "Anonymous". Remove the built in role and add "limited-anon"
Create a content selector with the search expression coordinate.groupId =^ "my.package.name"
Create a privilege of type "Repository Content Selector" going against this content selector, the snapshot repository and actions "read,edit,browse"
Create a similar privilege for the releases repo
Create a new role with both of these privileges
Assign both that new role and "limited-anon" to Sam (the user who can see the artifacts)
Assign just "limited-anon" to the other test user
This configuration works for:
anonymous user - can not see this artifact
Sam - can see this artifact
other user - cannot see this artifact
With this setup, it looks like items in the repository without content selectors cannot be seen unless you are an admin. Which is fine for my use case.
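To show why a selector such as coordinate.groupId =^ "net" matches some assets and not others, here is an added example (not Sonatype's code) that evaluates a small subset of the Nexus 3 content-selector language against Maven 2 asset paths. It supports the attributes format, path and coordinate.*, the operators ==, =^ (starts with) and =~ (regex), and/or and parentheses; treating =~ as a full-match regex and deriving coordinates from the /group/artifactId/version/filename layout are assumptions, and the repository contents are constructed.

```python
import re

# Added example (not Sonatype code): evaluates a small subset of the Nexus 3
# content-selector language (CSEL) against Maven 2 asset paths. Supported here:
# the attributes format, path and coordinate.*; the operators ==, =^ (starts
# with) and =~ (regex, assumed full-match); and/or; parentheses. ASSETS is constructed.

TOKEN = re.compile(r'\s*(?:(?P<paren>[()])|(?P<op>==|=\^|=~)|"(?P<str>[^"]*)"|(?P<word>[A-Za-z_][\w.]*))')
OPS = {
    "==": lambda value, literal: value == literal,
    "=^": lambda value, literal: value.startswith(literal),
    "=~": lambda value, literal: re.fullmatch(literal, value) is not None,
}

def tokenize(selector):
    tokens, pos, selector = [], 0, selector.strip()
    while pos < len(selector):
        m = TOKEN.match(selector, pos)
        if not m:
            raise ValueError(f"bad selector syntax at {pos}: {selector[pos:]!r}")
        pos, kind = m.end(), m.lastgroup
        text = m.group(kind)
        if kind == "word":
            kind = "kw" if text in ("and", "or") else "ident"
        tokens.append((kind, text))
    return tokens

def compare(value, op, literal):
    return value is not None and OPS[op](value, literal)   # absent attribute (e.g. no classifier) never matches

class Parser:
    """expr := term ('or' term)*   term := factor ('and' factor)*   factor := '(' expr ')' | attr op literal"""
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0
    def accept(self, tok):
        if self.i < len(self.tokens) and self.tokens[self.i] == tok:
            self.i += 1
            return True
        return False
    def take(self):
        if self.i == len(self.tokens):
            raise ValueError("unexpected end of selector")
        self.i += 1
        return self.tokens[self.i - 1]
    def parse(self):
        node = self.expr()
        if self.i != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.i][1]!r}")
        return node
    def expr(self):
        parts = [self.term()]
        while self.accept(("kw", "or")):
            parts.append(self.term())
        return lambda attrs: any(p(attrs) for p in parts)
    def term(self):
        parts = [self.factor()]
        while self.accept(("kw", "and")):
            parts.append(self.factor())
        return lambda attrs: all(p(attrs) for p in parts)
    def factor(self):
        if self.accept(("paren", "(")):
            node = self.expr()
            if not self.accept(("paren", ")")):
                raise ValueError("expected ')'")
            return node
        (kind, attr), (op_kind, op), (lit_kind, literal) = self.take(), self.take(), self.take()
        if (kind, op_kind, lit_kind) != ("ident", "op", "str"):
            raise ValueError('expected  <attribute> <operator> "literal"')
        return lambda attrs: compare(attrs.get(attr), op, literal)

def maven2_attributes(path):
    """Selector attributes of a Maven 2 asset, derived from its repository path.
    Assumed layout: /group/segments/artifactId/version/artifactId-version[-classifier].ext"""
    parts = path.strip("/").split("/")
    attrs = {"format": "maven2", "path": "/" + "/".join(parts)}
    if len(parts) < 4:
        return attrs
    filename, version, artifact = parts[-1], parts[-2], parts[-3]
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    attrs.update({"coordinate.groupId": ".".join(parts[:-3]), "coordinate.artifactId": artifact,
                  "coordinate.version": version, "coordinate.extension": ext})
    stem = filename[:-len(ext) - 1] if ext else filename
    if stem.startswith(f"{artifact}-{version}-"):
        attrs["coordinate.classifier"] = stem[len(artifact) + len(version) + 2:]
    return attrs

def selector_matches(selector, path):
    return Parser(tokenize(selector)).parse()(maven2_attributes(path))

ASSETS = [  # constructed contents of a hosted Maven 2 repository
    "/net/example/sea-lion/1.0-SNAPSHOT/sea-lion-1.0-SNAPSHOT.jar",
    "/net/example/sea-lion/1.0-SNAPSHOT/sea-lion-1.0-SNAPSHOT-sources.jar",
    "/net/example/sea-lion/1.0-SNAPSHOT/sea-lion-1.0-SNAPSHOT.pom",
    "/com/other/widget/2.1/widget-2.1.jar",
]

if __name__ == "__main__":
    print([a for a in ASSETS if selector_matches('coordinate.groupId =^ "net"', a)])
```

The evaluator rejects an unquoted literal (coordinate.groupId =^ net) rather than silently matching nothing, which is the failure mode to watch for when a selector preview returns no results.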

Preventing Overwriting Deployments using Artifactory

I have setup an instance of Artifactory (4.1.2) which I am using to store java artefacts. I push artifacts to the instance using the gradle plugin configured as below
artifactory {
    contextUrl = 'http://example.com/artifactory'
    publish {
        repository {
            // The Artifactory repository key to publish to
            repoKey = 'libs-release-local'
            username = artifactory_username
            password = artifactory_password
        }
        defaults {
            publications('releaseJar')
        }
    }
}
I want to be able to prevent overwriting already deployed artefacts by version. This seems to be a common request and the docs say
You can prevent a user or group from overwriting a deployed release or unique snapshot by not granting the Delete permission. Non-unique snapshots can always be overwritten (provided the Deploy permission is granted).
However, I have set up a deploy user which is in the group "deployers", with the related permission target "CanDeploy".
The CanDeploy permission target has Deploy/Cache permissions for the deployers group only.
However! I can overwrite the deployed artifact to my hearts content using gradle artifactoryPublish.
Any advice would be gratefully received :)
EDIT: Since asking this question the functionality has started working as desired. This is very weird as I had not changed the Artifactory settings at all, but it is now returning a 403 when I try to upload an artifact with the same version number as one already deployed. I can only presume there is something weird regarding caching of access permissions which resulted in my changes via the web UI not becoming effective for a day or two. Unnerving, but it's currently working. Will leave the question up for the moment while I ensure it's working!
The easiest way to check the permissions are set is in the "Effective Permissions" tab in the browser UI.
When selecting the "releaseJar" repo, if you see the "delete" permission checked for the "deploy" user, then you may have another permission target giving the delete permission to this user.
You can see the list of permission target used by a single user in the "Users" page.
Hope this helps.

User cannot create file using WebDav with Alfresco

I am using WebDav to copy and paste multiple files into Alfresco.
The problem is that I can only do this with administrator IDs.
When I try to create new files or update existing files as a non-administrator user, I get the following error:
HTTP Status Code: 403 caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 03300303 Access Denied. You do not have the appropriate permissions to perform this operation.
Is there anyway to allow non-administrator IDs to create/update files?
The Alfresco WebDAV support uses identical permissions to the rest of Alfresco. Nothing special; it's just one of a number of different ways you can interact with the nodes stored in your Alfresco repo.
As such, the user you log in as needs to have both read and write permissions to the folder in question. Typically, that means they need to be a member of the site you want to write to, and need to have a role higher than Consumer.
As long as the user has write permissions to where you want to write to, they'll be able to make changes using WebDAV.
