What is the minimal set of privileges required to deploy artifacts to Nexus 3?

4

52

I'm using Nexus Repository Manager 3.1.0-04, and I want to create a user that has just deployment permissions. What is the minimal set of privileges required for that?

Right now I created a role nx-deploy with the following privileges:

  • nx-repository-admin-*-*-read
  • nx-repository-admin-*-*-browse
  • nx-repository-admin-*-*-delete
  • nx-repository-admin-*-*-edit
  • nx-repository-admin-*-*-add

Then I created a user deployment with the role nx-deploy. I can deploy artifacts now; however, I believe I am giving too many privileges? The admin part is not what I want the deployment user to be, so that part has me a bit nervous.

Needless to say, there are just too many privileges to choose from under the security section.

Hafner answered 5/12, 2016 at 3:43 Comment(0)
88

The general rule is nx-repository-admin privileges are for administering the repositories and their details; nx-repository-view privileges are for use of the repositories once set up. Assign the latter.

To tweak repository privileges of your Deployment user(s) you should use the nx-repository-view-*-*-* as the assigned privilege, instead of nx-repository-admin. So, remove all the privileges you addressed in your question, and replace the ‘Given’ field with nx-repository-view-*-*-*. Since the privilege is denoted with asterisks, your Deployment users can perform all the above actions (i.e. browse, read, edit, add, and delete).

See the screenshot for reference:

Configuring the nx-deploy Privilege for the Deployment Role

You can read more about Privileges in the Security chapter: https://help.sonatype.com/repomanager3/security/privileges

Jarietta answered 7/12, 2016 at 16:46 Comment(4)
The minimal set of privileges I had to set to deploy an artifact consists of: nx-repository-view-*-*-{edit,read,add,browse}. I'm using Nexus Repository Manager OSS 3.2.1-01 – Radferd
Side notes: [1] The nx-repository-view-*-*-* privilege allows the user to upload artifacts, but does NOT show the UPLOAD option on the Nexus UI. [2] For the deployment user, consider adding the browse, read, edit, add privileges separately and preferably do NOT add the delete privilege. – Dimercaprol
In Nexus 3.14, to be able to upload components (upload button), your deployment user should have the nx-component-upload privilege beside the nx-repository-view-*-*-*; see documentation here help.sonatype.com/repomanager3/user-interface/… – Houlberg
In version 3.18.0-01, the privileges read and edit are enough (just like Ben mentioned in the not accepted answer) to deploy via CI/CD (Maven) provided by GitLab. – Flaming
10

If you need minimal privileges to just deploy artifacts, nx-repository-view-*-*-edit is enough.

nx-repository-admin is used for administration and configuration

Repository Admin

These are privileges related to the administration and configuration of a specific repository

and edit is enough to modify repository content

edit

This action allows privileges to modify associated scripts, repository content, and repository administration.

BTW, you need nx-component-upload to upload components in the web UI.

https://help.sonatype.com/repomanager3/user-interface/uploading-components

Robenarobenia answered 8/3, 2019 at 6:28 Comment(1)
Your post does not include any explanation, instead there is only an is enough, I think. That makes it a comment... You can still add information about why your line of code solves the problem. Your post will be removed if some others flag it as a comment, too. – Coquet
6

For successful deployment by Maven 3 with Nexus 3.8.0, the following rights are required:

nx-repository-view-*-*-edit
nx-repository-view-*-*-read
Demoniac answered 10/6, 2019 at 19:15 Comment(3)
Maven reads the repository before deployment. For this reason, the read role must be assigned. – Demoniac
In addition, the nx-component-upload priv is required if the user should be allowed to perform the upload operation from the Nexus UI. But in general we want to encourage that artefacts are created by CI pipelines, not from a random developer's workstation. So you may want to leave that priv out of the equation. :-) – Bogus
Explanation: Why the edit priv and not the add priv? Because a Maven client actually performs an HTTP PUT when uploading artifacts, not POST. The Nexus edit priv corresponds to being able to perform PUT, while the Nexus add priv corresponds to being able to perform POST. – Bogus
1
nx-repository-view-maven2-maven-snapshots-edit
nx-repository-view-maven2-maven-snapshots-read

"maven2" is the recipe, "maven-snapshots" is your repository name.

Visitant answered 17/4, 2020 at 12:27 Comment(0)
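
The privilege names discussed in the answers above follow the pattern nx-repository-{view|admin}-recipe-repository-action. As an added example (not part of any answer on this page), the following Python sketch parses those names and reports what a role grants on one repository beyond the view edit + read pair the answers report for a Maven deploy. The function names, finding messages and sample roles are assumptions made for illustration.

```python
import re

# nx-repository-{view|admin}-<recipe>-<repository>-<action>. The repository
# name may contain hyphens (maven-snapshots), so it is the greedy middle group.
PRIV_RE = re.compile(r"^nx-repository-(view|admin)-([^-]+)-(.+)-([^-]+)$")
ACTIONS = {"browse", "read", "edit", "add", "delete"}
NEEDED = {"edit", "read"}  # what the answers above report a Maven deploy needs


def parse(name):
    """Split a privilege name into kind, recipe, repo and action, or None."""
    m = PRIV_RE.match(name)
    if not m or m.group(4) not in ACTIONS | {"*"}:
        return None
    return dict(zip(("kind", "recipe", "repo", "action"), m.groups()))


def audit(privileges, recipe, repo):
    """Report what a role grants on one repository beyond view edit + read."""
    granted, findings = set(), []
    for name in privileges:
        p = parse(name)
        if p is None:
            findings.append((name, "not an nx-repository-* privilege"))
        elif p["kind"] == "admin":
            findings.append((name, "repository administration, not content"))
        elif p["recipe"] not in ("*", recipe) or p["repo"] not in ("*", repo):
            findings.append((name, "applies to a different repository"))
        else:
            acts = ACTIONS if p["action"] == "*" else {p["action"]}
            granted |= acts
            if "*" in (p["recipe"], p["repo"]):
                findings.append((name, "wildcard recipe or repository"))
            if acts - NEEDED:
                extra = ", ".join(sorted(acts - NEEDED))
                findings.append((name, "extra actions: " + extra))
    return {"edit_and_read_granted": NEEDED <= granted, "findings": findings}


if __name__ == "__main__":
    # Constructed role definitions, using privilege names quoted on this page.
    broad = ["nx-repository-view-*-*-*"]
    scoped = ["nx-repository-view-maven2-maven-snapshots-edit",
              "nx-repository-view-maven2-maven-snapshots-read"]
    for role in (broad, scoped):
        print(audit(role, "maven2", "maven-snapshots"))
```

The role's privilege list has to be supplied by hand or from an export; the script only classifies names and does not query Nexus.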
