Nexus has role-based access control (RBAC) which gives administrators very fine-grained control over who can read from a repository (or a subset of repositories), who can administer the server, and who can deploy to repositories. The security model in Nexus is flexible enough to let you specify that only certain users or roles can deploy and manage artifacts in a specific repository under a specific groupId or asset class. The default configuration of Nexus ships with four roles and four users with a standard set of permissions that will make sense for most users. As your security requirements evolve, you will likely need to customize security settings to create protected repositories for multiple departments or development groups. Nexus provides a security model which can adapt to any scenario.
Nexus' Role-based access control (RBAC) system is designed around the following four security concepts:
- Privileges: Privileges are rights to read, update, create, or manage resources and perform operations. Nexus ships with a set of core privileges which cannot be modified, and you can create new privileges to allow for fine-grained targeting of role and user permissions for specific repositories.
- Targets: Privileges are usually associated with resources or targets. In the case of Nexus, a target can be a specific repository or a set of repositories grouped in something called a repository target. A target can also be a subset of a repository or a specific asset class within a repository. Using a target, you can restrict a specific privilege so that it applies to a single groupId.
- Roles: Collections of privileges can be grouped into roles to make it easier to define collections of privileges common to certain classes of users. For example, deployment users will all have similar sets of permissions. Instead of assigning individual privileges to individual users, you use roles to make it easier to manage users with similar sets of privileges. A role contains one or more privileges and/or one or more roles.
- Users: Users can be assigned roles and privileges, and model the individuals who will be logging into Nexus and reading, deploying, or managing repositories.
Nexus has three types of privileges: application privileges which cover actions a user can execute in Nexus, repository target privileges which govern the level of access a user has to a particular repository or repository target, and repository view privileges which control whether a user can view a repository. Behind the scenes, each privilege maps to a single REST operation and method (create, read, update, or delete).
To create a new privilege, click on the Add... button in the Privileges panel and choose Repository Target privilege. Creating a privilege will load the New Repository Target Privilege form shown in Figure 6.23, “Managing Security Privileges”. This form takes a privilege name, a privilege description, the repository to target, and a repository target.
Once you create a new privilege, it will create four underlying privileges: create, delete, read, and update. The four privileges created by the form in Figure 6.23, “Managing Security Privileges” are shown in Figure 6.24, “Create, Delete, Read, and Update Privileges Created”.
A target is a set of regular expressions to match on a path (exactly how the route rules work now). This allows you to define for example a target called Apache Maven which is "org/apache/maven/.*" You can then add a new privilege that relates to the target and controls the CRUD operations for artifacts matching that path (the privilege can span multiple repositories if you want). You could thus delegate all control of org.apache.maven targets to a "Maven" team. In this way, you don't need to create separate repositories for each logical division of your artifacts.
Nexus ships with four roles: Nexus Administrator Role, Nexus Anonymous Role, Nexus Developer Role, and Nexus Deployment Role. Click on the Roles link under Security in the Nexus menu to show the list of roles shown in Figure 6.27, “Managing Security Roles”.
To create a new role, click on the Add... button and fill out the New Nexus Role form shown in Figure 6.28, “Managing Security Roles”. When creating a new role, you will need to supply a role identifier, a role name, a description, and a session timeout. Roles are comprised of other roles and individual privileges. To assign a role or privilege to a role, click on the role or privilege under Available Roles/Privileges and drag it to the Selected Roles/Privileges list.
The built-in roles Nexus Administrator Role, Nexus Anonymous Role, Nexus Deployment Role, and Nexus Developer Role are managed by Nexus and cannot be edited or deleted. Selecting one of these built-in roles will load the form shown in Figure 6.29, “Managing Security Roles”.
A Nexus role is comprised of other Nexus roles and individual Nexus privileges. To view the component parts of a Nexus Role, select the role in the Roles panel and then choose the Role Tree tab as shown in Figure 6.30, “Managing Security Roles”.
With Repository Targets, you have fine-grained control over every action in the system. For example, you could make a target that includes everything except sources (.*(?!-sources)\.*) and assign that to one group while giving yet another group access to everything. This means you can host your public and private artifacts in a single repository without giving up control of your private artifacts.
Nexus ships with three users: admin, anonymous, and deployment. The admin user has all privileges, the anonymous user has read-only privileges, and the deployment user can both read and deploy to repositories. If you need to create users with a more focused set of permissions, you can click on Users under Security in the left-hand navigation menu. Once you see the list of users, you can click on a user to edit that specific user's user ID, name, email, or status. You can also assign or revoke specific roles or permissions for a particular user.
A user can be assigned one or more roles which in turn can include references to other Nexus roles or to individual Nexus privileges. To view a tree of assigned Nexus roles and privileges, select the Role Tree for a particular user as shown in Figure 6.32, “Nexus User Role Tree”.
If you need to find out exactly how a particular user has been granted a particular privilege, you can use the Privilege Trace pane as shown in Figure 6.33, “Nexus User Privilege Trace”. The Privilege Trace pane lists all of the privileges that have been granted to a particular user. Clicking on a privilege loads a tree of roles that grant that particular privilege to a user. If a user has been assigned a specific privilege by more than one Role or Privilege assignment, you will be able to see this reflected in the Role Containment list.
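As an added example that is not part of this book or of Nexus itself, the following Python models the concepts described above: targets as path regular expressions (the "org/apache/maven/.*" target and an all-but-sources target), the four create/delete/read/update privileges created per target, roles that contain other roles and privileges, and the Privilege Trace that shows every role chain through which a user holds a privilege. It assumes that a target pattern is matched against the whole artifact path within a repository, that "*" as a repository means every repository, and it writes the all-but-sources pattern as a leading negative lookahead; every user, role, privilege and path in it is constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Target:
    """A repository target: a named set of regexes matched against artifact paths."""
    name: str
    patterns: tuple  # regular expressions over the path inside a repository

    def matches(self, path: str) -> bool:
        # Assumption: a pattern must match the whole path, not just a prefix.
        return any(re.fullmatch(p, path) for p in self.patterns)


@dataclass(frozen=True)
class Privilege:
    name: str
    method: str       # one of create | delete | read | update
    repository: str   # repository id, or "*" for every repository (assumption)
    target: Target

    def allows(self, method: str, repository: str, path: str) -> bool:
        return (self.method == method
                and self.repository in ("*", repository)
                and self.target.matches(path))


def target_privileges(prefix: str, repository: str, target: Target) -> list:
    """Mirror the New Repository Target Privilege form: one privilege per CRUD method."""
    return [Privilege(f"{prefix}-{m}", m, repository, target)
            for m in ("create", "delete", "read", "update")]


@dataclass
class Role:
    id: str
    privileges: list = field(default_factory=list)
    roles: list = field(default_factory=list)   # roles may contain other roles


@dataclass
class User:
    id: str
    roles: list


def privilege_trace(user: User) -> dict:
    """Privilege name -> every chain of role ids granting it (the Privilege Trace view).
    A privilege reached by more than one chain is listed once per chain."""
    trace = {}

    def walk(role, chain):
        if role.id in chain:          # guard against a role-containment cycle
            return
        chain = chain + [role.id]
        for p in role.privileges:
            trace.setdefault(p.name, []).append(chain)
        for sub in role.roles:
            walk(sub, chain)

    for role in user.roles:
        walk(role, [])
    return trace


def effective_privileges(user: User) -> list:
    """Flatten the user's role tree into the distinct privileges it grants."""
    found, seen = {}, set()

    def walk(role):
        if role.id in seen:
            return
        seen.add(role.id)
        for p in role.privileges:
            found[p.name] = p
        for sub in role.roles:
            walk(sub)

    for role in user.roles:
        walk(role)
    return list(found.values())


def is_allowed(user: User, method: str, repository: str, path: str) -> bool:
    return any(p.allows(method, repository, path) for p in effective_privileges(user))


# --- constructed sample configuration (not a real Nexus instance) ---
ALL = Target("All", (r".*",))
ALL_BUT_SOURCES = Target("All but sources", (r"(?!.*-sources.*).*",))
APACHE_MAVEN = Target("Apache Maven", (r"org/apache/maven/.*",))

PUBLIC_READ = Privilege("public-read", "read", "*", ALL_BUT_SOURCES)
PUBLIC_READER = Role("public-reader", privileges=[PUBLIC_READ])
MAVEN_TEAM = Role("maven-team",
                  privileges=target_privileges("maven", "releases", APACHE_MAVEN),
                  roles=[PUBLIC_READER])                # a role containing a role

ALICE = User("alice", roles=[MAVEN_TEAM, PUBLIC_READER])   # public-read granted twice
ANONYMOUS = User("anonymous", roles=[PUBLIC_READER])

CORE_JAR = "org/apache/maven/maven-core/3.0/maven-core-3.0.jar"
CORE_SOURCES = "org/apache/maven/maven-core/3.0/maven-core-3.0-sources.jar"
PLEXUS_JAR = "org/codehaus/plexus/plexus-utils/1.5/plexus-utils-1.5.jar"

if __name__ == "__main__":
    print(is_allowed(ALICE, "create", "releases", CORE_JAR))        # True: maven-team target
    print(is_allowed(ALICE, "create", "releases", PLEXUS_JAR))      # False: outside the target
    print(is_allowed(ANONYMOUS, "read", "releases", CORE_SOURCES))  # False: sources excluded
    print(privilege_trace(ALICE)["public-read"])                    # both role chains
```

The trace output for alice shows the same privilege reached through two chains, which is what the Role Containment list in the Privilege Trace pane makes visible, and the sources check shows why the shape of a target regex matters: the exclusion only works when the negative lookahead is evaluated before the `.*` consumes the path.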