When we first set out to design the external security realm (LDAP, Crowd, etc.) support in Nexus Core, we had one primary concern: making it easy to integrate with systems that have huge numbers of users. Nexus was designed as a tool to support the largest open source communities, with thousands of developers and hundreds of projects, and like most large enterprises, these communities have settled on solutions like LDAP, Active Directory, and Crowd as a way to manage user credentials and permissions. A secondary concern was to support any level of integration with these external security realms, specifically:
- delegating only authentication to an external server
- delegating both authentication and authorization to an external server
- delegating everything but authentication promotion permissions to an external server
These interactions were gleaned from years of experience working with customers at all levels. Some have completely centralized control over passwords and roles. Others have a global repository, but the roles in it don't match reality or are too hard to get updated. We wanted to create a system that would both integrate with centralized authentication servers and allow for a sensible way to override role assignments directly in Nexus.
In addition to managing and maintaining the Maven Central repository, I also serve as the administrator for two very large forge repositories: repository.apache.org and nexus.codehaus.org. This post is going to dive into the details of the best practices that I’ve developed to maintain these very large instances. I will focus on the configuration of Nexus in this post, but if you’re interested in system level details, those are documented here.
Both of these repositories have a few things in common that have driven the design:
- there are many disparate projects deploying artifacts that require fine grained access control per project
- release repositories are synced to central
- they are the most commonly used snapshot repositories in the Maven ecosystem
- the majority of users are anonymously reading the snapshots
- they are transitional repositories that replace older static repositories
They also have a few things that are very different:
- Apache is a Solaris Zone
- Codehaus is an Ubuntu JeOS VM
- Apache is using httpd for reverse-proxying and SSL
- Codehaus is using Nginx for reverse-proxying and SSL
This post contains two sections: the first covers some system-wide Nexus configuration, and the second contains details about adding individual projects, along with security and staging configuration. If you are setting up a public Maven repository, this post might give you some ideas about the configuration and administration issues you'll need to think about.
In “A Tale of Two Repository Managers” John Smart compares Nexus to Artifactory, and covers some of the better-known features like Staging and Security. I wanted to emphasize a few of the other features that are often overlooked.
Most of our users download the tool, install it, and use the most straightforward features: simple proxy repositories, hosted repositories, and repository groups. We've gone out of our way to make Nexus intuitive, but I often wonder if enough people know about some of the features offered as part of the base project. Here are some of the features I would have highlighted in any comparison.
In parts one and two of this series, I addressed several concerns raised on the JBoss wiki. In this post, I address several more topics.
In part one of this series, I addressed several concerns raised on the JBoss wiki. In this post, I specifically focus on the issues raised with the release plugin.
The wiki states: