Resources Blog 1.0 Beta-5 Adds Role Based Security to the Nexus Maven ...

1.0 Beta-5 Adds Role Based Security to the Nexus Maven Repository Manager

We are pleased to announce the Beta-5 release of our Nexus Maven Repository Manager. This release brings the much awaited role based security to the popular tool.

The theory behind the security implementation is simple:

A user has one or more roles.

A role has one or more privilege and/or one or more

A privilege is related to a single REST operation and
method like create, update, delete, read. (http post,put,delete,read

In addition to this, we have introduced a new concept called
Repository Targets. A target is a set of regular expressions to match on a
path (exactly how the route rules work now). This allows you to define for
example a target called Apache Maven which is "org/apache/maven/.*"
You can then add a new privilege that relates to the target and controls the
CRUD operations for artifacts matching that path (the privilege can span
multiple repos if you want). You could thus delegate all control of org.apache.maven targets to a "Maven" team. In this way, you don't need to create separate repos for each logical division of your artifacts.

The system ships by default with permissions
created for

.* in all repos.

With the Repository Targets, you have fine grained control over every
action in the system. For example you could make a target that includes
everything except sources (.*(?!-sources)\.*) and assign that to one group while giving yet another group access to
everything. This means you can host your public and private artifacts in a single repository without giving up control of your private artifacts.

The security implementation is built on top of the Jsecurity framework, which means alternate realms can be swapped in to allow integration with ldap and other Enterprise security implementations. The Jsecurity team was extremely helpful and responsive to any issues during the integration, which was possible in a surprisingly short period of time (~1week). I highly recommend this framework for anyone needing quick role based security. (FWIW, Jsecurity is entering the Apache Incubator)

In addition to the security implementation, we reworked the ability to host Nexus behind Apache Httpd via Mod_Proxy. We still recommend using Nexus directly to leverage the native performance of Jetty, but realize that httpd is a fact of life in many organizations and strive to make it as painless as possible. You can read details about how to set that up here.

Beta-5 is our last planned stop along the march to 1.0. The 1.0 release will be comprised of various bug fixes and minor tweaks, including easing the upgrade process.

Take a look at the documentation and then grab your copy of Nexus today.

Picture of Brian Fox

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.