
Use case: allow selected Docker images (e.g. tagged as *-public) to be pulled anonymously. Otherwise credentials are required.

Given: the latest Nexus, 3.52.0; it works with docker login and LDAP credentials without issues.

Tried:

  • Selector + Privilege + Role (all named docker-images-public), granted to the user "anonymous"; "Anonymous Access" enabled with the same user and the Local Authorizing Realm.
  • Result: Error response from daemon: Get https://HOST/v2/infrastructure/IMAGE/manifests/VERSION-public: no basic auth credentials
  • Expected: ability to docker pull images that match the content selector (e.g. ".*-public")

Additionally tried:

  1. enabling the TRACE log level

    Result: a lot of output, but no specific reason for the denial (at least I didn't see one). One of the lines: DEBUG [qtp194038341-106] *UNKNOWN org.sonatype.nexus.repository.view.Router - Response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}

  2. without Nginx in front (e.g. docker pull HOST:5000/IMAGE:VERSION-public, via HTTP)

    Result: same. Reason for trying this: I had seen StackOverflow answers mentioning Auth header modification and wanted to exclude Nginx from the equation completely.

  3. simplifying the selector

    The selector is format == "docker" && ( path == "/v2/" || path =~ ".*public" || path == "/v2/.*"). It was modified in a few attempts, including the advice from https://stackoverflow.com/questions/43354352/nexus-docker-and-restricting-access-via-content-selector (most probably not). However, the error is not about the selector, as it stays the same even with format == "docker" && path =~ ".*"

  4. Giving the anonymous user the nx-admin role

    Result: same error, so the reason is not the anonymous user's permissions

  5. Activating Docker Bearer Token Realm, as per https://help.sonatype.com/repomanager3/nexus-repository-administration/formats/docker-registry/docker-authentication

    Result: same error

  6. Enabling Anonymous access on Repository level (checkbox "Allow anonymous docker pull ( Docker Bearer Token Realm required )")

    Result: the whole repository can be accessed anonymously. Will NOT do.

The only other alternative I see here is to create a separate docker repository on a different port ONLY for public anonymous access.

1 Answer


The missing part was removing the default nx-anonymous role from the anonymous user, which allowed it to pull the whole repository.

The full configuration:

  1. Create Selector format == "docker" && path =~ ".*-public" + Privilege + Role (all named docker-images-public)
  2. #admin/security/realms - activate Docker Bearer Token Realm
  3. #admin/repository/repositories:docker-repository, enable the checkbox Allow anonymous docker pull ( Docker Bearer Token Realm required ) for the docker repository
  4. #admin/security/users:anonymous
  • remove the nx-anonymous role from the user anonymous, which granted access to pull all images
  • grant the new docker-images-public role
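The same four steps, scripted against the Nexus 3 REST API instead of clicked through the UI, as an added example that is not part of the answer above. Assumptions, not facts from this page: the endpoint paths under /service/rest/v1, the realm id "DockerToken" for the Docker Bearer Token Realm and the docker.forceBasicAuth repository field (the API counterpart of the "Allow anonymous docker pull" checkbox) are as documented for Nexus 3; the repository is a hosted docker repository whose GET body can be PUT back unchanged; HOST, the admin account and the repository name are placeholders. The `send` callable is injected so the logic can be exercised against a fake without a live Nexus.

```python
"""Added example, not code from the question or the answer: apply the
answer's four configuration steps through the Nexus 3 REST API.

Assumptions: endpoint paths under /service/rest/v1, the realm id
"DockerToken" and the docker.forceBasicAuth field are as documented for
Nexus 3; the host, admin credentials and repository name are placeholders.
"""
import base64
import json
import urllib.error
import urllib.request

API = "/service/rest/v1"
NAME = "docker-images-public"               # selector, privilege and role share this name
SELECTOR_EXPR = 'format == "docker" && path =~ ".*-public"'
ANON_USER = "anonymous"
DEFAULT_ANON_ROLE = "nx-anonymous"          # grants read on every repository; must go
DOCKER_TOKEN_REALM = "DockerToken"          # realm id of "Docker Bearer Token Realm" (assumed)


def make_http_sender(base_url, user, password):
    """Build `send(method, path, body=None) -> (status, parsed_json)` for a live Nexus."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url + API + path, data=data, method=method,
            headers={"Authorization": "Basic " + token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None
    return send


def _check(status, what, accept=(200, 201, 204)):
    if status not in accept:
        raise RuntimeError(f"{what} failed with HTTP {status}")


def configure_public_pull(send, repo):
    """Apply steps 1-4 of the answer; returns the anonymous user's final role list."""
    # Step 1: content selector, a READ privilege bound to it, and a role that
    # carries the privilege. HTTP 400 ("already exists") is accepted so the
    # script can be re-run.
    for path, body in (
        ("/security/content-selectors",
         {"name": NAME, "description": "images tagged *-public", "expression": SELECTOR_EXPR}),
        ("/security/privileges/repository-content-selector",
         {"name": NAME, "description": "read *-public images", "actions": ["READ"],
          "format": "docker", "repository": repo, "contentSelector": NAME}),
        ("/security/roles",
         {"id": NAME, "name": NAME, "description": "anonymous pull of *-public images",
          "privileges": [NAME], "roles": []}),
    ):
        status, _ = send("POST", path, body)
        _check(status, f"POST {path}", accept=(200, 201, 204, 400))

    # Step 2: activate the Docker Bearer Token Realm without dropping the
    # realms that are already active (LDAP, local authenticating/authorizing).
    status, realms = send("GET", "/security/realms/active")
    _check(status, "GET active realms")
    if DOCKER_TOKEN_REALM not in realms:
        status, _ = send("PUT", "/security/realms/active", realms + [DOCKER_TOKEN_REALM])
        _check(status, "PUT active realms")

    # Step 3: "Allow anonymous docker pull" is docker.forceBasicAuth == false.
    # Round-tripping the whole GET body through PUT is assumed to be accepted
    # for a hosted docker repository.
    status, cfg = send("GET", f"/repositories/docker/hosted/{repo}")
    _check(status, f"GET repository {repo}")
    cfg["docker"]["forceBasicAuth"] = False
    status, _ = send("PUT", f"/repositories/docker/hosted/{repo}", cfg)
    _check(status, f"PUT repository {repo}")

    # Step 4: the step the question was missing. Replace nx-anonymous, which
    # lets the anonymous user read the whole repository, with the new role.
    status, users = send("GET", f"/security/users?userId={ANON_USER}")
    _check(status, "GET anonymous user")
    user = next(u for u in users if u["userId"] == ANON_USER)
    user["roles"] = [r for r in user["roles"] if r != DEFAULT_ANON_ROLE] + [NAME]
    status, _ = send("PUT", f"/security/users/{ANON_USER}", user)
    _check(status, "PUT anonymous user")
    return user["roles"]


if __name__ == "__main__":
    # Placeholders: replace with the real Nexus URL, an admin account and repository.
    sender = make_http_sender("https://HOST", "admin", "CHANGEME")
    print(configure_public_pull(sender, "docker-repository"))
```

After running it, the check that matters is the returned role list: it must contain docker-images-public and not nx-anonymous, otherwise the anonymous user still reads everything, which is the failure mode the question hit in step 6.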