I am willing to create a private Maven repository, where the access rules are not based on groups/patterns, but on completely custom rules. I've checked both Nexus and JFrog; both of them keep the simple user/group/pattern approach. And (AFAICS), although they provide custom ways to authenticate, they don't provide a way for custom access rules.

For this reason I have started thinking the opposite: what if I can create a simple repository with my custom rules. But when I searched in the Apache documentation, there was no clear explanation how authentication is performed on the back side.

Does anyone know how this is done, and maybe point me to the correct documentation?

Panayotis
  • You can of course make access rules to particular areas of a repository if you need, but usually this is not necessary. If you really need limited access, make a separate repository in Nexus for example... BTW: What exactly do you understand under `custom access rules...`? – khmarbaise Sep 03 '17 at 13:34
  • That's the problem, the distribution of artifacts is so complicated that creating a custom rule or even worse a custom repository is impossible. Practically every user should have its own repositories which might change at any time. – Panayotis Sep 03 '17 at 13:36
  • A repository for each user does not make sense, because the artifacts are separated by their coordinates. What exactly is the problem here with using the coordinates to separate the artifacts? Why do you need such a thing on a per-user basis? What is so complicated about distributing artifacts? To where? Maven Central to your own local repository? – khmarbaise Sep 03 '17 at 13:42
  • To a private repository where each user can see an arbitrary number of artifacts, not all of them, not organized, not in a tree of some sort. – Panayotis Sep 03 '17 at 13:45

2 Answers

Authentication is done by HTTP Basic Authentication, which basically concatenates the username and password and base64-encodes that. So Maven and Apache do understand each other.

But out of the box the Apache authorization is based on, you guessed it, directories (which represent Maven's artifact groups), usernames and groups. So unless you are willing to write a custom Apache model you won't gain a lot. Probably IP-based access control can be done better with Apache alone than with Nexus/JFrog, but I haven't looked at the authentication settings for ages.

fhossfel
  • I was talking about authorization server side. What do you mean with apache model? (and yes, I am willing to write some code of course) – Panayotis Sep 03 '17 at 10:07
  • I thought you wanted to upload your repository to an Apache server and then serve it as static content. That would definitely work but the authentication will be less flexible than Nexus/JFrog. – fhossfel Sep 03 '17 at 10:10
  • Apache web server you mean? Probably yes, this is where it would end up with some custom PHP scripts. Right now JFrog/Nexus are not a real solution to the problem. When you say that they support more authentication mechanisms, I am more worried what the Maven "client" itself provides to the server. Is it really only basic HTTP/HTTPS authentication and nothing more? – Panayotis Sep 03 '17 at 10:37
  • Yes. I don't know if you can use NTLM etc. if Java and the web server both support it but Maven is definitely based on HTTP Basic auth. – fhossfel Sep 03 '17 at 12:10

In Artifactory what you can do, in order to achieve what you mentioned, is to create a permission target per user. Meaning that all of your Maven users will deploy to the same repository BUT each to a different namespace. For example, 'com/{company}/{project}/' (please replace the company and project with real values).

This is done on the permission target using the 'Include Pattern' so let's say that my company name is JFrog, and I'm working on a project named 'artifactory' I will have a permission target with the following include pattern '/com/jfrog/artifactory/**/*'.

You can also create those permission targets using a script that will automate it for you using this REST API.

That means that I will only be able to reach this namespace. Does that help?

Ariel
  • I am more trying to find out how it really works, i.e. what maven really does - not how this is handled by a higher level abstraction of ready tools. – Panayotis Sep 16 '17 at 22:53
  • Maven, by default, will try to resolve the artifacts anonymously, unless specified otherwise. Now in case the repository that it reaches requires authentication, it will receive a challenge and will respond by providing the username and password from the 'settings.xml' file. You can also have Maven authenticate preemptively by configuring it, making it provide the details from the first request. – Ariel Sep 17 '17 at 05:52
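
An added sketch, not part of the thread and not code from Maven, Nexus or Artifactory, of the server side the two answers describe: an anonymous request gets a Basic challenge, the retried request carries `Authorization: Basic`, and a custom rule then decides per user and per artifact coordinate. The `USERS` and `GRANTS` tables, the realm name and the function names are assumptions made up for the illustration; only version-level paths of the standard repository layout are handled, and everything else is denied.

```python
import base64
import binascii
import hmac

# Constructed sample data (assumptions): a real store would hold salted hashes.
USERS = {"alice": "s3cret:with:colons", "bob": "hunter2"}
# Custom rule: each user sees an arbitrary set of groupId:artifactId pairs.
GRANTS = {"alice": {"com.example:lib-a", "org.demo:tool"}, "bob": {"com.example:lib-b"}}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="private-maven"'}


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def coordinates(path):
    """Map /group/parts/artifactId/version/file to 'groupId:artifactId'."""
    parts = path.strip("/").split("/")
    if len(parts) < 4 or any(p in ("", ".", "..") for p in parts):
        return None  # not a version-level artifact path: fail closed
    return ".".join(parts[:-3]) + ":" + parts[-3]


def decide(path, auth_header):
    """Return (status, headers) for a GET of `path`."""
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, CHALLENGE  # anonymous or malformed: send the challenge
    user, password = creds
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(password.encode(), expected.encode())
    if user not in USERS or not ok:
        return 401, CHALLENGE
    if coordinates(path) not in GRANTS.get(user, set()):
        return 403, {}  # authenticated, but this artifact is not granted
    return 200, {}
```

Because Basic credentials are only base64-encoded, a handler like this belongs behind HTTPS.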