
I am using Nexus 3 as a docker repository and want to create a user that has only read-only access to a specific docker image (and its related tags).

For this I created a Content Selector with the following query (the name of the image is test for demonstration purposes): `format == "docker" and path =~ "^(/v2/|/v2/library/)?(test(/.*)?)?$"`.

Then I created a Privilege with the action read, bound that to a role and added it to the user.

All is well, when I use the limited user I can fetch the image and not push. However, I can still pull images I should not be able to pull.

Consider the following: I create an image called testaaa:1 on the docker registry. Afterwards I docker login to the registry using my user with read-only access. I am suddenly able to run `docker pull hub.my-registry.com/testaaa:1` even though according to the query I should not be able to.

I tested the query in a Java Regex Tester, the query would not select testaaa. Am I missing something? I am having a hard time finding clues on this topic.

EDIT: Some more testing reveals that my user is actually able to pull all images from this registry. The Content Selector query I used is exactly the one suggested by the Sonatype documentation ("Content Selectors and Docker - REST API vs Docker Client").

purzel
  • Just to remove a possible misunderstanding: `read` image in docker/nexus world = user can pull (and I don't really understand in which case you would like to let a user know an image exists but not let him use it anyway). For the rest of your question, did you enable anonymous access to your nexus instance? In this case, anyone can read anything. See https://help.sonatype.com/repomanager3/nexus-repository-administration/user-authentication/anonymous-access – Zeitounator May 05 '22 at 13:22
  • Read action allows a user to pull an image from the repository. To make sure I have not enabled anonymous access I looked into settings -> security -> Anonymous Access. The checkbox is unchecked – purzel May 05 '22 at 13:25
  • I usually limit users by namespaces, not by specific images (e.g. `path =^ "/v2/your_namespace/"`) so I don't have much experience with that. But the regex in the documentation looks awkward as every single element is optional (so I guess it can match anything...). I suggest you try with: `path =~ "^/v2/(library/)?/test(/.*)?$"` And I'm quite sure you can even drop the `library` part of the uri on a private repository if you only use recent docker clients. – Zeitounator May 05 '22 at 13:47

1 Answer

I have figured it out. The issue was not the Content Selector query, but a capability that I previously added. The capability granted any authenticated user the role nx-anonymous which lets anyone view any repository in Nexus. This meant that any authenticated user was allowed to read/pull any image from the repository.

This error was entirely on my part. In case anyone has similar issues go have a look in the Nexus Settings -> System -> Capabilities and check if there are any capabilities that give your users unwanted roles.

purzel
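To reproduce both findings offline, here is an added example (not code from the question, the answer or Sonatype): it evaluates the documented selector pattern against the paths a docker client requests during a pull, and models the effect of a user additionally holding nx-anonymous. Python's `re.fullmatch` is used because the pattern is anchored with `^` and `$`, so it selects the same paths as Nexus's Java regex engine; the role name `docker-test-reader`, the request paths and the simplified "nx-anonymous reads everything" rule are assumptions.

```python
import re

# Content selector from the question: format == "docker" and path =~ <pattern>.
SELECTOR_FORMAT = "docker"
SELECTOR_PATH = re.compile(r"^(/v2/|/v2/library/)?(test(/.*)?)?$")


def selector_matches(fmt: str, path: str) -> bool:
    """Emulate the content selector: format must be docker and the whole
    request path must match the anchored pattern."""
    return fmt == SELECTOR_FORMAT and SELECTOR_PATH.fullmatch(path) is not None


def effective_read(roles, fmt: str, path: str) -> bool:
    """Model of the privilege evaluation described in the answer.

    Assumption: nx-anonymous grants read on every repository, so a user who
    is given that role by a capability bypasses the selector entirely.
    'docker-test-reader' is a constructed name for the role that carries the
    read privilege bound to the content selector."""
    if "nx-anonymous" in roles:
        return True
    if "docker-test-reader" in roles:
        return selector_matches(fmt, path)
    return False


# Constructed sample requests, as a docker client would issue them on pull.
REQUESTS = [
    ("docker", "/v2/"),                                # API version check
    ("docker", "/v2/test/manifests/1"),                # the intended image
    ("docker", "/v2/library/test/blobs/sha256:abc"),   # library/ prefix form
    ("docker", "/v2/testaaa/manifests/1"),             # must be denied
    ("maven2", "/org/example/test/1/test-1.jar"),      # wrong format
]


def evaluate(roles):
    """Return {path: allowed} for every sample request under the given roles."""
    return {path: effective_read(roles, fmt, path) for fmt, path in REQUESTS}


if __name__ == "__main__":
    for roles in (["docker-test-reader"], ["docker-test-reader", "nx-anonymous"]):
        print(roles)
        for path, allowed in evaluate(roles).items():
            print(f"  {'ALLOW' if allowed else 'DENY '} {path}")
```

With only the selector role, testaaa is denied, which is what the question observed in the regex tester; adding nx-anonymous allows every path, which is what the capability in the answer did.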