Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A groovy script to create Content Selectors, privileges, and roles programmatically via the Nexus Repository Manager 3 Scripting API.
import org.sonatype.nexus.common.entity.*
import org.sonatype.nexus.security.*
import org.sonatype.nexus.security.authz.*
import org.sonatype.nexus.selector.*
import com.google.common.collect.ImmutableMap
// use container.lookup to fetch internal APIs we need to use
def selectorManager = container.lookup(SelectorManager.class.name)
def securitySystem = container.lookup(SecuritySystem.class.name)
def authorizationManager = securitySystem.getAuthorizationManager('default')
// create content selector (if not already present)
def selectorConfig = new SelectorConfiguration(
name: 'mycompany-custom-selector',
type: 'jexl',
description: 'selector for my custom package',
attributes: ['expression': 'coordinate.groupId =^ "com.mycompany"']
)
if (selectorManager.browse().find { it -> it.name == selectorConfig.name } == null) {
selectorManager.create(selectorConfig)
}
// create snapshot and release repositories
def snapshotName = "mycompany-maven-snapshots"
def releaseName = "mycompany-maven-releases"
repository.createMavenHosted(snapshotName, 'default', false,
org.sonatype.nexus.repository.maven.VersionPolicy.SNAPSHOT,
org.sonatype.nexus.repository.storage.WritePolicy.ALLOW)
repository.createMavenHosted(releaseName, 'default', false,
org.sonatype.nexus.repository.maven.VersionPolicy.RELEASE,
org.sonatype.nexus.repository.storage.WritePolicy.ALLOW_ONCE)
// create content selector privilege for release repo
def releaseProperties = ImmutableMap.builder()
.put("content-selector", selectorConfig.name)
.put("repository", releaseName)
.put("actions", "browse,read,edit")
.build()
def releasePrivilege = new org.sonatype.nexus.security.privilege.Privilege(
id: "mycompany-release-priv",
version: '',
name: "mycompany-release-priv",
description: "Content Selector Release privilege",
type: "repository-content-selector",
properties: releaseProperties
)
authorizationManager.addPrivilege(releasePrivilege)
// create content selector privilege for snapshot repo
def snapshotProperties = ImmutableMap.builder()
.put("content-selector", selectorConfig.name)
.put("repository", snapshotName)
.put("actions", "browse,read,edit")
.build()
def snapshotPrivilege = new org.sonatype.nexus.security.privilege.Privilege(
id: "mycompany-snapshot-priv",
version: '',
name: "mycompany-snapshot-priv",
description: "Content Selector Snapshot privilege",
type: "repository-content-selector",
properties: snapshotProperties
)
authorizationManager.addPrivilege(snapshotPrivilege)
// create a role with the snapshot and release privileges
def role = new org.sonatype.nexus.security.role.Role(
roleId: "mycompany-role",
source: "Nexus",
name: "mycompany-role",
description: "My Company Role",
readOnly: false,
privileges: [ snapshotPrivilege.id, releasePrivilege.id ],
roles: []
)
authorizationManager.addRole(role)
// add a local user account with the role
security.addUser("devuser",
"Delilah", "Developer",
"companydev@mycompany.com", true,
"devpassword", [ role.roleId ])
@mschaefers
Copy link

mschaefers commented Nov 13, 2017

Cool script. Do you happen to have some example about provisioning LDAP authentication via groovy? Thx, Michael

@jscatala
Copy link

jscatala commented Jan 14, 2018

cool! do you know how to assign a role to an already created user? in this case an ldap user

@boyarsky
Copy link

boyarsky commented Sep 9, 2018

Thanks for this. It was a great head start.

Two changes:

  1. JXEL was replaced with CSEL
    def selectorConfig = new SelectorConfiguration(
    name: 'mycompany-custom-selector',
    type: 'csel',
    description: 'selector for my custom package',
    attributes: ['expression': 'coordinate.groupId =^ "com.mycompany"']

  2. The key content-selector is now contentSelector

@zeitounator
Copy link

zeitounator commented Mar 17, 2019

@mschaefers Probably way too late, but here is:

  1. a script to provision ldap
  2. a script to provision roles to existing ldap users

These scripts are part of an ansible role used to install and provision nexus3. The structure of the expected json parameters is documented in the README

@talha0324
Copy link

talha0324 commented Apr 27, 2021

For those who are using nexus version 3, you can use this updated scripte:

import groovy.json.JsonOutput;
import org.sonatype.nexus.common.entity.*;
import org.sonatype.nexus.security.*;
import org.sonatype.nexus.security.authz.*;
import org.sonatype.nexus.selector.*;

import com.google.common.collect.ImmutableMap;
def selectorManager = container.lookup(SelectorManager.class.name);
def securitySystem = container.lookup(SecuritySystem.class.name);
def authorizationManager = securitySystem.getAuthorizationManager('default');
def repoName = 'docker';

// A simple selector login to give access on docker repo on path /v2/
def selectorConfig = new OrientSelectorConfiguration(
    name: 'docker-selector-config',
    type: 'csel',
    description: 'Selector docker login',
    attributes: ['expression': 'path == \"/v2/\"']
);
// Create if does not exist
if (selectorManager.browse().find { it -> it.name == selectorConfig.name } == null) {
  selectorManager.create(selectorConfig);
};

// Repo properties to bind with the privilege. This will give read access only
def repoProperties = ImmutableMap.builder().put('contentSelector', selectorConfigLogin.name).put('repository', repoName).put('actions', 'read').build();

// Create a privilege with the defined properties
def repoPrivilege = new org.sonatype.nexus.security.privilege.Privilege(
    id: 'docker-login',
    version: 0,
    name: 'docker-login',
    description: 'Login privilege for docker repo',
    type: 'repository-content-selector',
    properties: repoProperties
);
authorizationManager.addPrivilege(repoPrivilege);

// Create Role with the privilege created above
def role = new org.sonatype.nexus.security.role.Role(
    roleId: 'docker-login-role',
    source: 'Nexus',
    name: 'docker-login-role',
    description: 'My Company Role',
    readOnly: false,
    privileges: [ repoPrivilege.id ],
    roles: []
);
authorizationManager.addRole(role);

// Finally add user
security.addUser('<username>', 'user', 'user', '<email>', true, '<password>', [ role.roleId ]);
JsonOutput.toJson([result : 'Successfully created all resources!']);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment