Last active
November 13, 2023 17:54
-
-
Save nblair/1a0e05713c3edb7e5360c2b0222c7623 to your computer and use it in GitHub Desktop.
A groovy script to create Content Selectors, privileges, and roles programmatically via the Nexus Repository Manager 3 Scripting API.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import org.sonatype.nexus.common.entity.* | |
| import org.sonatype.nexus.security.* | |
| import org.sonatype.nexus.security.authz.* | |
| import org.sonatype.nexus.selector.* | |
| import com.google.common.collect.ImmutableMap | |
| // use container.lookup to fetch internal APIs we need to use | |
| def selectorManager = container.lookup(SelectorManager.class.name) | |
| def securitySystem = container.lookup(SecuritySystem.class.name) | |
| def authorizationManager = securitySystem.getAuthorizationManager('default') | |
| // create content selector (if not already present) | |
| def selectorConfig = new SelectorConfiguration( | |
| name: 'mycompany-custom-selector', | |
| type: 'jexl', | |
| description: 'selector for my custom package', | |
| attributes: ['expression': 'coordinate.groupId =^ "com.mycompany"'] | |
| ) | |
| if (selectorManager.browse().find { it -> it.name == selectorConfig.name } == null) { | |
| selectorManager.create(selectorConfig) | |
| } | |
| // create snapshot and release repositories | |
| def snapshotName = "mycompany-maven-snapshots" | |
| def releaseName = "mycompany-maven-releases" | |
| repository.createMavenHosted(snapshotName, 'default', false, | |
| org.sonatype.nexus.repository.maven.VersionPolicy.SNAPSHOT, | |
| org.sonatype.nexus.repository.storage.WritePolicy.ALLOW) | |
| repository.createMavenHosted(releaseName, 'default', false, | |
| org.sonatype.nexus.repository.maven.VersionPolicy.RELEASE, | |
| org.sonatype.nexus.repository.storage.WritePolicy.ALLOW_ONCE) | |
| // create content selector privilege for release repo | |
| def releaseProperties = ImmutableMap.builder() | |
| .put("content-selector", selectorConfig.name) | |
| .put("repository", releaseName) | |
| .put("actions", "browse,read,edit") | |
| .build() | |
| def releasePrivilege = new org.sonatype.nexus.security.privilege.Privilege( | |
| id: "mycompany-release-priv", | |
| version: '', | |
| name: "mycompany-release-priv", | |
| description: "Content Selector Release privilege", | |
| type: "repository-content-selector", | |
| properties: releaseProperties | |
| ) | |
| authorizationManager.addPrivilege(releasePrivilege) | |
| // create content selector privilege for snapshot repo | |
| def snapshotProperties = ImmutableMap.builder() | |
| .put("content-selector", selectorConfig.name) | |
| .put("repository", snapshotName) | |
| .put("actions", "browse,read,edit") | |
| .build() | |
| def snapshotPrivilege = new org.sonatype.nexus.security.privilege.Privilege( | |
| id: "mycompany-snapshot-priv", | |
| version: '', | |
| name: "mycompany-snapshot-priv", | |
| description: "Content Selector Snapshot privilege", | |
| type: "repository-content-selector", | |
| properties: snapshotProperties | |
| ) | |
| authorizationManager.addPrivilege(snapshotPrivilege) | |
| // create a role with the snapshot and release privileges | |
| def role = new org.sonatype.nexus.security.role.Role( | |
| roleId: "mycompany-role", | |
| source: "Nexus", | |
| name: "mycompany-role", | |
| description: "My Company Role", | |
| readOnly: false, | |
| privileges: [ snapshotPrivilege.id, releasePrivilege.id ], | |
| roles: [] | |
| ) | |
| authorizationManager.addRole(role) | |
| // add a local user account with the role | |
| security.addUser("devuser", | |
| "Delilah", "Developer", | |
| "companydev@mycompany.com", true, | |
| "devpassword", [ role.roleId ]) |
cool! do you know how to assign a role to an already created user? in this case an ldap user
Thanks for this. It was a great head start.
Two changes:
-
JXEL was replaced with CSEL
def selectorConfig = new SelectorConfiguration(
name: 'mycompany-custom-selector',
type: 'csel',
description: 'selector for my custom package',
attributes: ['expression': 'coordinate.groupId =^ "com.mycompany"'] -
The key content-selector is now contentSelector
@mschaefers Probably way too late, but here is:
These scripts are part of an ansible role used to install and provision nexus3. The structure of the expected json parameters is documented in the README
For those who are using nexus version 3, you can use this updated scripte:
import groovy.json.JsonOutput;
import org.sonatype.nexus.common.entity.*;
import org.sonatype.nexus.security.*;
import org.sonatype.nexus.security.authz.*;
import org.sonatype.nexus.selector.*;
import com.google.common.collect.ImmutableMap;
def selectorManager = container.lookup(SelectorManager.class.name);
def securitySystem = container.lookup(SecuritySystem.class.name);
def authorizationManager = securitySystem.getAuthorizationManager('default');
def repoName = 'docker';
// A simple selector login to give access on docker repo on path /v2/
def selectorConfig = new OrientSelectorConfiguration(
name: 'docker-selector-config',
type: 'csel',
description: 'Selector docker login',
attributes: ['expression': 'path == \"/v2/\"']
);
// Create if does not exist
if (selectorManager.browse().find { it -> it.name == selectorConfig.name } == null) {
selectorManager.create(selectorConfig);
};
// Repo properties to bind with the privilege. This will give read access only
def repoProperties = ImmutableMap.builder().put('contentSelector', selectorConfigLogin.name).put('repository', repoName).put('actions', 'read').build();
// Create a privilege with the defined properties
def repoPrivilege = new org.sonatype.nexus.security.privilege.Privilege(
id: 'docker-login',
version: 0,
name: 'docker-login',
description: 'Login privilege for docker repo',
type: 'repository-content-selector',
properties: repoProperties
);
authorizationManager.addPrivilege(repoPrivilege);
// Create Role with the privilege created above
def role = new org.sonatype.nexus.security.role.Role(
roleId: 'docker-login-role',
source: 'Nexus',
name: 'docker-login-role',
description: 'My Company Role',
readOnly: false,
privileges: [ repoPrivilege.id ],
roles: []
);
authorizationManager.addRole(role);
// Finally add user
security.addUser('<username>', 'user', 'user', '<email>', true, '<password>', [ role.roleId ]);
JsonOutput.toJson([result : 'Successfully created all resources!']);
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cool script. Do you happen to have some example about provisioning LDAP authentication via groovy? Thx, Michael