Skip to content

Instantly share code, notes, and snippets.

@nblair

nblair/nexus-repo-manager-privilege-example.groovy

Last active November 13, 2023 17:54
Show Gist options
  • Save nblair/1a0e05713c3edb7e5360c2b0222c7623 to your computer and use it in GitHub Desktop.
Save nblair/1a0e05713c3edb7e5360c2b0222c7623 to your computer and use it in GitHub Desktop.
Download ZIP
A groovy script to create Content Selectors, privileges, and roles programmatically via the Nexus Repository Manager 3 Scripting API.
Raw
nexus-repo-manager-privilege-example.groovy
import org.sonatype.nexus.common.entity.*
import org.sonatype.nexus.security.*
import org.sonatype.nexus.security.authz.*
import org.sonatype.nexus.selector.*
import com.google.common.collect.ImmutableMap
// use container.lookup to fetch internal APIs we need to use
def selectorManager = container.lookup(SelectorManager.class.name)
def securitySystem = container.lookup(SecuritySystem.class.name)
def authorizationManager = securitySystem.getAuthorizationManager('default')
// create content selector (if not already present)
def selectorConfig = new SelectorConfiguration(
name: 'mycompany-custom-selector',
type: 'jexl',
description: 'selector for my custom package',
attributes: ['expression': 'coordinate.groupId =^ "com.mycompany"']
)
if (selectorManager.browse().find { it -> it.name == selectorConfig.name } == null) {
selectorManager.create(selectorConfig)
}
// create snapshot and release repositories
def snapshotName = "mycompany-maven-snapshots"
def releaseName = "mycompany-maven-releases"
repository.createMavenHosted(snapshotName, 'default', false,
org.sonatype.nexus.repository.maven.VersionPolicy.SNAPSHOT,
org.sonatype.nexus.repository.storage.WritePolicy.ALLOW)
repository.createMavenHosted(releaseName, 'default', false,
org.sonatype.nexus.repository.maven.VersionPolicy.RELEASE,
org.sonatype.nexus.repository.storage.WritePolicy.ALLOW_ONCE)
// create content selector privilege for release repo
def releaseProperties = ImmutableMap.builder()
.put("content-selector", selectorConfig.name)
.put("repository", releaseName)
.put("actions", "browse,read,edit")
.build()
def releasePrivilege = new org.sonatype.nexus.security.privilege.Privilege(
id: "mycompany-release-priv",
version: '',
name: "mycompany-release-priv",
description: "Content Selector Release privilege",
type: "repository-content-selector",
properties: releaseProperties
)
authorizationManager.addPrivilege(releasePrivilege)
// create content selector privilege for snapshot repo
def snapshotProperties = ImmutableMap.builder()
.put("content-selector", selectorConfig.name)
.put("repository", snapshotName)
.put("actions", "browse,read,edit")
.build()
def snapshotPrivilege = new org.sonatype.nexus.security.privilege.Privilege(
id: "mycompany-snapshot-priv",
version: '',
name: "mycompany-snapshot-priv",
description: "Content Selector Snapshot privilege",
type: "repository-content-selector",
properties: snapshotProperties
)
authorizationManager.addPrivilege(snapshotPrivilege)
// create a role with the snapshot and release privileges
def role = new org.sonatype.nexus.security.role.Role(
roleId: "mycompany-role",
source: "Nexus",
name: "mycompany-role",
description: "My Company Role",
readOnly: false,
privileges: [ snapshotPrivilege.id, releasePrivilege.id ],
roles: []
)
authorizationManager.addRole(role)
// add a local user account with the role
security.addUser("devuser",
"Delilah", "Developer",
"companydev@mycompany.com", true,
"devpassword", [ role.roleId ])
@talha0324
Copy link

For those who are using nexus version 3, you can use this updated scripte:

import groovy.json.JsonOutput;
import org.sonatype.nexus.common.entity.*;
import org.sonatype.nexus.security.*;
import org.sonatype.nexus.security.authz.*;
import org.sonatype.nexus.selector.*;

import com.google.common.collect.ImmutableMap;
def selectorManager = container.lookup(SelectorManager.class.name);
def securitySystem = container.lookup(SecuritySystem.class.name);
def authorizationManager = securitySystem.getAuthorizationManager('default');
def repoName = 'docker';

// A simple selector login to give access on docker repo on path /v2/
def selectorConfig = new OrientSelectorConfiguration(
    name: 'docker-selector-config',
    type: 'csel',
    description: 'Selector docker login',
    attributes: ['expression': 'path == \"/v2/\"']
);
// Create if does not exist
if (selectorManager.browse().find { it -> it.name == selectorConfig.name } == null) {
  selectorManager.create(selectorConfig);
};

// Repo properties to bind with the privilege. This will give read access only
def repoProperties = ImmutableMap.builder().put('contentSelector', selectorConfigLogin.name).put('repository', repoName).put('actions', 'read').build();

// Create a privilege with the defined properties
def repoPrivilege = new org.sonatype.nexus.security.privilege.Privilege(
    id: 'docker-login',
    version: 0,
    name: 'docker-login',
    description: 'Login privilege for docker repo',
    type: 'repository-content-selector',
    properties: repoProperties
);
authorizationManager.addPrivilege(repoPrivilege);

// Create Role with the privilege created above
def role = new org.sonatype.nexus.security.role.Role(
    roleId: 'docker-login-role',
    source: 'Nexus',
    name: 'docker-login-role',
    description: 'My Company Role',
    readOnly: false,
    privileges: [ repoPrivilege.id ],
    roles: []
);
authorizationManager.addRole(role);

// Finally add user
security.addUser('<username>', 'user', 'user', '<email>', true, '<password>', [ role.roleId ]);
JsonOutput.toJson([result : 'Successfully created all resources!']);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment