News and Notes from the Makers of Nexus | Sonatype Blog

1.0 Beta-5 Adds Role Based Security to the Nexus Maven Repository Manager

Written by Brian Fox | August 12, 2008

We are pleased to announce the Beta-5 release of our Nexus Maven Repository Manager. This release brings the much-awaited role-based security to the popular tool.

The theory behind the security implementation is simple:

A user has one or more roles.

A role has one or more privileges and/or one or more roles.

A privilege is related to a single REST operation and method such as create, update, delete, or read (HTTP POST, PUT, DELETE, and GET respectively).

In addition to this, we have introduced a new concept called Repository Targets. A target is a set of regular expressions to match on a path (exactly how the route rules work now). This allows you to define, for example, a target called Apache Maven which is "org/apache/maven/.*". You can then add a new privilege that relates to the target and controls the CRUD operations for artifacts matching that path (the privilege can span multiple repos if you want). You could thus delegate all control of org.apache.maven targets to a "Maven" team. In this way, you don't need to create separate repos for each logical division of your artifacts.

The system ships by default with permissions created for .* in all repos.

With the Repository Targets, you have fine-grained control over every action in the system. For example, you could make a target that includes everything except sources (.*(?!-sources)\.*) and assign that to one group while giving yet another group access to everything. This means you can host your public and private artifacts in a single repository without giving up control of your private artifacts.
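Because target patterns decide who can reach private artifacts, it pays to test them against sample paths before assigning them. The sketch below is an added example, not Nexus code: it models the user, role, privilege, and target chain described above and shows that the exclusion pattern quoted above, as written, still matches -sources artifacts, while a pattern with the lookahead placed first does not. The role, user, and target names, the sample paths, the corrected pattern, and the assumption that a pattern must match the whole path are all illustrative.

```python
import re
# Constructed sample data: target, role and user names are hypothetical.
TARGETS = {
    "all": [r".*"],                                   # default target from the post
    "apache-maven": [r"org/apache/maven/.*"],         # example target from the post
    "no-sources-as-written": [r".*(?!-sources)\.*"],  # pattern quoted in the post
    "no-sources-strict": [r"(?!.*-sources\.).*"],     # assumed fix: lookahead first
}
PRIVILEGES = {  # a privilege ties one operation to one target
    "maven-create": ("create", "apache-maven"),
    "maven-read": ("read", "apache-maven"),
    "binaries-read": ("read", "no-sources-strict"),
    "loose-read": ("read", "no-sources-as-written"),
    "all-read": ("read", "all"),
}
# A role holds privileges and/or other roles.
ROLES = {
    "maven-team": {"privileges": ["maven-create", "maven-read"], "roles": []},
    "partner": {"privileges": ["binaries-read"], "roles": []},
    "partner-loose": {"privileges": ["loose-read"], "roles": []},
    "staff": {"privileges": ["all-read"], "roles": ["maven-team"]},
}
USERS = {"alice": ["staff"], "bob": ["partner"], "carol": ["partner-loose"]}
SRC = "com/acme/app/1.0/app-1.0-sources.jar"  # constructed sample paths
JAR = "com/acme/app/1.0/app-1.0.jar"

def target_matches(target, path):
    # Assumption: a pattern must match the whole path (full match).
    return any(re.fullmatch(p, path) for p in TARGETS[target])

def privileges_of(role, seen=None):
    # Expand nested roles; 'seen' guards against role cycles.
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    privs = set(ROLES[role]["privileges"])
    for child in ROLES[role]["roles"]:
        privs |= privileges_of(child, seen)
    return privs

def is_allowed(user, operation, path):
    # Deny by default: some privilege must name this operation and match the path.
    for role in USERS.get(user, []):
        for priv in privileges_of(role):
            op, target = PRIVILEGES[priv]
            if op == operation and target_matches(target, path):
                return True
    return False
```

In the as-written pattern the greedy `.*` consumes the whole path before the lookahead is evaluated, so the lookahead only ever inspects the empty end of the string and the target fails open.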

The security implementation is built on top of the Jsecurity framework, which means alternate realms can be swapped in to allow integration with LDAP and other enterprise security implementations. The Jsecurity team was extremely helpful and responsive to any issues during the integration, which was possible in a surprisingly short period of time (~1 week). I highly recommend this framework for anyone needing quick role-based security. (FWIW, Jsecurity is entering the Apache Incubator.)

In addition to the security implementation, we reworked the ability to host Nexus behind Apache httpd via mod_proxy. We still recommend using Nexus directly to leverage the native performance of Jetty, but we realize that httpd is a fact of life in many organizations and strive to make it as painless as possible. You can read details about how to set that up here.

Beta-5 is our last planned stop along the march to 1.0. The 1.0 release will be comprised of various bug fixes and minor tweaks, including easing the upgrade process.

Take a look at the documentation and then grab your copy of Nexus today.