Replies: 3 comments 2 replies
-
Hi, Maven packages inherit permissions from the repo that they're associated with. If an actor A has access to repositories X and Y, A also has access to the packages of X and Y. |
Beta Was this translation helpful? Give feedback.
-
Hi, that's OK
but why can I access the packages of repo Y through the URL of repo X?
For me that makes no sense - because at the end this behaves like all packages are visible and accessible from the root or organization level.
Proxying just one package with Nexus is not possible this way - because the technical user/token has access /read permissions to all repositories of course. Thus he sees all packages even if only one is being proxied.
Any Idea how to solve this? Creating new (technical) users with a new token that will be assigned each to only one repository doesnt sound like a scaling solution for me.
For my understanding it would be much clearer if User A can access only the packages-X of repo-X through URL to repo-X - but not through URL of repo-Y or any other repository he has access to.
Thx torsten
Von: Tina Heidinger ***@***.***>Gesendet: Donnerstag, Juni 6, 2024 11:16:21 AMAn: community/community ***@***.***>Cc: Torsten Reinhard ***@***.***>; Author ***@***.***>Betreff: Re: [community/community] Github Maven packages of private repositories are accessible through other repositories (Discussion #127423)
Hi, Maven packages inherit permissions from the repo that they're associated with. If an actor A has access to repositories X and Y, A also has access to the packages of X and Y.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
🕒 Discussion Activity Reminder 🕒 This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions: 1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as 2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own. 3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution. Note: This dormant notification will only apply to Discussions with the Thank you for helping bring this Discussion to a resolution! 💬 |
Beta Was this translation helpful? Give feedback.
-
Select Topic Area
Question
Body
Hi,
we have some Github (private) repositories, lets say
/path/to/github/myOrg/repo-A
/path/to/github/myOrg/repo-B
In the build of repo-A some packages were uploaded to this repository.
I´m now able to access /download these packages through
curl --user "myUser:${MY_TOKEN}" -OLv https://path/to/github/myOrg/repo-B/com/mycompany/mygroup/my-artifact-from-repo-A/4711/my-artifact-from-repo-A-4711-SNAPSHOT-main.pom
Why can I access packages from a private Repo A using the URL of repo B ?
Is there a way to "protect" these packages, so they are really only visible / accessible from their owning repo?
Background of this:
I have a Maven proxy configuration in Nexus to one Github package -but now all packages from my whole org are visible in Nexus - although I configured the proxy URL to https://path/to/github/myOrg/repo-A only.
From the documentation I would expect that packages inherit the visibility from their repo - so they should be "private" in my case.
Thanx for any advice on how to solve this.
Torsten
Beta Was this translation helpful? Give feedback.
All reactions