This plugin adds a Crowd realm to Sonatype Nexus OSS and enables you to authenticate with Crowd users and authorize with Crowd roles.
It works with Nexus 3.x and Crowd 2.x and 3.x.
When Nexus gets downloaded and unzipped, there are typically two directories created:
- nexus-3.13.0-01
- sonatype-work/nexus3
To avoid confusion, the conventions of the Sonatype reference will be used in the following descriptions:
- nexus-3.13.0-01 will be referred to as $install-dir
- sonatype-work/nexus3 will be referred to as $data-dir
See https://books.sonatype.com/nexus-book/reference3/install.html#directories for reference.
FROM sonatype/nexus3
USER root
# Install curl
RUN yum install -y curl
# Download crowd plugin
RUN curl -L https://github.com/pingunaut/nexus3-crowd-plugin/releases/download/nexus3-crowd-plugin-3.5.0/nexus3-crowd-plugin-3.5.0.jar --output /opt/sonatype/nexus/system/nexus3-crowd-plugin.jar
# Install plugin
RUN echo "reference\:file\:nexus3-crowd-plugin.jar = 200" >> /opt/sonatype/nexus/etc/karaf/startup.properties
# Add Crowd Config
RUN touch /opt/sonatype/nexus/etc/crowd.properties
RUN echo "crowd.server.url=jira.example.com" >> /opt/sonatype/nexus/etc/crowd.properties
RUN echo "application.name=nexus" >> /opt/sonatype/nexus/etc/crowd.properties
RUN echo "application.password=nexus" >> /opt/sonatype/nexus/etc/crowd.properties
RUN echo "cache.authentication=false" >> /opt/sonatype/nexus/etc/crowd.properties
# setup permissions
RUN chown nexus:nexus -R /opt/sonatype/nexus
USER nexus
docker build -t test .
docker run --rm -ti test
- JDK 8 is installed
- Sonatype Nexus OSS 3.x is installed
Releases can be found here: https://github.com/pingunaut/nexus3-crowd-plugin/releases
cd $install-dir/system/
wget https://github.com/pingunaut/nexus3-crowd-plugin/releases/download/nexus3-crowd-plugin-3.5.0/nexus3-crowd-plugin-3.5.0.jar
Append the following line to the startup.properties file found in $install-dir/etc/karaf:
reference\:file\:nexus3-crowd-plugin-3.5.0.jar = 200
Create a crowd.properties file in $install-dir/etc.
The file has to contain the following properties:
crowd.server.url=http://localhost:8095/crowd (replace with your Crowd URL)
application.name=nexus (replace with your Nexus application name configured in Crowd)
application.password=nexus (replace with your Nexus application password configured in Crowd)
cache.authentication=false (should authentication be cached? default is false)
After installation you have to activate the plugin in the administration frontend. You have to log in with an administrative Nexus account to do so. The default admin credentials are:
- username: admin
- password: admin123 (don't forget to change it!)
After login you can navigate to the realm administration. Activate the plugin by dragging it to the right-hand side.
As a last step you have to map your Crowd groups to Nexus internal roles. A good starting point is mapping one Crowd group to the nx-admin role, so you can start managing Nexus with your Crowd login.
- Choose a Crowd group
- Think up a new unique name for the mapped role
- Add nx-admin to the contained roles
That's it. You should now be able to log out and log in with your Crowd user (provided that your Crowd user is in one of your previously mapped groups).
Remark: Caching can improve authentication performance significantly by moving credential validation into memory instead of requesting it from the Crowd server every time. However, if cache.authentication is set to true, a hashed version of user credentials will be cached. This might be a security risk and is also the reason why this property defaults to false.
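The crowd.properties settings described above can be checked before Nexus is started. The script below is an added example, not part of the plugin: it flags a crowd.server.url that is not https (loopback excepted), the sample application.password shown on this page, cache.authentication=true, and a world-readable file. The function names and finding texts are this example's own, and crowd.example.test is a constructed host.

```sh
#!/bin/sh
# Added example: audit crowd.properties for the settings this page warns about.
# Function names and finding texts are this example's own, not the plugin's.

# Print the trimmed value of key $2 (a regex) in properties file $1.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print one finding per line; return 0 when clean, 1 with findings, 2 if unreadable.
audit_crowd_properties() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    case $(prop "$file" 'crowd\.server\.url') in
        https://*|http://localhost[:/]*|http://127.0.0.1[:/]*) ;;
        *) echo "crowd.server.url: not https (or missing); credentials sent to Crowd are unencrypted"; rc=1 ;;
    esac
    # "nexus" is the sample password shown on this page.
    if [ "$(prop "$file" 'application\.password')" = "nexus" ]; then
        echo "application.password: still the sample value"; rc=1
    fi
    if [ "$(prop "$file" 'cache\.authentication')" = "true" ]; then
        echo "cache.authentication: hashed user credentials are kept in memory"; rc=1
    fi
    # Character 8 of the ls mode string is the read bit for "other".
    if [ "$(ls -ld "$file" | cut -c8)" = "r" ]; then
        echo "file mode: world-readable, exposes application.password"; rc=1
    fi
    return $rc
}

# With a path argument, audit that file; otherwise audit a constructed sample.
if [ "$#" -gt 0 ]; then
    audit_crowd_properties "$1" || true
else
    sample=$(mktemp)
    printf '%s\n' 'crowd.server.url=http://crowd.example.test/crowd' \
        'application.name=nexus' 'application.password=nexus' \
        'cache.authentication=true' > "$sample"
    chmod 644 "$sample"
    audit_crowd_properties "$sample" || true
    rm -f "$sample"
fi
```

Run it against $install-dir/etc/crowd.properties; with no argument it audits the constructed sample and prints all four findings.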
Build and install the plugin into your local Maven repository using the following commands:
git clone https://github.com/pingunaut/nexus3-crowd-plugin.git
cd nexus3-crowd-plugin
mvn install
Move into your $install-dir. Edit the file bin/nexus.vmoptions to contain the following line:
-Dkaraf.startLocalConsole=true
After that, (re-)start Nexus. It will then start up with an interactive console enabled. (If the console doesn't show up, you may hit the Enter key after startup.) Your console should look like this afterwards:
karaf@root()>
Within the console just type:
bundle:install -s file://ABSOLUTE_PATH_TO_YOUR_JAR
Thanks to all contributors who helped to get this up and running.