This plugin adds the ability for building a configuraiton file that defines which users have which roles based on their DN when using x509 two-way SSL authentication.
Should work with Nexus version 3.2.1 and newer (only tested with version 3.7.1)
A yaml file is used to make the roles to DNs:
nx-admin:
- CN=Firstname Lastname, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
nx-deploy:
- CN=Firstname Lastname, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
- CN=Firstname Lastname2, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
For the following commands we assume your nexus installation resides in /opt/sonatype/nexus. See https://books.sonatype.com/nexus-book/reference3/install.html#directories for reference.
The following lines will:
- create a directory in the
nexus/kafkamaven repository - download the latest release from github
- unzip the releae to the maven repository
- add the plugin to the
karafstartup.properties.
mkdir -p /opt/sonatype/nexus/system/com/github/vincentrussell/ &&\
wget -O /opt/sonatype/nexus/system/com/github/vincentrussell/nexus3-x509-dn-security-plugin.zip https://github.com/vincentrussell/nexus3-x509-dn-security-plugin/releases/download/1.1/nexus3-x509-dn-security-plugin.zip &&\
unzip /opt/sonatype/nexus/system/com/github/vincentrussell/nexus3-x509-dn-security-plugin.zip -d /opt/sonatype/nexus/system/com/github/vincentrussell/ &&\
echo "reference\:file\:com/github/vincentrussell/nexus3-x509-dn-security-plugin/1.1/nexus3-x509-dn-security-plugin-1.1.jar = 200" >> /opt/sonatype/nexus/etc/karaf/startup.propertiesCreate /opt/sonatype/nexus/etc/x509-dn-security-config.yaml
Set the system property (X509DnAuthenticatingRealm.config.file) to point to that file:
The easiest way is to modify (/opt/sonatype/nexus/bin/nexus.vmoptions) and add:
-DX509DnAuthenticatingRealm.config.file=/opt/sonatype/nexus/etc/x509-dn-security-config.yaml
Restart your Nexus instance to let it pick up your changes.
Log in to your nexus and go to Administration > Security > Realms. Move the X509-Dn Authenticating Realm to the right. The realm order in the form determines the order of the realms in your authentication flow. We recommend putting X509-Dn Authenticating Realm after the built-in realms.
- brew install docker-machine
- brew install docker
- docker-machine create --driver virtualbox nexus3-x509-oath-plugin
- docker-machine env nexus3-x509-oath-plugin
- eval "$(docker-machine env nexus3-x509-oath-plugin)"
You can build the project with the integrated maven wrapper like so: ./mvn clean package
docker build -t vincentrussell/nexus3-x509-oath-plugin .
docker run -p 8443:8443 -p 5005:5005 -it --rm vincentrussell/nexus3-x509-oath-plugin
You can build a ready to run docker image using the Dockerfile to quickly spin up a nexus with the plugin already preinstalled.
The whole project is heavily influenced by the nexus3-github-oauth-plugin.
1.1 (2018-04-02)
- expire cached auths after five mintues so that the server doesn't have to be restarted to respect changes to the config file
1.0 (2018-02-19)
Initial Release:
- Initial Capability