Skip to content

Latest commit

 

History

History
225 lines (168 loc) · 8.17 KB

configuring-nexus-proxy.md

File metadata and controls

225 lines (168 loc) · 8.17 KB

Configuring nexus-proxy GCP IAM Authentication

Table of Contents

Pre-Requisites

Enabling GCP IAM authentication in nexus-proxy requires:

  • Access to the Google Cloud Resource Manager API.
  • An OAuth consent screen and client ID to be configured.
  • A Java keystore to sign user tokens (JWT) to be created.

This document walks through the setup of each of these requirements in detail.

ATTENTION: For users to authenticate, they must be part of the GCP organization and must use their respective email address as the username. Each user must also have "Organization Viewer" permissions at organization-level (i.e., in the "IAM & Admin" section of the organization in the GCP UI), otherwise they won't be able to authenticate. For more details, consult the proxy requirements.

For one to enable the Cloud Resource Manager API, one must:

  1. Go to "Google Cloud Platform > APIs & services > Library".
  2. Search for "Google Cloud Resource Manager API" and click the link in the results box.
  3. Click the "Enable" button.

For one to configure the OAuth consent screen, one must:

  1. Go to "Google Cloud Platform > APIs & services > Credentials".
  2. Click "OAuth consent screen".
  3. Fill in the form with appropriate values (e.g., Nexus Repository Manager in Product name shown to users).
  4. Click "Save".

For one to create an OAuth Client ID, one must:

  1. Go to "Google Cloud Platform > APIs & services > Credentials".
  2. Click "Create Credentials > OAuth client ID".
  3. Select "Web application".
  4. Under "Name" specify "nexus-proxy".
  5. Under "Authorized JavaScript origins" add all the URLs one may be using to access Nexus (e.g. both http://nexus.example.com and https://nexus.example.com).
  6. Under "Authorized redirect URIs" add the HTTPS variant of the URL suffixed with /oauth/callback (e.g., https://nexus.example.com/oauth/callback).
  7. Take note of the resulting client ID and client secret.

A Java keystore is needed in order for the proxy to sign user tokens (JWT). One must create the keystore as follows:

$ keytool -genkey \
          -keystore keystore.jceks \
          -storetype jceks \
          -keyalg RSA \
          -keysize 2048 \
          -alias RS256 \
          -sigalg SHA256withRSA \
          -dname "CN=,OU=,O=,L=,ST=,C=" \
          -validity 3651

When prompted for two passwords, one must make sure the passwords match. Also, one is free to change the value of the dname, keystore and validity parameters. For further details please refer to travelaudience/nexus-proxy.

After creating the keystore, it must be made available to the Kubernetes cluster, as follows:

  1. Run the following command replacing, /path/to/keystore.jceks and KEYSTORE_PASSWORD with the path to the keystore file created and the password chosen for the keystore, respectively:

    $ cat << EOF > nexus-proxy-ks-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: nexus-proxy-ks
    type: Opaque
    data:
      keystore: $(cat /path/to/keystore.jceks | base64)
      password: $(echo -n KEYSTORE_PASSWORD | base64)
    EOF

    This will create a Kubernetes secret containing the keystore file and the password, ready to be imported into the cluster and be accessible by Nexus.

  2. Create the secret, as follows:

    $ kubectl create -f nexus-proxy-ks-secret.yaml

In order to enable GCP IAM authentication for Nexus, one must first create the "Rut Auth" capability in the Nexus administration page, as follows:

  1. Inside Nexus, go to "Server Administration and Configuration > System > Capabilities".

rut-auth-capability-1

  1. Click "Create capability" and choose "Rut Auth" on the list.

rut-auth-capability-2

  1. When asked for "HTTP Header Name" enter X-Forwarded-User.

rut-auth-capability-3

  1. Click "Create capability".

Then, one must edit the nexus-iam-statefulset.yaml descriptor, as follows:

  1. Set the value of CLOUD_IAM_AUTH_ENABLED to "true".
  2. Set the value of CLIENT_ID to the value obtained in the last step of Create an OAuth Client ID.
  3. Set the value of CLIENT_SECRET to the value obtained in the last step of Create an OAuth Client ID.
  4. Set the value of ORGANIZATION_ID according to the desired authentication organization.
    • One can find this value by running gcloud organizations list.
  5. Set the value of REDIRECT_URL, e.g. https://nexus.example.com/oauth/callback.
  6. Adjust the values of AUTH_CACHE_TTL and SESSION_TTL according to one's needs.
    • Further description of these variables can be found here.

ATTENTION: The value of the NEXUS_RUT_HEADER variable must match the value defined in the "HTTP Header Name" field of the "Rut Auth" capability in the Nexus configuration. If one has chosen a different value in step (3) above, one must also update the value of this variable accordingly.

Deploying

  1. If one hasn't done so, one must run kubectl create -f nexus-proxy-ks-secret.yaml.
  2. Proceed as indicated in Deploying Nexus, using nexus-iam-statefulset.yaml instead of nexus-statefulset.yaml.

When Google Cloud IAM authentication is enabled and one first browses Nexus, a consent screen asking for a few permissions will be presented. One must click "Allow" for the authentication process to succeed. This consent screen may continue to pop-up from time to time.

ATTENTION: A Google log-in page may appear before the abovementioned consent screen. One must use their organization credentials to log-in before proceeding.

Using Command-Line Tools

For security reasons, the proxy and tools such as Maven or Docker shouldn't store and use GCP organization credentials. The same credentials are used solely within GCP domain. Therefore one needs a specific set of credentials that can be used to authorize access to Nexus repositories. After logging-in, these per-user credentials can be queried at https://nexus.example.com/cli/credentials.

If authentication with Google Cloud IAM is successful, a result like follows is returned:

{
    "username": "[email protected]",
    "password": "eyJ0eXA(...)"
}

These are the credentials one will use when setting-up their tools. Here's one example when configuring Docker:

$ docker login containers.example.com
Username: [email protected]
Password: eyJ0eXA(...) # Input will be hidden.
Login Suceeded

ATTENTION: The credentials obtained through this process are valid for one year, but will expire before that period if membership within the organization is revoked. When credentials expire, the user must request them them as described above.

ATTENTION: Every visit to https://nexus.example.com/cli/credentials will return a new authentication token, as the creation and expiration dates are encoded in the token itself. One may use different tokens in different tools but must be aware that these tokens will expire at different moments.