PatrickRoumanoff / nexus-crowd-plugin

Sonatype Nexus plugin for Atlassian Crowd integration
http://patrickroumanoff.github.io/nexus-crowd-plugin/

external user role mapping login failure #7

Closed ststrobel closed 11 years ago

ststrobel commented 11 years ago

I'm using the plugin in version 2.0.7. Crowd is 2.6.4 and Nexus is running 2.6.0-05.

I followed your instructions and am able to do the following:

Using the external role mapping I am able to login and see what is defined in the mapping role. This works perfectly. However, the external user role mapping doesn't behave correctly. I can create it (it loads the user data from Crowd) and attach roles with privileges to it, but I can't login with that user. Login always tells me there is a failure. After enabling Debug mode for the logs, the following appears:

org.sonatype.sisu.goodies.eventbus.internal.DefaultEventBus - Event 'NexusAuthenticationEvent{userId='bob',remoteIp='X.X.X.X',successful=true}' fired
org.sonatype.nexus.plugins.crowd.client.rest.CachingRestClient - getNestedGroups(bob) from cache
org.sonatype.security.usermanagement.xml.SecurityXmlUserManager - No user role mapping found for user: bob
org.sonatype.sisu.goodies.eventbus.internal.DefaultEventBus - Event 'org.sonatype.nexus.auth.NexusAuthorizationEvent@1ccdcb16' fired
bob
org.sonatype.nexus.feeds.record.NexusAuthenticationEventInspector - Successfully authenticated user [bob] from IP address X.X.X.X
org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter - Request processing is rejected because user "bob" lacks permissions.
org.sonatype.nexus.feeds.record.NexusAuthorizationEventInspector - Unable to authorize user [bob] for read(HTTP method "GET") to /nexus/service/local/authentication/login from IP Address X.X.X.X user agent:"n/a"

So Nexus thinks there is no external user role mapping? But it exists. What do you propose? Thanks

flopma commented 11 years ago

Hi Stefan, would it be possible for you to try out version 2.3.1 of Nexus and report back? I tested against that version but not yet on the latest. Maybe Patrick did.

ststrobel commented 11 years ago

Hi flopma, thanks for your answer. I just downloaded version 2.3.1 and installed it. Again the same issue. Login and permissions with external role mapping works fine, but not with external user role mapping. Something doesn't seem to like it. Maybe the new crowd version?

I configured three of my crowd users in Nexus using external user role mapping. I gave them Administrator rights. No luck. After configuring an external role mapping (which I gave base UI rights), my users could login, and they ONLY received the rights based on the role. So they did not have admin rights (although I defined it in their user configs).

flopma commented 11 years ago

Ah, then you might want to check this out with the sonatype team. Indeed if you assign privileges via a role (external) to a user, it will work. Assigning direct privileges or roles to a user (external) seems to be not possible. Please keep in mind that this plugin does not manage authorization, only authentication. Mapping between crowd groups and nexus roles must be done by hand (or via the REST API).

ststrobel commented 11 years ago

OK, thanks for the clarification. We decided to go with the external role mapping, which works fine. This way we can map privileges to the Crowd groups indirectly. It's still a good solution. Thanks!

vgshine commented 8 years ago

Hi Ststrobel,

Can you please help me get this clarified: how does the external role mapping work for you in an automated way? I am facing issues in my case when I am trying to use the "ldap" realm and mapping the external roles to internal Nexus roles through an API.

How did you do that?
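The thread turns on one pattern: Crowd authenticates the user, but Nexus then finds no role mapping and denies the request, and flopma's answer is that the group-to-role mapping has to be created by hand or via the REST API, which is also what the last question asks about. The script below is an added example, not code from the plugin or from anyone in the thread. It first classifies constructed debug lines modelled on the ones quoted above (authenticated but no mapping, versus a plain authentication failure), then builds and posts the external role mapping for a Crowd group. The endpoint `/service/local/roles`, the `{"data": {...}}` body shape and the field names are my recollection of the Nexus 2 role resource, not something the page confirms; compare them with what your own instance returns before relying on them. The credentials, group and role names are placeholders.

```python
"""Triage 'authenticated but unauthorized' Nexus log lines and build the
external role mapping request that fixes it. Added example, not the
plugin's code. ASSUMPTION: Nexus 2 role resource is POST /service/local/roles
with a {"data": {...}} body; verify against your instance."""
import json
import re
from base64 import b64encode
from urllib.request import Request, urlopen

# Constructed sample, shaped like the debug output quoted in the issue.
SAMPLE_LOG = """\
org.sonatype.sisu.goodies.eventbus.internal.DefaultEventBus - Event 'NexusAuthenticationEvent{userId='bob',remoteIp='10.0.0.5',successful=true}' fired
org.sonatype.nexus.plugins.crowd.client.rest.CachingRestClient - getNestedGroups(bob) from cache
org.sonatype.security.usermanagement.xml.SecurityXmlUserManager - No user role mapping found for user: bob
org.sonatype.nexus.feeds.record.NexusAuthenticationEventInspector - Successfully authenticated user [bob] from IP address 10.0.0.5
org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter - Request processing is rejected because user "bob" lacks permissions.
org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter - Request processing is rejected because user "mallory" lacks permissions.
"""

AUTH_OK = re.compile(r"Successfully authenticated user \[(?P<user>[^\]]+)\]")
NO_MAPPING = re.compile(r"No user role mapping found for user: (?P<user>\S+)")
DENIED = re.compile(r'user "(?P<user>[^"]+)" lacks permissions')


def triage(log_text):
    """Return {user: verdict}. 'authz' means Crowd accepted the credentials
    but Nexus has no role for the user, so the remedy is a role mapping,
    not a password reset. 'authn' means the request was rejected without a
    successful authentication event."""
    authed, missing, denied = set(), set(), set()
    for line in log_text.splitlines():
        for rx, bucket in ((AUTH_OK, authed), (NO_MAPPING, missing), (DENIED, denied)):
            m = rx.search(line)
            if m:
                bucket.add(m.group("user"))
    verdicts = {}
    for user in authed | missing | denied:
        if user in authed and (user in missing or user in denied):
            verdicts[user] = "authz: authenticated, no role mapping"
        elif user in authed:
            verdicts[user] = "ok"
        else:
            verdicts[user] = "authn: rejected before authentication"
    return verdicts


def external_role_mapping(crowd_group, nexus_roles, description=""):
    """Nexus 2 maps an external group by creating a role whose id equals the
    external group name (the UI's 'External Role Mapping'). Field names are
    an ASSUMPTION about the role resource; check them against a GET of an
    existing role on your instance."""
    return {"data": {
        "id": crowd_group,
        "name": crowd_group,
        "description": description or "Crowd group " + crowd_group,
        "sessionTimeout": 60,
        "roles": list(nexus_roles),      # Nexus roles granted to the group
        "privileges": [],                # grant via roles, not direct privileges
    }}


def post_role_mapping(base_url, user, password, payload, send=None):
    """Build the authenticated POST. `send` is injectable so the request can
    be inspected offline; by default it goes out over urllib."""
    body = json.dumps(payload).encode()
    req = Request(base_url.rstrip("/") + "/service/local/roles", data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    token = b64encode((user + ":" + password).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if send is None:
        send = lambda r: urlopen(r).status
    return send(req)


if __name__ == "__main__":
    for user, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(user, "->", verdict)
    # Placeholder base URL and credentials; replace before running for real.
    payload = external_role_mapping("crowd-developers", ["nx-deployment"])
    print(json.dumps(payload, indent=2))
```

Running it prints `bob -> authz: authenticated, no role mapping`, which is exactly the state in the quoted log: the plugin did its job, and the missing piece is a Nexus role whose id matches the Crowd group. Inject `send=lambda r: r` to see the request without sending it.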