A groovy script to create Content Selectors, privileges, and roles programmatically via the Nexus Repository Manager 3 Scripting API.

nexus-repo-manager-privilege-example.groovy

import org.sonatype.nexus.common.entity.*
import org.sonatype.nexus.security.*
import org.sonatype.nexus.security.authz.*
import org.sonatype.nexus.selector.*

import com.google.common.collect.ImmutableMap

// use container.lookup to fetch internal APIs we need to use
def selectorManager = container.lookup(SelectorManager.class.name)
def securitySystem = container.lookup(SecuritySystem.class.name)
def authorizationManager = securitySystem.getAuthorizationManager('default')

// create content selector (if not already present)
def selectorConfig = new SelectorConfiguration(
    name: 'mycompany-custom-selector',
    type: 'jexl',
    description: 'selector for my custom package',
    attributes: ['expression': 'coordinate.groupId =^ "com.mycompany"']
)
if (selectorManager.browse().find { it -> it.name == selectorConfig.name } == null) {
  selectorManager.create(selectorConfig)
}

// create snapshot and release repositories
def snapshotName = "mycompany-maven-snapshots"
def releaseName = "mycompany-maven-releases"
repository.createMavenHosted(snapshotName, 'default', false,
    org.sonatype.nexus.repository.maven.VersionPolicy.SNAPSHOT,
    org.sonatype.nexus.repository.storage.WritePolicy.ALLOW)
repository.createMavenHosted(releaseName, 'default', false,
    org.sonatype.nexus.repository.maven.VersionPolicy.RELEASE,
    org.sonatype.nexus.repository.storage.WritePolicy.ALLOW_ONCE)

// create content selector privilege for release repo
def releaseProperties = ImmutableMap.builder()
  .put("content-selector", selectorConfig.name)
  .put("repository", releaseName)
  .put("actions", "browse,read,edit")
  .build()
def releasePrivilege = new org.sonatype.nexus.security.privilege.Privilege(
    id: "mycompany-release-priv",
    version: '',
    name: "mycompany-release-priv",
    description: "Content Selector Release privilege",
    type: "repository-content-selector",
    properties: releaseProperties
)
authorizationManager.addPrivilege(releasePrivilege)

// create content selector privilege for snapshot repo
def snapshotProperties = ImmutableMap.builder()
  .put("content-selector", selectorConfig.name)
  .put("repository", snapshotName)
  .put("actions", "browse,read,edit")
  .build()
def snapshotPrivilege = new org.sonatype.nexus.security.privilege.Privilege(
    id: "mycompany-snapshot-priv",
    version: '',
    name: "mycompany-snapshot-priv",
    description: "Content Selector Snapshot privilege",
    type: "repository-content-selector",
    properties: snapshotProperties
)
authorizationManager.addPrivilege(snapshotPrivilege)

// create a role with the snapshot and release privileges
def role = new org.sonatype.nexus.security.role.Role(
    roleId: "mycompany-role",
    source: "Nexus",
    name: "mycompany-role",
    description: "My Company Role",
    readOnly: false,
    privileges: [ snapshotPrivilege.id, releasePrivilege.id ],
    roles: []
)
authorizationManager.addRole(role)

// add a local user account with the role
security.addUser("devuser",
      "Delilah", "Developer",
      "[email protected]", true,
      "devpassword", [ role.roleId ])

Thanks for this. It was a great head start.

Two changes:

1. JXEL was replaced with CSEL
   def selectorConfig = new SelectorConfiguration(
   name: 'mycompany-custom-selector',
   type: 'csel',
   description: 'selector for my custom package',
   attributes: ['expression': 'coordinate.groupId =^ "com.mycompany"']

2. The key content-selector is now contentSelector

@mschaefers Probably way too late, but here is:

1. a script to provision ldap
2. a script to provision roles to existing ldap users

These scripts are part of an ansible role used to install and provision nexus3. The structure of the expected json parameters is documented in the README

For those who are using nexus version 3, you can use this updated scripte:

import groovy.json.JsonOutput;
import org.sonatype.nexus.common.entity.*;
import org.sonatype.nexus.security.*;
import org.sonatype.nexus.security.authz.*;
import org.sonatype.nexus.selector.*;

import com.google.common.collect.ImmutableMap;
def selectorManager = container.lookup(SelectorManager.class.name);
def securitySystem = container.lookup(SecuritySystem.class.name);
def authorizationManager = securitySystem.getAuthorizationManager('default');
def repoName = 'docker';

// A simple selector login to give access on docker repo on path /v2/
def selectorConfig = new OrientSelectorConfiguration(
    name: 'docker-selector-config',
    type: 'csel',
    description: 'Selector docker login',
    attributes: ['expression': 'path == \"/v2/\"']
);
// Create if does not exist
if (selectorManager.browse().find { it -> it.name == selectorConfig.name } == null) {
  selectorManager.create(selectorConfig);
};

// Repo properties to bind with the privilege. This will give read access only
def repoProperties = ImmutableMap.builder().put('contentSelector', selectorConfigLogin.name).put('repository', repoName).put('actions', 'read').build();

// Create a privilege with the defined properties
def repoPrivilege = new org.sonatype.nexus.security.privilege.Privilege(
    id: 'docker-login',
    version: 0,
    name: 'docker-login',
    description: 'Login privilege for docker repo',
    type: 'repository-content-selector',
    properties: repoProperties
);
authorizationManager.addPrivilege(repoPrivilege);

// Create Role with the privilege created above
def role = new org.sonatype.nexus.security.role.Role(
    roleId: 'docker-login-role',
    source: 'Nexus',
    name: 'docker-login-role',
    description: 'My Company Role',
    readOnly: false,
    privileges: [ repoPrivilege.id ],
    roles: []
);
authorizationManager.addRole(role);

// Finally add user
security.addUser('<username>', 'user', 'user', '<email>', true, '<password>', [ role.roleId ]);
JsonOutput.toJson([result : 'Successfully created all resources!']);