
@nblair
Last active November 13, 2023 17:54
A groovy script to create Content Selectors, privileges, and roles programmatically via the Nexus Repository Manager 3 Scripting API.
import org.sonatype.nexus.common.entity.*
import org.sonatype.nexus.security.*
import org.sonatype.nexus.security.authz.*
import org.sonatype.nexus.selector.*
import com.google.common.collect.ImmutableMap
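// use container.lookup to fetch internal APIs we need to use
def selectorManager = container.lookup(SelectorManager.class.name)
def securitySystem = container.lookup(SecuritySystem.class.name)
def authorizationManager = securitySystem.getAuthorizationManager('default')
def repositoryManager = repository.repositoryManager

// Identifiers shared by the steps below. Every create step first checks whether
// the object already exists, so the script can be re-run safely instead of
// failing with a duplicate-id error on its second execution (originally only
// the selector had such a guard).
def selectorName = 'mycompany-custom-selector'
def snapshotName = "mycompany-maven-snapshots"
def releaseName = "mycompany-maven-releases"
def roleId = "mycompany-role"
def userId = "devuser"
// NOTE(review): a plaintext credential for an account with edit rights is
// committed with this script; supply it at run time (e.g. via the script's
// `args` binding) rather than keeping a real value here.
def userPassword = "devpassword"

// create content selector (if not already present)
def selectorConfig = new SelectorConfiguration(
    name: selectorName,
    type: 'jexl',
    description: 'selector for my custom package',
    attributes: ['expression': 'coordinate.groupId =^ "com.mycompany"']
)
if (selectorManager.browse().find { it.name == selectorName } == null) {
    selectorManager.create(selectorConfig)
}

// create snapshot and release repositories (skipped when the name is taken)
if (!repositoryManager.exists(snapshotName)) {
    repository.createMavenHosted(snapshotName, 'default', false,
        org.sonatype.nexus.repository.maven.VersionPolicy.SNAPSHOT,
        org.sonatype.nexus.repository.storage.WritePolicy.ALLOW)
}
if (!repositoryManager.exists(releaseName)) {
    // ALLOW_ONCE keeps a released artifact from being overwritten after deployment
    repository.createMavenHosted(releaseName, 'default', false,
        org.sonatype.nexus.repository.maven.VersionPolicy.RELEASE,
        org.sonatype.nexus.repository.storage.WritePolicy.ALLOW_ONCE)
}

// Builds a repository-content-selector privilege granting browse/read/edit on
// `repoName`, scoped to the selector above. The privilege id doubles as its name.
// NOTE(review): the property key "content-selector" is kept as the author wrote
// it; confirm it matches the privilege descriptor of the Nexus version in use.
def contentSelectorPrivilege = { String privilegeId, String repoName, String desc ->
    def properties = ImmutableMap.builder()
        .put("content-selector", selectorName)
        .put("repository", repoName)
        .put("actions", "browse,read,edit")
        .build()
    new org.sonatype.nexus.security.privilege.Privilege(
        id: privilegeId,
        version: '',
        name: privilegeId,
        description: desc,
        type: "repository-content-selector",
        properties: properties
    )
}
// Registers the privilege unless one with the same id already exists.
def ensurePrivilege = { privilege ->
    if (authorizationManager.listPrivileges().find { it.id == privilege.id } == null) {
        authorizationManager.addPrivilege(privilege)
    }
}

// create content selector privileges for the release and snapshot repos
def releasePrivilege = contentSelectorPrivilege("mycompany-release-priv", releaseName,
    "Content Selector Release privilege")
ensurePrivilege(releasePrivilege)
def snapshotPrivilege = contentSelectorPrivilege("mycompany-snapshot-priv", snapshotName,
    "Content Selector Snapshot privilege")
ensurePrivilege(snapshotPrivilege)

// create a role with the snapshot and release privileges (if not already present)
def role = new org.sonatype.nexus.security.role.Role(
    roleId: roleId,
    source: "Nexus",
    name: roleId,
    description: "My Company Role",
    readOnly: false,
    privileges: [ snapshotPrivilege.id, releasePrivilege.id ],
    roles: []
)
if (authorizationManager.listRoles().find { it.roleId == roleId } == null) {
    authorizationManager.addRole(role)
}

// add a local user account with the role (skipped when the user id is taken)
if (securitySystem.listUsers().find { it.userId == userId } == null) {
    security.addUser(userId,
        "Delilah", "Developer",
        "[email protected]", true,
        userPassword, [ role.roleId ])
}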
@talha0324

For those who are using nexus version 3, you can use this updated script:

import groovy.json.JsonOutput;
import org.sonatype.nexus.common.entity.*;
import org.sonatype.nexus.security.*;
import org.sonatype.nexus.security.authz.*;
import org.sonatype.nexus.selector.*;

import com.google.common.collect.ImmutableMap;
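def selectorManager = container.lookup(SelectorManager.class.name)
def securitySystem = container.lookup(SecuritySystem.class.name)
def authorizationManager = securitySystem.getAuthorizationManager('default')
def repoName = 'docker'
def privilegeId = 'docker-login'
def roleId = 'docker-login-role'
// Placeholders must be substituted before running; passing them in through the
// script `args` binding keeps the password out of the stored script body.
def userId = '<username>'

// A simple selector to give access on the docker repo on path /v2/
// (the registry API base endpoint contacted during `docker login`)
def selectorConfig = new OrientSelectorConfiguration(
    name: 'docker-selector-config',
    type: 'csel',
    description: 'Selector docker login',
    attributes: ['expression': 'path == \"/v2/\"']
)
// Create if it does not exist
if (selectorManager.browse().find { it.name == selectorConfig.name } == null) {
  selectorManager.create(selectorConfig)
}

// Repo properties to bind with the privilege. 'read' only: the role can
// authenticate and pull but not push.
// Fix: the original referenced an undefined `selectorConfigLogin` here,
// which fails at run time before anything is created.
def repoProperties = ImmutableMap.builder()
    .put('contentSelector', selectorConfig.name)
    .put('repository', repoName)
    .put('actions', 'read')
    .build()

// Create a privilege with the defined properties, unless the id is already taken
def repoPrivilege = new org.sonatype.nexus.security.privilege.Privilege(
    id: privilegeId,
    version: 0,
    name: privilegeId,
    description: 'Login privilege for docker repo',
    type: 'repository-content-selector',
    properties: repoProperties
)
if (authorizationManager.listPrivileges().find { it.id == privilegeId } == null) {
  authorizationManager.addPrivilege(repoPrivilege)
}

// Create a role with the privilege created above, unless it already exists
def role = new org.sonatype.nexus.security.role.Role(
    roleId: roleId,
    source: 'Nexus',
    name: roleId,
    description: 'My Company Role',
    readOnly: false,
    privileges: [ repoPrivilege.id ],
    roles: []
)
if (authorizationManager.listRoles().find { it.roleId == roleId } == null) {
  authorizationManager.addRole(role)
}

// Finally add the user, unless the user id is already taken
if (securitySystem.listUsers().find { it.userId == userId } == null) {
  security.addUser(userId, 'user', 'user', '<email>', true, '<password>', [ role.roleId ])
}
JsonOutput.toJson([result : 'Successfully created all resources!'])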
