Tags: docker, docker-registry, sonatype, nexus3

How to limit content selector by docker tag in Sonatype Nexus3?


How to only grant access to specific tags and specified namespaces in Sonatype Nexus3?


Solution

  • As an example, we will use an image with the name: docker.domain.com/namespace/image:1.1.1

    We only want to allow the user to pull images that have a tag that matches our Semver regex (you can simply adjust the regex to your own needs).

    Content Selector

    format == 'docker'  
    && (
        path == '/v2/' 
        || (
            path =~ '.*/namespace/.*' 
            && (
                path =~ '.*[0-9]+\.[0-9]+\.[0-9]+'
                || path =~ '.*/blobs/.*'
                )
            )
        )
    

    Explanation

    The most important part is the combination of the namespace and the Semver regex, and of the namespace and the blobs path.

    Edit: Please see rseddons' answer here for a deeper explanation.
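As an added example (not part of the question or of the answer above), the selector from the answer re-expressed in Python and run against the registry v2 request paths a `docker pull` actually issues: the version check `/v2/`, the manifest `/v2/<name>/manifests/<reference>`, and each layer blob `/v2/<name>/blobs/<digest>`. It assumes that CSEL's `=~` is a full match (Java `String.matches`), which is why every pattern in the answer starts with `.*`; `re.fullmatch` models that. The image names, tags and digest are constructed. Running it shows what the selector lets through and what it blocks, including cases the answer's short explanation does not spell out: a `v1.1.1` tag and a four-part `1.1.1.1` tag pass, a `1.1.1-rc1` tag and a pull pinned by digest are denied because the Semver pattern must match the end of the path, and `/namespace/` is matched anywhere in the path, not only as the first segment.

```python
import re

# Added example, not the page's own code: the content selector from the
# answer above, re-expressed in Python so it can be run against the
# registry v2 request paths a `docker pull` issues. CSEL's =~ is assumed
# to be a full match (Java String.matches), which is why the author's
# patterns all begin with ".*"; re.fullmatch models that.
SEMVER_RE = r".*[0-9]+\.[0-9]+\.[0-9]+"
NAMESPACE_RE = r".*/namespace/.*"
BLOBS_RE = r".*/blobs/.*"

# Constructed digest: a sha256 digest is 64 hex characters and contains no dots.
FAKE_DIGEST = "sha256:" + "ab" * 32


def selector_allows(fmt: str, path: str) -> bool:
    """Evaluate the answer's selector for one repository request."""
    if fmt != "docker":
        return False
    if path == "/v2/":
        return True
    if not re.fullmatch(NAMESPACE_RE, path):
        return False
    return bool(re.fullmatch(SEMVER_RE, path) or re.fullmatch(BLOBS_RE, path))


def pull_requests(image: str, reference: str, digest: str = FAKE_DIGEST) -> list:
    """Requests a client sends for `docker pull <image>:<reference>`:
    the version check, the manifest, then each layer blob by digest."""
    return [
        "/v2/",
        f"/v2/{image}/manifests/{reference}",
        f"/v2/{image}/blobs/{digest}",
    ]


def pull_allowed(image: str, reference: str) -> bool:
    """True only if every request of the pull passes the selector."""
    return all(selector_allows("docker", p) for p in pull_requests(image, reference))


def denied_requests(image: str, reference: str) -> list:
    """The pull's requests that the selector rejects (empty if the pull is allowed)."""
    return [p for p in pull_requests(image, reference) if not selector_allows("docker", p)]


# Constructed cases: (image, tag or digest, expected outcome, why)
CASES = [
    ("namespace/image", "1.1.1", True, "the answer's own example"),
    ("namespace/image", "latest", False, "tag has no x.y.z"),
    ("other/image", "1.1.1", False, "wrong namespace"),
    ("namespace/image", "v1.1.1", True, "leading .* absorbs the v"),
    ("namespace/image", "1.1.1-rc1", False, "full match needs x.y.z at the end"),
    ("namespace/image", "1.1.1.1", True, "regex is looser than strict Semver"),
    ("namespace/image", FAKE_DIGEST, False, "pull by digest: no dots in a sha256"),
    ("other/namespace/image", "1.1.1", True, "'/namespace/' matched mid-path"),
]


if __name__ == "__main__":
    for image, ref, expected, why in CASES:
        outcome = pull_allowed(image, ref)
        status = "allow" if outcome else "deny "
        print(f"{status}  {image}:{ref[:19]:<19}  {why}")
        for p in denied_requests(image, ref):
            print(f"        rejected: {p}")
        assert outcome == expected
```

If the tag pattern should be strict Semver, anchor it to the manifest segment (for example `.*/manifests/[0-9]+\.[0-9]+\.[0-9]+`) and anchor the namespace pattern to the start of the path (`/v2/namespace/.*`); the last two cases above are what those anchors change.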