-
Hi, Maven packages inherit permissions from the repo that they're associated with. If an actor A has access to repositories X and Y, A also has access to the packages of X and Y.
-
Hi, that's OK,
but why can I access the packages of repo Y through the URL of repo X?
For me that makes no sense, because in the end this behaves as if all packages are visible and accessible from the root or organization level.
Proxying just one package with Nexus is not possible this way, because the technical user/token has access/read permissions to all repositories, of course. Thus it sees all packages even if only one is being proxied.
Any idea how to solve this? Creating new (technical) users with a new token, each assigned to only one repository, doesn't sound like a scaling solution to me.
To my understanding it would be much clearer if user A could access only the packages of repo-X through the URL of repo-X, but not through the URL of repo-Y or any other repository he has access to.
Thx, Torsten
-
Hi,
we have some GitHub (private) repositories, let's say
/path/to/github/myOrg/repo-A
/path/to/github/myOrg/repo-B
In the build of repo-A some packages were uploaded to this repository.
I'm now able to access/download these packages through
curl --user "myUser:${MY_TOKEN}" -OLv https://path/to/github/myOrg/repo-B/com/mycompany/mygroup/my-artifact-from-repo-A/4711/my-artifact-from-repo-A-4711-SNAPSHOT-main.pom
Why can I access packages from a private repo A using the URL of repo B?
Is there a way to "protect" these packages, so they are really only visible / accessible from their owning repo?
Background of this:
I have a Maven proxy configuration in Nexus pointing to one GitHub package, but now all packages from my whole org are visible in Nexus, although I configured the proxy URL to https://path/to/github/myOrg/repo-A only.
From the documentation I would expect that packages inherit the visibility from their repo - so they should be "private" in my case.
Thanx for any advice on how to solve this.
Torsten
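The behaviour described in this question (an artifact published from repo-A being served under repo-B's package URL to any token that can read both) can be spotted after the fact in proxy or access logs. The script below is an added example, not code from the discussion or from GitHub: it parses the Maven repository layout out of GitHub Packages URLs and flags downloads whose URL repository differs from the artifact's owning repository. The host name maven.pkg.github.com, the request lines and the artifact-owner inventory are all constructed for the example.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed inventory: which repository publishes which (groupId, artifactId).
# In practice this would be generated from your build definitions.
ARTIFACT_OWNERS = {
    ("com.mycompany.mygroup", "my-artifact-from-repo-A"): "repo-A",
    ("com.mycompany.mygroup", "my-artifact-from-repo-B"): "repo-B",
}

# Constructed sample requests (e.g. taken from Nexus proxy logs). The host is an
# assumption; only the path layout owner/repo/<group path>/artifact/version/file is used.
SAMPLE_REQUESTS = [
    "https://maven.pkg.github.com/myOrg/repo-A/com/mycompany/mygroup/"
    "my-artifact-from-repo-A/4711/my-artifact-from-repo-A-4711-SNAPSHOT-main.pom",
    "https://maven.pkg.github.com/myOrg/repo-B/com/mycompany/mygroup/"
    "my-artifact-from-repo-A/4711/my-artifact-from-repo-A-4711-SNAPSHOT-main.pom",
    "https://maven.pkg.github.com/myOrg/repo-B/com/mycompany/mygroup/"
    "my-artifact-from-repo-B/1.0.0/my-artifact-from-repo-B-1.0.0.jar",
]


def parse_request(url: str) -> Optional[dict]:
    """Split a GitHub Packages Maven URL into owner, repo and Maven coordinates.

    Maven layout: the last segment is the file, before it the version, before
    that the artifactId; everything between repo and artifactId is the groupId.
    """
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) < 6:  # owner, repo, >=1 group segment, artifactId, version, file
        return None
    owner, repo, *rest = parts
    *group, artifact, version, filename = rest
    return {"owner": owner, "repo": repo, "group": ".".join(group),
            "artifact": artifact, "version": version, "file": filename}


def cross_repo_downloads(requests, owners):
    """Return (url, serving_repo, owning_repo) for every download where the
    repository in the URL is not the repository that owns the artifact."""
    findings = []
    for url in requests:
        req = parse_request(url)
        if req is None:
            continue
        owning = owners.get((req["group"], req["artifact"]))
        if owning is not None and owning != req["repo"]:
            findings.append((url, req["repo"], owning))
    return findings
```

Run over the constructed sample, only the second request is reported: my-artifact-from-repo-A fetched through the repo-B URL.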