Repository Management with Nexus
20.5. Nexus Atlassian Crowd Plugin
Atlassian’s Crowd is a single sign-on and identity management product that many organizations use to consolidate user accounts and control which users and groups have access to which applications. Nexus Professional contains an optional security plugin that allows you to configure Nexus to authenticate against an Atlassian Crowd instance. For more information about Atlassian Crowd, go to http://www.atlassian.com/software/crowd/
The Nexus Atlassian Crowd plugin is an optional plugin that comes as part of any Nexus Professional download. The directory containing the plugin code is called enterprise-crowd-plugin-X.Y.Z. Install the plugin following the instructions in Section 20.1, “Installing Additional Plugins”.
Once the Atlassian Crowd plugin is installed, restart Nexus and login as a user with Administrative privileges. To configure the Crowd plugin, click on the Crowd Configuration in the Security section of the Nexus menu as shown in Figure 20.13, “Crowd Menu Link in the Security Section of the Nexus Menu”.
Clicking on the Crowd Configuration link will load the form shown in Figure 20.14, “Crowd Configuration Panel”. This configuration panel contains all of the options that need to be configured to connect your Nexus instance to Crowd for authorization and authentication.
The following sections outline all of the settings in the Crowd Configuration Pane.
The Access Settings section of the Crowd configuration is shown in Figure 20.15, “Crowd Access Settings”. This section contains the following fields:
- Application Name: This field contains the application name of a Crowd application. This value should match the value in the Name field of the form shown in Figure 20.20, “Creating a Nexus Crowd Application”.
- Application Password: This field contains the application password of a Crowd application. This value should match the value in the Password field of the form shown in Figure 20.20, “Creating a Nexus Crowd Application”.
- Crowd Server URL: This is the URL of the Crowd Server. It must be reachable from the Nexus process, because it is the URL that Nexus will use to connect to Crowd’s SOAP services.
- Authentication Interval: This is the number of minutes for which a Crowd authentication remains valid. A value of 30 means that Nexus will only require re-authentication if more than 30 minutes have elapsed since a previously authenticated user last accessed Nexus.
- Use Groups: If checked, Use Groups allows Nexus to use Crowd Groups when calculating Nexus Roles. When selected, you can map a Nexus Role to a Crowd Group.
You can control the concurrency of connections to Crowd in the HTTP Settings section shown in Figure 20.16, “Crowd HTTP Settings”. If you have a high-traffic instance of Nexus, you will want to limit the number of simultaneous connections to the Crowd server to a reasonable value like 20. The HTTP Timeout specifies the number of milliseconds Nexus will wait for a response from Crowd. A value of zero for either of these properties indicates that there is no limit to either the number of connections or the timeout.
If your Nexus installation is connecting to Crowd via an HTTP Proxy server, the HTTP Proxy Settings section of the Crowd Configuration allows you to specify the host, port, and credentials for a HTTP Proxy server. The HTTP Proxy Settings section is shown in Figure 20.17, “Crowd HTTP Proxy Settings”.
The miscellaneous settings section shown in Figure 20.18, “Crowd Miscellaneous Settings”, allows you to configure settings that control the name of the Single Sign-on cookie and the various keys that are used to retrieve values that relate to authentication and the auth token. This dialog is only relevant if you have modified optional Crowd settings in your $CROWD_HOME/etc/crowd.properties. For more information about customizing these options, see the Atlassian Crowd documentation.
Once you have configured Nexus to connect to Crowd, you must select the Crowd authorization realm from the list of available realms in your Nexus Server settings. Figure 20.19, “Configuring the Crowd Authentication Realm”, shows the Security settings section in the Nexus Server configuration. To load the Nexus server configuration panel, click on Server under Administration in the Nexus menu. Drag Crowd from the list of available realms to the list of selected realms and then save the Nexus server configuration.
To connect Nexus to Atlassian’s Crowd, you will need to configure Nexus as an application in Crowd. To do this, login to Crowd as a user with Administrative rights, and click on the Applications tab. Once you click on this tab, you should see two options under the Applications tab: Search Applications and Add Application. Click on Add Application to display the form shown in Figure 20.20, “Creating a Nexus Crowd Application”, and create a new application with the following values in the Details tab of the Add Application form:
- Application Type: Generic Application
- Name: nexus
- Description: Sonatype Nexus Professional
Choose a password for this application. Nexus will use this password to authenticate with the Crowd server. Click on the Next button.
Clicking on Next will advance the form to the Connection tab shown in Figure 20.21, “Creating a Nexus Crowd Application Connection”. In this tab you need to supply the URL of Nexus and the remote IP address of Nexus. Figure 20.21, “Creating a Nexus Crowd Application Connection”, shows the Connection form configured for a local instance of Nexus. If you were configuring Crowd and Nexus in a production environment, you would supply the URL that users would use to load Nexus in a web browser and the IP address that Nexus will be connecting from. Once you have completed the Connection form, click on Next to advance to the Directories form.
Clicking on Next advances to the Directories form shown in Figure 20.22, “Creating a Nexus Crowd Application Directories”. In this example, the Nexus application in Crowd is going to use the default "User Management" directory. Click on the Next button to advance to the "Authorisation" form.
Clicking on the Next button advances to the "Authorisation" form shown in Figure 20.23, “Creating a Nexus Crowd Application Authorization”. If any of the directories selected in the previous form contain groups, each group is displayed on this form next to a checkbox. You can select "Allow all users" for a directory, or you can select specific groups which are allowed to authenticate to Crowd through Nexus. This option would be used if you wanted to limit Nexus access to specific subgroups within a larger Crowd directory. If your entire organization is stored in a single Crowd directory, you may want to limit Nexus access to a group that contains only Developers and Administrators.
To map a Crowd Group to a Nexus Role, open up the Roles panel by clicking on the Roles link under the Security section of the Nexus menu. Click on the Add… button and select External Role Mapping as shown in Figure 20.24, “Adding an External Role Mapping”.
Selecting External Role Mapping will show the Map External Role dialog shown in Figure 20.25, “Mapping an External Crowd Group to a Nexus Role”.
Once you have mapped a Crowd Group to a Nexus Role, these Roles will appear in the list of Nexus Roles with a mapping value of "Crowd" as shown in Figure 20.26, “Two Crowd Groups Mapped to Nexus Roles”.
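The following Python script is an added illustration of the two behaviours described above, the Authentication Interval cache and the Use Groups / External Role Mapping role calculation; it is not code from the Nexus Crowd plugin and does not talk to a real Crowd server. The in-memory directory, the CrowdRealm class, and the group and role names (crowd-manager, developers, nx-admin, nx-deployment) are assumptions constructed for the example. It also shows the practical consequence of the interval: a user disabled in Crowd keeps working in Nexus until the interval since their last access has elapsed, so the interval is effectively your revocation latency.

```python
import copy
import hashlib
from datetime import datetime, timedelta

# Constructed in-memory stand-in for a Crowd directory (username -> record).
# The real plugin reaches Crowd over the network; nothing here is the plugin's code.
CROWD_DIRECTORY = {
    "brian": {"password": "s3cret", "active": True, "groups": {"crowd-manager", "developers"}},
    "alice": {"password": "hunter2", "active": True, "groups": {"developers"}},
    "bob": {"password": "pass", "active": True, "groups": {"developers"}},
}

# External role mapping (Crowd group -> Nexus roles), as entered in the Map External
# Role dialog. Group and role names are assumed for this example.
ROLE_MAPPING = {
    "crowd-manager": {"nx-admin"},
    "developers": {"nx-deployment"},
}


def crowd_authenticate(directory, username, password):
    """Model of the remote call to Crowd: True only for an active user with a matching password."""
    record = directory.get(username)
    return bool(record and record["active"] and record["password"] == password)


class CrowdRealm:
    """Model of the Nexus Crowd realm: re-uses a successful authentication for
    auth_interval minutes after the user's last access, and derives Nexus roles
    from Crowd groups when use_groups is enabled."""

    def __init__(self, directory, role_mapping, auth_interval_minutes=30, use_groups=True):
        self.directory = directory
        self.role_mapping = role_mapping
        self.auth_interval = timedelta(minutes=auth_interval_minutes)
        self.use_groups = use_groups
        self._cache = {}       # username -> (credential fingerprint, last access time)
        self.crowd_calls = 0   # how often the model actually went to Crowd

    @staticmethod
    def _fingerprint(username, password):
        # Never keep the clear-text password around; a hash is enough to compare.
        return hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()

    def authenticate(self, username, password, now):
        fp = self._fingerprint(username, password)
        cached = self._cache.get(username)
        if cached and cached[0] == fp and now - cached[1] <= self.auth_interval:
            # Inside the interval: accept without contacting Crowd, refresh the timer.
            self._cache[username] = (fp, now)
            return True
        # Interval elapsed, first login, or different credentials: ask Crowd.
        self.crowd_calls += 1
        if crowd_authenticate(self.directory, username, password):
            self._cache[username] = (fp, now)
            return True
        self._cache.pop(username, None)
        return False

    def roles_for(self, username):
        """Union of the Nexus roles mapped from the user's Crowd groups; unmapped groups give nothing."""
        if not self.use_groups:
            return set()
        roles = set()
        for group in self.directory.get(username, {}).get("groups", set()):
            roles |= self.role_mapping.get(group, set())
        return roles


def demo():
    directory = copy.deepcopy(CROWD_DIRECTORY)
    realm = CrowdRealm(directory, ROLE_MAPPING, auth_interval_minutes=30)
    t0 = datetime(2024, 1, 1, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    results = {
        "brian_first": realm.authenticate("brian", "s3cret", m(0)),    # Crowd call
        "brian_20min": realm.authenticate("brian", "s3cret", m(20)),   # cached
        "brian_45min": realm.authenticate("brian", "s3cret", m(45)),   # 25 min since last access: cached
        "brian_80min": realm.authenticate("brian", "s3cret", m(80)),   # 35 min since last access: Crowd call
        "brian_wrong": realm.authenticate("brian", "nope", m(81)),     # Crowd call, rejected
        "bob_first": realm.authenticate("bob", "pass", m(0)),          # Crowd call
    }
    directory["bob"]["active"] = False                                  # bob is disabled in Crowd
    results["bob_disabled_10min"] = realm.authenticate("bob", "pass", m(10))  # still accepted from cache
    results["bob_disabled_50min"] = realm.authenticate("bob", "pass", m(50))  # interval elapsed: rejected
    results["crowd_calls"] = realm.crowd_calls
    results["brian_roles"] = realm.roles_for("brian")
    results["alice_roles"] = realm.roles_for("alice")
    results["no_groups_roles"] = CrowdRealm(directory, ROLE_MAPPING, use_groups=False).roles_for("brian")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because each access refreshes the timer, a user who keeps working never triggers a re-check against Crowd, which is why the model accepts brian at 45 minutes and why a disabled bob is still let in at 10 minutes. Pick the interval with that lag in mind rather than only as a performance setting.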
To illustrate this feature, consider the crowd-manager user with an id of "brian". This user’s groups are shown in Figure 20.27, “Crowd Groups for User "brian"”.
To add an external user role mapping, open up the Users panel by clicking on Users in the Security section of the Nexus panel. Click on the Add… button and select External User Role Mapping from the drop-down as shown in Figure 20.28, “Adding an External User Role Mapping”.
Selecting External User Role Mapping will show the dialog shown in Figure 20.29, “Locating a Crowd User in the User Role Mapping Dialog”.
Once you have located the Crowd user to whom you want to add a Nexus Role, use the configuration panel shown in Figure 20.30, “Adding a Nexus Role to a Crowd User”, to add a Role to the Crowd-managed "brian" user.