Blocking artifact overwriting at repo level - maven

I am trying to block overwriting in JFrog Artifactory. I have two Maven repos: one for snapshot versions and another for releases. The first one should allow overwriting while the second one shouldn't. As far as I can see, it must be configured at user level (How can I prevent previously deployed artifacts from being overwritten?) but I would need to do it at repo level. Is there any way to do it? Maybe it is possible by configuring Maven?

There is an option to use Include and Exclude Patterns at the repo level.
The Include Patterns and the Exclude Patterns fields provide a way to filter out specific repositories when trying to resolve the location of different artifacts.
In each field you can specify a list of Ant-like patterns to filter in and filter out artifact queries. Filtering works by subtracting the excluded patterns (default is none) from the included patterns (default is all).

Finally I've implemented the solution based on user permissions. It seems to be the only way of doing it and works for me.

Related

Download artifacts from Maven repository without using Maven

In various shell scripts, we need to download artifacts from a Maven repository (Nexus 2.x at the moment, but may change in the future).
The servers that run the scripts usually have no Maven installed. So I am looking for something http based.
On the one hand, there is a REST interface which can be used like
wget "http://local:8081/service/local/artifact/maven/redirect?g=com.mycompany&a=some-app&v=1.2.3"
On the other hand, you can construct a "standard" URL that seems to work for different Maven repositories. It consists of a prefix, then the groupId with slashes instead of dots, then the artifactId, then the version and then a file name of the form artifactId-(classifier)-version.type.
What is the recommended practice?
The Maven coordinates section of the POM reference describes the second scenario you mentioned. In general I've found that pattern easiest to explain to folks learning Maven, i.e. whether local or remote, an artifact is located at
$REPO/groupId/as/path/artifactId/version/artifactId-version[-classifier].type
where $REPO can be $USER_HOME/.m2/repository or https://remote.repo:port/....
I would also prefer the second as I suspect it will be easier for this app to work with another repository some day if needed. Even if not quite true, it's more self-documenting, so seems like it would be easier to adjust.
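Added example, not part of the original answers: a POSIX shell sketch of the standard-layout approach that builds the URL from coordinates, rejects coordinates that could alter the path, and checks the download against the `.sha1` file Maven repositories publish beside each artifact. The function names are hypothetical, the repository prefix is whatever the caller passes in, and `curl` plus `sha1sum` (or `shasum`) are assumed to be installed.

```shell
#!/bin/sh
# maven_url REPO GROUP ARTIFACT VERSION [TYPE] [CLASSIFIER]
# Prints $REPO/group/as/path/artifact/version/artifact-version[-classifier].type
maven_url() {
    mu_repo=${1%/}; mu_group=$2; mu_art=$3; mu_ver=$4
    mu_type=${5:-jar}; mu_cls=${6:-}
    if [ -z "$mu_repo" ] || [ -z "$mu_group" ] || [ -z "$mu_art" ] || [ -z "$mu_ver" ]; then
        echo "usage: maven_url REPO GROUP ARTIFACT VERSION [TYPE] [CLASSIFIER]" >&2
        return 2
    fi
    # Coordinates often arrive as script arguments: refuse anything that could
    # alter the path (slashes, "..", query characters, whitespace).
    for mu_part in "$mu_group" "$mu_art" "$mu_ver" "$mu_type" "$mu_cls"; do
        case $mu_part in
            *[!A-Za-z0-9._-]*|.|..)
                echo "invalid coordinate: $mu_part" >&2; return 1 ;;
        esac
    done
    mu_path=$(printf '%s' "$mu_group" | tr . /)   # groupId dots become slashes
    printf '%s/%s/%s/%s/%s-%s%s.%s\n' "$mu_repo" "$mu_path" "$mu_art" \
        "$mu_ver" "$mu_art" "$mu_ver" "${mu_cls:+-$mu_cls}" "$mu_type"
}

# sha1_matches FILE EXPECTED_HEX: succeeds only if the file's SHA-1 equals EXPECTED_HEX.
sha1_matches() {
    if command -v sha1sum >/dev/null 2>&1; then
        sm_actual=$(sha1sum "$1")
    else
        sm_actual=$(shasum -a 1 "$1")
    fi
    [ "${sm_actual%% *}" = "$2" ]
}

# fetch_artifact REPO GROUP ARTIFACT VERSION [TYPE] [CLASSIFIER]
# Downloads into the current directory and prints the file name on success.
fetch_artifact() {
    fa_url=$(maven_url "$@") || return 1
    fa_out=${fa_url##*/}
    curl -fsSL -o "$fa_out" "$fa_url" || return 1
    # The .sha1 file holds the hex digest, in some repositories followed by a file name.
    fa_expected=$(curl -fsSL "$fa_url.sha1" | cut -c1-40)
    if ! sha1_matches "$fa_out" "$fa_expected"; then
        rm -f "$fa_out"
        echo "checksum mismatch: $fa_out" >&2
        return 1
    fi
    printf '%s\n' "$fa_out"
}
```

A checksum fetched from the same server only catches truncated or corrupted downloads; to detect a replaced artifact, compare against a digest stored with the script instead.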

Jfrog Artifactory: How to delete old snapshot artifacts

I had a task to delete old SNAPSHOT artefacts which are under many folders/directories.
We can't go and delete each and every artefact manually, so I would like to go with the REST API.
For clear info:
https://artifactory.com/artifactory/maven-local/com/aa/bbb/cccc/dddd/XYZ-SNAPSHOT/abc.jar
https://artifactory.com/artifactory/maven-local/com/aa/bbb/cccc/dddd/XYZ-SNAPSHOT/xyz.jar
https://artifactory.com/artifactory/maven-local/com/aa/bbb/cccc/eeee/XYZ-SNAPSHOT/pqr.jar
https://artifactory.com/artifactory/maven-local/com/aa/bbb/dddd/eeee/XYZ-SNAPSHOT/lmn.jar
Above 4 examples have different directories.
My script needs to go through each and every directory and check for XYZ-SNAPSHOT; if it is found, then we can build a URL and delete it through curl.
How can we achieve this? Or is there any other way to do it?
You probably want to use Artifactory Query Language (AQL), which is the easiest way to find artifacts and modules according to patterns. You can find a bunch of examples on the page. Moreover, to perform the deletion easily and even automate the process in the future, I advise using JFrog CLI. You can also read this interesting blog about a similar use case.
Also, there is the 'Max Unique Snapshots' field in your local Maven repository settings. You can use that for Artifactory to keep a specified number of unique snapshots per artifact.

Setting a single server credentials in Maven for multiple repositories (install)

I've seen a lot of posts around Maven and multiple repositories with single server credentials like this one.
However the general given solution is always for deploying artifact with the distributionManagement tag, which is not the needed answer. (we need to install deps -> repositories tag is needed)
Is there any other solution than having two duplicated server entries with same credentials but different ids?
Rather than using two credential entries, the other solution is to set the first repository in the parent pom of your project (or creating one) and the second repository in the child pom
-> you will be able to use the same ID for your repository without having the duplicate error.

Start to use artifactory

In the company where I work we are starting to use Artifactory as a repository management tool, and I'm reading the user guide for this tool. We started the configuration by creating a virtual repository and a few local and remote repositories. In the user guide I found the following:
Prevent disclosing sensitive business information derived from your artifact queries to whomever can intercept the queries, including the owners of the remote repository itself.
I saw that this could be avoided through the exclude pattern functionality on the virtual repository. Can you give us some suggestions about this? What kinds of requests should we avoid making?
You should avoid requests for internal artifacts being sent to remote repositories (directly or via virtuals). This can happen when projects depend on internal libraries or within multi-module projects where modules depend on each other. When working with virtual repositories Artifactory will always search for such artifacts in local repositories first. However, if someone asked for a wrong version or had a typo in the artifact name, the artifact will not be found in a local repository and Artifactory will try to look for it in the remote repositories configured in this virtual.
To avoid exposing sensitive business information as described above, we strongly recommend the following best practices:
The list of remote repositories used in an organization should be managed under a single virtual repository to which all requests are directed
All internal artifacts should be specified in the Excludes Pattern field of the virtual repository (or alternatively, of each remote repository) using wildcard characters to encapsulate the widest possible specification of internal artifacts.
Assuming all of your projects/modules are using some kind of namespace, for example com.mycompany, you can configure an exclusion pattern for artifacts under this namespace: com/mycompany/**.
For more information take a look at avoiding security risks with an excludes pattern
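Added example, not part of the original answer and not Artifactory's own matcher: a shell sketch that applies a simplified subset of Ant-like patterns (`?`, `*`, `**`) to a constructed list of request paths and prints the ones an excludes pattern would not stop. It assumes patterns contain only Maven path characters; the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Constructed sample of paths requested through a virtual repository.
SAMPLE_REQUESTS='com/mycompany/billing/1.0/billing-1.0.pom
com/mycompany/billng/1.0/billng-1.0.pom
com/mycompnay/billing/1.0/billing-1.0.pom
org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar'

# ant_to_ere PATTERN: translate the pattern into an extended regular expression.
#   **  any characters, slashes included
#   *   any characters within one path segment
#   ?   a single character within one path segment
ant_to_ere() {
    printf '%s\n' "$1" | sed \
        -e 's|\.|\\.|g' \
        -e 's|\*\*|@@|g' \
        -e 's|\*|[^/]*|g' \
        -e 's|@@|.*|g' \
        -e 's|?|[^/]|g'
}

# is_excluded PATH PATTERN...: succeeds if any pattern matches the whole path.
is_excluded() {
    ie_path=$1; shift
    for ie_pat in "$@"; do
        if printf '%s\n' "$ie_path" | grep -Eq "^$(ant_to_ere "$ie_pat")\$"; then
            return 0
        fi
    done
    return 1
}

# forwardable PATTERN...: read request paths on stdin and print those that no
# excludes pattern covers, i.e. the ones that can still be sent to a remote
# repository when no local repository has them.
forwardable() {
    while IFS= read -r fw_req; do
        is_excluded "$fw_req" "$@" || printf '%s\n' "$fw_req"
    done
}

# Example: printf '%s\n' "$SAMPLE_REQUESTS" | forwardable 'com/mycompany/**'
```

With `com/mycompany/**` the misspelled artifact name (`billng`) is held back, but the misspelled namespace (`com/mycompnay`) still goes out along with the public dependency, so the pattern only covers typos made below the excluded prefix.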

How to get Nexus Index contents from a Plugin

I'm new to writing nexus plugins. From my plugin, I have a scheduled task. When the task is executed, I want to find all the artifacts in the configured repository that have an item with a certain maven classifier.
I'm injecting a RepositoryRegistry, getting a repository by id, and using List org.sonatype.nexus.proxy.repository.Repository.list(ResourceStoreRequest), but it only returns locally stored items. Is there a container managed component I could inject or a utility that will give me a List or Tree of items in the index?
I've looked at the lucene search api, but it requires a group, artifact, or version... I can't search by classifier. I've also looked at some of the sisu packages, but couldn't find anything.
For example
Repository Proxy named MyRemote
contains /my/group/artifactA/1/xml/features
Repository Hosted named MyHosted
contains /my/group/artifactB/1/xml/features
Repository Group named MyGroup that contains MyRemote and MyHosted
I think I'm looking for a Java API that will give me one of the following:
#Inject IndexManager??
List SomeUtil.searchRepo(..., String classifier, ...)
Tree SomeUtil.getIndexTree(String repoId)
and will list out both the my.group:artifactA:1:xml:features and my.group:artifactB:1:xml:features
Thanks!
Problem answered on the Nexus users list, FTR:
http://maven.40175.n5.nabble.com/Nexus-Plugin-Reading-Indexes-td5771952.html
