admin user is unauthorized to use REST API
I'm running registry1.dso.mil/ironbank/sonatype/nexus/nexus:3.37.3-02
using this config in my Helm chart:
nexus:
  env:
    - name: NEXUS_SECURITY_RANDOMPASSWORD
      value: "true"
which generates a random password at /opt/sonatype/sonatype-work/nexus3/admin.password, however when I run a curl command within the container I get a 403 error:
$ kubectl exec -it -n nexus-green -c nexus nexus3-sonatype-nexus-779f777dd8-522b2 -- bash
bash-4.4$ cat /tmp/anon-access.json
{
  "enabled": true,
  "userId": "anonymous",
  "realmName": "NexusAuthorizingRealm"
}
bash-4.4$ curl -u "admin:dd9b9819-bfaf-1234-885c-9ad06deca970" -X PUT -H "Content-Type: application/json" -d '@/tmp/anon-access.json' -v http://localhost:8081/service/rest/v1/security/anonymous
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8081 (#0)
* Server auth using Basic with user 'admin'
> PUT /service/rest/v1/security/anonymous HTTP/1.1
> Host: localhost:8081
> Authorization: Basic YWRtaW46ZGQ5Yjk4MTktYmZhZi00YTA4LTg4NWMtOWFkMDZkZWNhOTcw
> User-Agent: curl/7.61.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 88
>
* upload completely sent off: 88 out of 88 bytes
< HTTP/1.1 403 Forbidden
< Date: Wed, 19 Jan 2022 02:51:07 GMT
< Server: Nexus/3.37.3-02 (OSS)
< X-Content-Type-Options: nosniff
< X-Siesta-FaultId: 4e473622-73fc-4df1-bce8-0584c7c4754a
< Content-Length: 0
<
* Connection #0 to host localhost left intact
If I change the password, it changes to a 401 error, which seems to mean that I have the right credentials, but the admin user isn't allowed to do anything.
bash-4.4$ curl -u "admin:dd9b9819-bfaf-1234-885c-9ad06deca971" -X PUT -H "Content-Type: application/json" -d '@/tmp/anon-access.json' -v http://localhost:8081/service/rest/v1/security/anonymous
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8081 (#0)
* Server auth using Basic with user 'admin'
> PUT /service/rest/v1/security/anonymous HTTP/1.1
> Host: localhost:8081
> Authorization: Basic YWRtaW46ZGQ5Yjk4MTktYmZhZi00YTA4LTg4NWMtOWFkMDZkZWNhOTcx
> User-Agent: curl/7.61.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 88
>
* upload completely sent off: 88 out of 88 bytes
< HTTP/1.1 401 Unauthorized
< Date: Wed, 19 Jan 2022 02:52:12 GMT
< Server: Nexus/3.37.3-02 (OSS)
< X-Content-Type-Options: nosniff
* Authentication problem. Ignoring this.
< WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
< Content-Length: 0
<
* Connection #0 to host localhost left intact
Note that the pod starts up fine and passes its healthcheck. I'm able to access the healthcheck URL just fine:
bash-4.4$ curl -v http://localhost:8081/service/rest/v1/status
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8081 (#0)
> GET /service/rest/v1/status HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 19 Jan 2022 02:56:08 GMT
< Server: Nexus/3.37.3-02 (OSS)
< X-Content-Type-Options: nosniff
< Content-Length: 0
<
* Connection #0 to host localhost left intact
What's the correct way to automate API calls with this image?