Content Selectors

Content selectors provide a means to control access to specific content from a repository. The content you select is evaluated against search expressions written in CSEL (Content Selector Expression Language). CSEL is a light version of JEXL used to script queries along specific paths and coordinates available to your repository manager formats.

Docker format requires some special considerations when creating content selectors. See Content Selectors and Docker.

Content selectors allow you to define what content users are allowed to access. You can define, in a simplified example, a selector named "Apache Maven" with a search expression of path =^ "/org/apache/maven/". This would match all components that start with the designated component path.

Creating a Query

Create the query before you define user permissions for your selector. In the Administration menu, click Content Selectors under Repository. Click Create selector to open a new form.

In the Selector ID section enter a Name and (optional) Description of your selector in the corresponding fields. In the Specification section use the Search expression field to build your query using CSEL syntax.

Support for Regular Expressions Within Content Selectors in Different Deployment Environments

There are currently some variations in how Content Selectors work in different Sonatype Nexus Repository deployment environments: 

  • Content selectors in OrientDB and H2 deployments use JEXL regular expressions
  • Content selectors in non-High Availability (HA) PostgreSQL deployments use PostgreSQL regular expressions (See the PostgreSQL documentation about pattern matching)
  • HA PostgreSQL deployments use a different search implementation that does not currently support regular expressions

This means that if you are using OrientDB, H2, or PostgreSQL in a non-HA environment, you can use regular expressions in your content selectors as demonstrated in the example content selectors for non-HA deployments shown below.

If you are using PostgreSQL in an HA deployment, you cannot currently use regular expressions in your content selectors. We've provided example content selectors for HA deployments below as well.

Preview Repository

You can preview your selector and the results that your search expression will return by selecting the Preview results button under Preview Repository.

The preview is set to only display 10 results. This is to limit any potential performance impact from broad tests.


Figure: Content Selector Preview Modal

To see the results your selector would find, select a repository or grouping of repositories from the Preview Repository dropdown and select the Preview button. Assets that match will be returned in the space below the filter and can be filtered if you wish to check on a specific result. The Name column is also sortable in ascending or descending order.

Once satisfied with your fields, click Save to create the Content Selector. All saved selector queries you create will be listed in the Content Selectors screen.

Managing Selector Permissions

As part of your security setup, you can create user permissions to manage the filters you built in the Create Selector form. You can add a new privilege that controls operations of read, edit, delete or * (all) for components matching that selector. The privilege can even span multiple repositories.

To create a new content selector privilege, click Privileges in the Security section of the Administration panel. Then click the Create Privilege button. Locate and click Repository Content Selector from the list of options in Select Privilege Type. You will see a form that displays the following:

  • Name: Create a name for the content selector privilege.

  • Description: Add a brief description for the privilege.

  • Content Selector: Use this dropdown to select from a list of selectors you created.

  • Repository: Use this dropdown to select from either a range of all repository contents, all repository contents of an individual format, or repositories created by you.

  • Actions: Grant add, browse, create, delete, edit, read, update, or * (all) privileges for user access control.

To complete the form, save the new privilege by clicking Create privilege. You can use your new privilege to control which content a user is allowed to access. You can group all related privileges into a role, as documented in Roles, and then assign your roles to a user, as described in Users.

A practical example might be where you delegate all control of components in org.apache.maven to a "Maven" team. This way, you would not need to create separate repositories for each logical division of your components.

Content Selector Reference

Below are the allowable attributes for content selectors that define path and format as values supported by Nexus Repository Manager.

Attribute    Allowed Values
path         The path of your repository content
format       The format of the content for which you query

Content Selector Examples With Regular Expressions (For Non-HA Deployments) 

Valid Operators

  • ==
    Matches text exactly.
    e.g., format == "raw"
     
  • =~
    Matches a Java regular expression pattern.
    e.g., path =~ "^/org/apache/commons/.*"
     
  • =^
    Starts with text.
    e.g., path =^ "/com/example/"

  • and
    Match all expressions.
    e.g., format == "maven2" and path =~ "^/org/apache/commons/.*"
     
  • or
    Match any expression.
    e.g., format == "maven2" or format == "npm"

  • ( expr )
    Group multiple expressions.
    e.g., format == "npm" or (format == "maven2" and path =~ "^/org/apache/commons/.*")

Version Range Regular Expressions

To avoid encountering database errors, you should escape dashes in version range regular expressions.

e.g., path =~ "[0-9a-zA-Z\-_]"

Usage Examples

Select all raw format content

format == "raw"

Select all maven2 content along a path that starts with org.apache.commons

format == "maven2" and path =~ "^/org/apache/commons/.*"

When writing a content selector, remember that the asset’s path will always begin with a leading slash when the selector is evaluated. This is true even though the leading slash is not displayed when searching or browsing assets.

Permissions for Tree Browsing

Remember that to allow proper access when using Tree browsing in the UI, the content selectors need to include permissions for parent directories of the artifacts. Following along with the apache-commons examples used above, you would want something similar to this: format == "maven2" and path =~ "/|/org/|/org/apache/|/org/apache/commons/.*". Alternatively, if you don't mind users being able to see any directory name (just not the contents), you could use format == "maven2" and path =~ ".*/|/org/apache/commons.*".

Content Selector Examples Without Regular Expressions (For HA Deployments) 

Valid Operators

  • ==
    Matches text exactly.
    e.g., format == "raw"
     
  • =^
    Starts with text.
    e.g., path =^ "/org/apache/commons"

  • and
    Match all expressions.
    e.g., format == "maven2" and path =^ "/org/apache/commons"
     
  • or
    Match any expression.
    e.g., format == "maven2" or format == "npm"

  • ( expr )
    Group multiple expressions.
    e.g., format == "npm" or (format == "maven2" and path =^ "/org/apache/commons")


Usage Examples

Select all raw format content

format == "raw"

Select all maven2 content along a path that starts with org.apache.commons

format == "maven2" and path =^ "/org/apache/commons/"

When writing a content selector, remember that the asset’s path will always begin with a leading slash when the selector is evaluated. This is true even though the leading slash is not displayed when searching or browsing assets.

Permissions for Tree Browsing

Remember that to allow proper access when using Tree browsing in the UI, the content selectors need to include permissions for parent directories of the artifacts. Following along with the apache-commons examples used above, you would want something similar to the following:

(format == "maven2" and (path =^ "/" or path =^ "/org/" or path =^ "/org/apache/" or path =^ "/org/apache/commons/"))
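
Before attaching a privilege to a regex-free selector, it helps to check offline which paths it actually covers. The following is an added example, not Sonatype code: a small evaluator for the operators listed above (==, =^, and, or, grouping), assuming they behave exactly as that list describes. The names selects, exposed, ASSETS, NARROW and TREE are hypothetical and the asset paths are constructed. It shows that, under these semantics, the path =^ "/" clause of the tree-browsing expression matches every maven2 path, because every evaluated path begins with a slash.

```python
import re

def selects(expr, asset):
    """Assumed semantics from the operator list: == is exact, =^ is starts-with."""
    toks = re.findall(r'"[^"]*"|==|=\^|[()]|\w+|\S', expr) + [None] * 3  # None = end
    pos = 0
    def take():                                # consume and return the next token
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def chain(keyword, operand, combine):      # operand (keyword operand)*
        val = operand()
        while toks[pos] == keyword:
            take()
            val = combine(val, operand())
        return val
    def term():                                # "( expr )" or attribute op "text"
        name = take()
        if name == "(":
            val = any_of()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return val
        op, text = take(), take()
        if name not in ("path", "format") or not re.fullmatch(r'"[^"]*"', text or ""):
            raise ValueError(f"bad comparison near {name!r}")  # also rejects =~
        if op == "==":
            return asset[name] == text[1:-1]
        if op == "=^":
            return asset[name].startswith(text[1:-1])
        raise ValueError(f"unsupported operator {op!r}")
    def all_of():                              # "and" binds tighter than "or"
        return chain("and", term, lambda a, b: a and b)
    def any_of():
        return chain("or", all_of, lambda a, b: a or b)
    result = any_of()
    if toks[pos] is not None:
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return result

# Constructed sample assets: (format, path with the leading slash used at evaluation).
ASSETS = [("maven2", "/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar"),
          ("maven2", "/com/example/internal/app/1.0/app-1.0.jar"),
          ("npm", "/lodash/-/lodash-4.17.21.tgz")]
NARROW = 'format == "maven2" and path =^ "/org/apache/commons/"'
TREE = ('(format == "maven2" and (path =^ "/" or path =^ "/org/" or '
        'path =^ "/org/apache/" or path =^ "/org/apache/commons/"))')

def exposed(expr):                             # sample paths the selector covers
    return [p for f, p in ASSETS if selects(expr, {"format": f, "path": p})]
```

Comparing exposed(NARROW) with exposed(TREE) shows the second also returns the /com/example/ asset; the Preview results button is the place to confirm the same scope on the real repository before saving the privilege.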