Verdaccio

Verdaccio

  • Docs
  • Blog
  • Twitter
  • Help
  • GitHub
  • Team
  • 支持我们
  • Languages icon中文
    • English
    • Español
    • Français
    • Russian
    • Yoruba
    • 帮助翻译

›Features

Introduction

  • Verdaccio是什么?
  • 安装
  • 命令行工具
  • Using a private registry
  • 谁在使用 Verdaccio?
  • Security Policy
  • Logotype
  • Uses Cases

    • End to End testing
    • Caching strategies
    • GitHub Actions
    • 链接远程Registry

    Talks & Articles

    • Articles
    • Talks

Features

  • 配置文件
  • 上行链路
  • 包的访问
  • Authentication
  • 通知
  • 记录器
  • Web 用户界面

Server

  • 服务器配置
  • 逆向代理服务器设置
  • 设置SSL 证书
  • 作为 Windows 服务安装
  • IIS server上进行安装

Development

  • 插件
  • 插件开发
  • Dev Guides

    • Plugin Generator
    • Authentication Plugin(认证插件)
    • Middleware Plugin(Middleware 插件)
    • Storage Plugin(存储插件)
  • Node API

DevOps

  • Docker
  • Kubernetes
  • 持续集成
  • Cloud

    • 亚马逊Web服务

    Tools

    • Ansible
    • Puppet
    • Chef Cookbook

Guides

  • Best Practices
  • 保护包
  • Amazon Web Services
Translate

包的访问

This is a series of constraints that allow or restrict access to the local storage based on specific criteria.

安全约束构建于被使用的插件上,在默认情况下,verdaccio使用htpasswd 插件。 如果你使用不同的插件,行为可能会有所不同。 默认插件自己并不处理allow_access和allow_publish,它使用内部回退功能以防止插件尚未就绪。

关于权限的更多信息,请访问维基文档的认证部分。

用法

packages:
  # scoped packages
  '@scope/*':
    access: $all
    publish: $all
    proxy: server2

  'private-*':
    access: $all
    publish: $all
    proxy: uplink1

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    access: $all
    publish: $all
    proxy: uplink2

如果未进行任何设置,默认值则会被保留

packages:
  '**':
    access: $all
    publish: $authenticated

The list internal groups handled by verdaccio are:

'$all', '$anonymous', '@all', '@anonymous', 'all', 'undefined', 'anonymous'

如果htpasswd 返回用户名为组,所有用户,不管匿名与否,都会分别接到该组的权限以及插件提供的组。 例如,如果你以npmUser身份登录,组列表为。

// groups without '$' are going to be deprecated eventually
'$all', '$anonymous', '@all', '@anonymous', 'all', 'undefined', 'anonymous', 'npmUser'

如果你想要保护你所在组的特定包,你需要做如下工作。 我们来使用一个包含所有前缀为npmuser-的包的Regex。 We recommend using a prefix for your packages, in that way it will be easier to protect them.

packages:
  'npmuser-*':
    access: npmuser
    publish: npmuser

重启verdaccio并在命令行中尝试安装npmuser-core。

$ npm install npmuser-core
npm install npmuser-core
npm ERR! code E403
npm ERR! 403 Forbidden: npmuser-core@latest

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/user/.npm/_logs/2017-07-02T12_20_14_834Z-debug.log

你可以使用不同的插件认证来更改现有行为。 verdaccio只是检查试图访问或发布特定包的用户是否属于正确的组。

设置多个组

定义多个访问组非常简单,只需要在它们之间加入一个空格。

  'company-*':
    access: admin internal
    publish: admin
    proxy: server1
  'supersecret-*':
    access: secret super-secret-area ultra-secret-area
    publish: secret ultra-secret-area
    proxy: server1

阻止对一组包的访问

If you want to block the access/publish to a specific group of packages. Just do not define access and publish.

packages:
  'old-*':
  '**':
    access: $all
    publish: $authenticated

阻止代理一组特定包

你可能想要阻止一个或多个包从远程库获取数据,但在同时,允许其他包访问不同的uplinks。

请看如下示例:

packages:
  'jquery':
    access: $all
    publish: $all
  'my-company-*':
    access: $all
    publish: $authenticated
  '@my-local-scope/*':
    access: $all
    publish: $authenticated
  '**':
    access: $all
    publish: $authenticated
    proxy: npmjs

让我们描述一下在上面的示例中我们想要做什么:

  • 我想要自己的服务器上放置jquery依赖库但需要避免代理它。
  • 我想要所有和my-company-*匹配的依赖库但我需要避免代理它们。
  • 我想要在my-local-scope范围内的所有依赖库但我需要避免代理它们。
  • 我想要代理所有剩余的依赖库。

注意库定义的顺序很重要同时必须使用双通配符。 因为如果你没有包含它,verdaccio会帮你来包含它,这样你的依赖库解析会受到影响。

Use multiple uplinks

You may assign multiple uplinks for use as a proxy to use in the case of failover, or where there may be other private registries in use.

'**':
  access: $all
  publish: $authenticated
  proxy: npmjs uplink2

Unpublishing Packages

The property publish handle permissions for npm publish and npm unpublish. But, if you want to be more specific, you can use the property unpublish in your package access section, for instance:

packages:
  'jquery':
    access: $all
    publish: $all
    unpublish: root
  'my-company-*':
    access: $all
    publish: $authenticated
    unpublish:
  '@my-local-scope/*':
    access: $all
    publish: $authenticated
    # unpublish: property commented out
  '**':
    access: $all
    publish: $authenticated
    proxy: npmjs

In the previous example, the behaviour would be described:

  • all users can publish the jquery package, but only the user root would be able to unpublish any version.
  • only authenticated users can publish my-company-* packages, but nobody would be allowed to unpublish them.
  • If unpublish is commented out, the access will be granted or denied by the publish definition.

配置

You can define mutiple packages and each of them must have an unique Regex. The syntax is based on minimatch glob expressions.

属性类型必须的示例支持描述
accessstringNo$allall定义允许访问包的组
publishstringNo$authenticatedall定义允许发布的组
proxystringNonpmjsall针对特定的uplink限制查找
storage字符串No字符串/some-folderit creates a subfolder whithin the storage folder for each package access

我们强烈建议不要再使用已被弃用的allow_access/allow_publish 和 proxy_access,它们很快就会被移除,请使用它们的精简版本 (access/publish/proxy) 。

If you want more information about how to use the storage property, please refer to this comment.

← 上行链路Authentication →
Verdaccio
Docs
Getting StartedDockerConfigurationLogos
Community
User ShowcaseStack OverflowProject ChatFollow Verdaccio on Twitter
More
BlogGitHubStar