Nexus vs. Artifactory
Choosing a Maven Repository Manager
Until now we didn't use a repository manager for Maven. Our repos were a plain directory structure on the file system served by Apache. Uploading was done using Apache's WebDAV capabilities with a simple authentication against our LDAP directory:
<Location /maven> Options Indexes DAV On AuthType Basic AuthName "reucon Maven Repositories" AuthBasicProvider ldap AuthLDAPURL ldap://ldap.myorg.com/o=myorg?uid?sub?(objectClass=person) AuthLDAPBindDN uid=httpd,ou=techusers,o=myorg AuthLDAPBindPassword secret AuthzLDAPAuthoritative off Require valid-user FileETag None </Location>
We are maintaining four repositories: one for our public Open Source artifacts and one for proprietary internal artifacts along with corresponding snapshot repositories. Access to the internal repository was limited based on an IP address range.
There are multiple reasons for us to use a repository manager:
- Unified access to repositories
In the old days all you needed was the central repo (formerly known as ibiblio). Times have changed and now many of our projects require artifacts from a variety of different repositories. It seems many organisations prefer having their own repos instead of publishing to central. This includes SpringSource, JBoss, Codehaus and several snapshot repos like for Apache. Maintaing a list of these repos in each developers settings.xml is a pity and including them in the poms makes things even worse in the long run. - Finer grained access control
On the one hand we need access to our internal repo from outside of our internal network, so IP based access control no longer works well. On the other hand not all developers should be allowed to publish releases. Some kind of role based access control was needed. - Automated creation of the Nexus index
A Nexus index is basically a zip file containing a lucene index of the artifacts in a repository. Most Maven IDE plugins now support searching for artifacts when adding dependencies to a project. To make this work the IDE must be be able to download an up to date index of the repositories. - Web based artifact search
You may know mvnrepository.com a web site to search for artifacts in the central repo. I've often used it to find the correct version and maven coordinates for a dependency. A similar solution for our internal repositories would be nice.
There are a lot more reasons to use a repository manager like faster builds through caching of artifacts, black- or whitelisting of artifacts based on corporate standards but those listed above were the key factors for us.
There are three products that can be used: Apache Archiva, Sonatype Nexus and JFrog's Artifactory. There is a feature matrix that shows their features.
I dropped Archiva because its development is rather slow and it is missing some important features like grouped repositories. So Nexus and Artifactory remained. I came across two blog postings from January: Sonatype's comparison and JFrog's response. Combined they provide a lot of insight. Here is my own comparison:
Security
Good LDAP integration is a must have. Artifactory supports this out of the box, Nexus does not include LDAP support in its Open Source edition. It is a Nexus Pro feature. I do understand that Sonatype is trying to sell its Pro version but LDAP support is really a basic and vital feature. Fortunately it is not too difficult to implement a custom authenticator for Nexus and in fact there is already a project at Google Code called nexus-ldap that adds free LDAP support to Nexus. Both Artifactory and Nexus support fine grained role based authorization. One problem I faced with Artifactory was that requiring authentication seems to be a global setting, so you either require authentication for all repositories or for none. This is less flexible than Nexus which allows us to make our Open Source repository available without authentication and requires authentication only for deployment and for our internal repositories.
Artifactory has a nice additional feature that eliminates the need to store the user's password in Maven's settingx.xml in clear text by encrypting the password with a user specific key stored in Artifactory. This is an interesting approach and I would like to see this concept being used more widely (e.g. for Subversion).
Storage
How the repository manager stores artifacts and meta data is the biggest difference between Artifactory and Nexus. Artifactory uses a Java Content Repository (JCR) that can optionally be hosted in a MySQL database.
Nexus stores artifacts and meta data in the file system. It uses the maven layout so it is easy to access the repositories managed by Nexus externally. This becomes handy not only for migration but also when synchronizing to central through rsync. Though Artifactory offers an export feature having my repository data available directly on the file system makes me feel better.
Searching and Indexing
Both Nexus and Artifactory publish indexes (based on Lucene) and provide a web interface for searching artifacts stored in the repository. Nexus takes this one step futher and also allows searching for artifacts in proxied repositoreis not yet stores in the local repository. This is really handy and eliminates the need to use external sites to search for artifacts and they current version.
Conclusion
Before I found nexus-ldap I was about to choose Artifactory over Nexus. After that I prefer Nexus for the file system based storage and better searching.
References
- Sonatype Nexus
- JFrog Artifactory
- nexus-ldap: Free LDAP authentication for Nexus
- Nexus Crowd Plugin
Re: Nexus vs. Artifactory
If you're using Crowd and Nexus, you might be interested in the Nexus Crowd Plugin written by Justin Edelson:
http://confluence.atlassian.com/display/CROWDEXT/Nexus+Crowd+Plugin
We're moving from Archiva to Nexus at Atlassian and the plugin's done everything we expected of it so far.
Cheers,
Dave O'Flynn
Re: Nexus vs. Artifactory
I am happy with Nexus, too.
The Crowd plugin also works well so far but I would love to see it support SSO for the Web UI.
Another problem I still see unsolved is having to store the password in plain text in settings.xml. In an environment that uses central authentication this is an even higher security risk than if it only affects a single application.
Subversion 1.6 has a few new features like support for storing passwords in KWallet and GNOME Keyring and storing SSL client certificate passphrases in KWallet, GNOME Keyring, Mac OS Keychain or Windows CryptoAPI.
Re: Nexus vs. Artifactory
Re: Nexus vs. Artifactory
a bit of rambling follows: i'm going thru the process of validating an existing artifactory deployment. in doing this, i setup the settings.xml to paramertize the repository settings so i could switch between artifactory, nexus and a standard scp repo. out of the gate, artifactory is easy to setup.
i too am of the mindset of having meta-data only in some type of data stor and the artifacts in the file system. the main reason i'm of that mindset is primarily an infrastructure design principle that calls for making as much of the infrastructure like a campground (white-box) versus a resort (black-box). we need to build infrastructure that empowers our co-workers to use intuitiveness as much as possible when working with the development environment.
the user interfaces of the web design for both tools (artifactory and nexus) are very poorly designed and unproductive to use.
i'm still get my feet wet with this repo managers. i think they are trying to solve a good problem, but i think they still have a long ways to go, they are just touching the tip of the iceberg...
they should be leveraging GIT to solve this problem. i would be inclined to throw a jruby/merb front-end on top of nexus and aritfactory... heck on top of the basic unmanaged repo too... i know that comment will bring some hoopla, but another core principle i use when deploying engineering infrastructure is rapid development and deployment. there are trade-offs of course, people that are productive in a java eco-system love to stay within that system. thats both understandable...but at the same time i'm seeing less and less systems thinkers and more and more apps thinkers locked into a single eco-system, that being java and at the same time i can also relate to the language and data format of the day... eating away at their time. i'm going part way in using jruby when i implement.
now this goes way off topic, but back in about 1996... i was at sun when they hired john osterhout (tcl), and attended his introductory speech on tcl. his observation i think was right on target and that was that every major language had a complimentary scripting language and his tought was tcl should be that to java. i agree in his observation (just not tcl). people will bringup groovy... but what we really need back then was for jython or jruby to have been around, it would have changed the java eco-system dramatically
it was like the gold rush back then... sun discovered java and made no real money to speak off, and ibm came along and harvested the gold and for awhile became the defacto go-to shop for java technology, and in the end, the java community made it a success, with sun along for the ride today we have choices, and because of that we have confusion. and when it comes to engineering infrastructure there is going to be lots of scripting. now the challenge is, walking into a gig and having to unravel all the 'choices'.
For the java developer wishing to stay tightly coupled inside the java world, choosing scripting answers like groovy makes sense. i understand that choice, but do not agree as both python and ruby are fantastic scripting languages that play nicely with the java world. maybe its languages like scala that will be the way of things to come. for me, its much more productive to be in a DSL/you-pick [scala, ruby] infrastructure than XML.
Even Tim Brey has talked about how XML was misused.
And my last though to wrap this up... developers do not need policy hidden in the form of convention. by and large developers are pretty dang intelligent folks. what they need are loosely coupled software components that can be use to define, implement and deploy infrastructure. i'm seeing a trend where people are justifying policy and conventions as a way to manage behavior. i think conventions are one thing, its not knowing when a convention is not longer a convention and is not a policy that is getting many of the tools developers into trouble.