Skip to content

Remove Maven central request forwarding feature

Description

The rollout of the feature flag is blocked by Maven package registry, group level endpoint: s... (#393933).

Maven package registry, group level endpoint: s... (#393933) proposes changing the maven package finder to return the packages without looking at users permissions. It'll mainly affect two cases:

  1. When the duplicate packages are published to the two different projects and the user doesn't have an access to the most recent one.
    Before The user will get the previous published version of the package that they an access to 200 OK
    After The user won't get any packages 403 Forbidden as not enough permission to read the most recent package.
  2. The request forward feature.
    Before The package exists but the user doesn't have permissions to read it. The finder won't return any packages and the request will be forwarded to the maven central (when the feature is enabled).
    After The user's request won't be forwarded to the maven central since the package exists but user doesn't have permission to read it.

This is a breaking change that won't be implemented details.

Proposal

In light of the blockers identified above and given that the Maven virtual registry enables connectivity to public registries, remove the Maven central request forwarding feature.

⚠️ Please wait until the Maven virtual registry becomes GA.

Edited by 🤖 GitLab Bot 🤖