cesanta / docker_auth

Authentication server for Docker Registry 2
Apache License 2.0

Missing authn rule for "Pull through cache" registry use case #176

Open catsem opened 7 years ago

catsem commented 7 years ago

While I was trying to use the auth_server in the "pull through cache" registry use case (https://docs.docker.com/registry/recipes/mirror/) I faced the problem that the docker client cannot authorize.

Docker login is successful. Then I try "docker pull ubuntu" -> docker agent asks private registry (as pull through cache) -> Error in auth_server:

I0428 13:01:48.372414    8881 server.go:370] Auth request: {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]}
I0428 13:01:48.372537    8881 server.go:217] Authn static  -> false, map[], did not match any rule
W0428 13:01:48.372552    8881 server.go:232] {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]} did not match any authn rule
W0428 13:01:48.372571    8881 server.go:378] Auth failed: {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]}

I used this acl:

  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."

Because I noticed that the username is not submitted by docker client in this case I also tried an ip-based acl but it doesn't match either...

  - match: {ip: "192.168.1.0/24"}
    actions: ["pull"]
    comment: "Allow pull from docker net."

When I do a docker pull registry.mydomain.com/myimage the authentication is working fine.

I guess the reason why this happens is because there is no authn rule for this repository name "library". Can you help me add the right rule? Thanks in advance.

Best catsem
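
A triage sketch for the log excerpt in the post above, added here as an example and not part of the original thread or of docker_auth: it parses the quoted lines and reports which account the request carried and which stage rejected it. The `{user:password@ip:port [scopes]}` layout is an assumption inferred from those lines alone, and the function names are hypothetical.

```python
import re

# The four auth_server log lines quoted in the issue, embedded so this runs offline.
SAMPLE_LOG = """\
I0428 13:01:48.372414    8881 server.go:370] Auth request: {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]}
I0428 13:01:48.372537    8881 server.go:217] Authn static  -> false, map[], did not match any rule
W0428 13:01:48.372552    8881 server.go:232] {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]} did not match any authn rule
W0428 13:01:48.372571    8881 server.go:378] Auth failed: {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]}
"""

# Assumed layout, inferred from those lines only: {user:password@ip:port [scopes]}
REQ = re.compile(r"\{(?P<user>[^:@]*):(?P<pw>[^@]*)@(?P<ip>[\d.]+):\d+ \[(?P<scopes>.*)\]\}")
SCOPE = re.compile(r"\{(\S+) (\S+) \[([^\]]*)\]\}")


def parse_request(text):
    """Return the request fields found in one log line, or None if there are none."""
    m = REQ.search(text)
    if not m:
        return None
    scopes = [(kind, name, acts.split()) for kind, name, acts in SCOPE.findall(m["scopes"])]
    return {"account": m["user"], "anonymous": m["user"] == "" and m["pw"] == "",
            "ip": m["ip"], "scopes": scopes}


def triage(log):
    """Summarise each failed request: who asked, for what, and which stage rejected it."""
    failures = []
    authn_rejected = set()  # raw request strings seen with "did not match any authn rule"
    for line in log.splitlines():
        m = REQ.search(line)
        if not m:
            continue  # e.g. the per-backend "Authn static" line carries no request
        raw = m.group(0)
        if "did not match any authn rule" in line:
            authn_rejected.add(raw)
        elif "Auth failed:" in line:
            req = parse_request(line)
            req["stage"] = "authn" if raw in authn_rejected else "unknown"
            failures.append(req)
    return failures


if __name__ == "__main__":
    for failure in triage(SAMPLE_LOG):
        print(failure)
```

On the quoted lines it reports one failed request with an empty account from 192.168.1.25, asking to pull `library/ubuntu`, rejected at the authn stage.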

catsem commented 7 years ago

Please tell me if I did something wrong in the issue description. Or is this targeted use case impossible with cesanta/docker_auth?

WSLUser commented 5 years ago

I am also experiencing this issue. Please address.

techknowlogick commented 3 years ago

Are you able to temporarily set the ACL to allow all? That would likely narrow down the issue to see if auth_server is able to support pull through cache.

noglitchyo commented 2 years ago

Hi @techknowlogick

I am also experiencing an issue running this setup. I also tried by setting ACL to allow all, but same result.

This is my ACL configuration to allow all, if that's correct:

acl:
  - match: { }
    actions: [ "*" ]
    comment: "Logged in users have full access."

Hope it helps.