Open ashb opened 8 years ago
Disclosing the existence of content that is unauthorized is considered bad security.
Try it with GitHub: create a private GitHub repo, and try to access it while not logged in. You will get a 404, not a 403.
That is all well and good if the registry was returning a 404 in this case but it's not – docker is being given an HTTP 403 or 401 status code and it should respect that and act accordingly.
The only thing we are disclosing here to an unauthenticated user is that there is a registry present which is our decision to make. If docker gets told you need to log in it would certainly be much more user friendly and a time saver. I've had 6 team members come up to me over the last three days asking why the registry is broken after we introduced basic auth.
I can't test for certain that our v2 registry is actually returning a 401 right now but I can test on a v1 registry and that is returning a 401 and docker asks for a login. Is it just the code path for v2 that has this behaviour?
Confirmed - the registry gets a 401 on any url at all:
$ curl --fail http://our-registry.tld/v2/_catalog
curl: (22) The requested URL returned error: 401 Unauthorized
$ curl --fail http://our-registry.tld/v2/i-dont-exist-as-an-endpoint
curl: (22) The requested URL returned error: 401 Unauthorized
We have a private registry set up (using docker/distribution) behind nginx performing basic auth. If you run
docker login
then everything works as expected. However, if you haven't logged in you get an unexpected and unhelpful error message from docker of "not found" rather than "403". Output:
For completeness the image does exist:
Now I understand that because of the format of the image it is hard to determine if the name is a/ or / but if the registry reports a 403/401 and the image isn't found on the public hub then rather than a 404 it would make it much much clearer what the problem is if it said 'you need to log in'.
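The behaviour requested in this thread, as an added example that is not part of the issue and not code from docker or docker/distribution: a client-side mapping from the registry's HTTP status and `WWW-Authenticate` challenge to the message shown to the user. The names `pullError` and `challenge`, the image name suffix and the realm value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// pullError (hypothetical helper) turns a registry response into the message
// a client would show, keeping 401/403 distinct from a real 404.
func pullError(image string, resp *http.Response) string {
	switch resp.StatusCode {
	case http.StatusOK:
		return ""
	case http.StatusUnauthorized:
		scheme, realm := challenge(resp.Header.Get("WWW-Authenticate"))
		if scheme == "" {
			return fmt.Sprintf("%s: registry returned 401 without a challenge; log in and retry", image)
		}
		return fmt.Sprintf("%s: authentication required (%s, realm %q); run docker login", image, scheme, realm)
	case http.StatusForbidden:
		return fmt.Sprintf("%s: access denied for the current credentials", image)
	case http.StatusNotFound:
		return fmt.Sprintf("%s: not found", image)
	}
	return fmt.Sprintf("%s: unexpected registry status %d", image, resp.StatusCode)
}

// challenge extracts the auth scheme and realm from a WWW-Authenticate value.
// Simplified: assumes no commas inside quoted parameter values.
func challenge(h string) (scheme, realm string) {
	scheme, params, _ := strings.Cut(strings.TrimSpace(h), " ")
	for _, p := range strings.Split(params, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(p), "=")
		if ok && strings.EqualFold(k, "realm") {
			realm = strings.Trim(v, `"`)
		}
	}
	return scheme, realm
}

func main() {
	// Constructed responses: a proxy doing basic auth answers 401 on any URL.
	h := http.Header{}
	h.Set("WWW-Authenticate", `Basic realm="Registry"`)
	fmt.Println(pullError("our-registry.tld/app", &http.Response{StatusCode: 401, Header: h}))
	fmt.Println(pullError("our-registry.tld/app", &http.Response{StatusCode: 404}))
}
```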