docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

Registry behind basic auth when not logged in returns 'not found' #1034

Open ashb opened 8 years ago

ashb commented 8 years ago

We have a private registry set up (using docker/distribution) behind nginx performing basic auth. If you run docker login then everything works as expected.

However if you haven't logged in you get an unexpected and unhelpful error message from the docker of "not found" rather than "403". Output:

$ docker logout our-registry.tld
Remove login credentials for our-registry.tld
$ docker -D -l=debug pull our-registry.tld/elasticsearch-nocluster:latest | cat
time="2015-10-13T10:12:10+01:00" level=debug msg="Trusting certs with subjects: [0\x0e1\f0\n\x06\x03U\x04\n\x13\x03ash]"
Pulling repository our-registry.tld/elasticsearch-nocluster
Error: image elasticsearch-nocluster:latest not found

For completeness the image does exist:

$ docker login our-registry.tld
Username: developer
Password:
Email: fake@fake
WARNING: login credentials saved in /Users/ash/.docker/config.json
docker -D -l=debug pull our-registry.tld/elasticsearch-nocluster:latest | cat
time="2015-10-13T10:14:37+01:00" level=debug msg="Trusting certs with subjects: [0\x0e1\f0\n\x06\x03U\x04\n\x13\x03ash]"
latest: Pulling from elasticsearch-nocluster
8cb663799d83: Pulling fs layer
acf42f005a15: Pulling fs layer
b25249291828: Pulling fs layer
...

Now I understand that because of the format of the image name it is hard to determine if the name is a / or /, but if the registry reports a 403/401 and the image isn't found on the public hub then, rather than a 404, it would make it much much clearer what the problem is if it said 'you need to log in'.

dmp42 commented 8 years ago

Disclosing the existence of content that is unauthorized is considered bad security.

Try it with Github: create a private github repo, and try to access it while not logged-in. You will get a 404, not a 403.

ashb commented 8 years ago

That is all well and good if the registry was returning a 404 in this case, but it's not – docker is being given an HTTP 403 or 401 status code and it should respect that and act accordingly.

The only thing we are disclosing here to an unauthenticated user is that there is a registry present which is our decision to make. If docker gets told you need to log in it would certainly be much more user friendly and a time saver. I've had 6 team members come up to me over the last three days asking why the registry is broken after we introduced basic auth.

ashb commented 8 years ago

I can't test for certain that our v2 registry is actually returning a 401 right now but I can test on a v1 registry and that is returning a 401 and docker asks for a login. Is it just the code path for v2 that has this behaviour?

ashb commented 8 years ago

Confirmed - the registry returns a 401 on any URL at all:

$ curl --fail http://our-registry.tld/v2/_catalog
curl: (22) The requested URL returned error: 401 Unauthorized
$ curl --fail http://our-registry.tld/v2/i-dont-exist-as-an-endpoint
curl: (22) The requested URL returned error: 401 Unauthorized
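The two behaviours argued about in this thread (a client that honours a 401/403 from the registry instead of collapsing it into "not found", and a basic-auth front end that challenges on every URL, existing or not, so that nothing about repository existence is disclosed to anonymous callers) can be reproduced locally. The following is an added example, not code from docker/distribution or from the docker client: it runs a constructed stand-in for "nginx with basic auth in front of a v2 registry" on a loopback port and a small client that classifies the manifest request by status code. The credentials, repository name and realm are constructed values.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed credentials and paths for the fake registry (not real values).
VALID_USER, VALID_PASS = "developer", "hunter2"
KNOWN_PATHS = {"/v2/", "/v2/elasticsearch-nocluster/manifests/latest"}


class FakeRegistry(http.server.BaseHTTPRequestHandler):
    """Models nginx basic auth in front of a v2 registry: every path is
    challenged first, so an anonymous caller cannot tell a real repository
    from a nonexistent one (the 401-on-any-URL behaviour shown with curl)."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(
            f"{VALID_USER}:{VALID_PASS}".encode()).decode()
        if self.headers.get("Authorization", "") != expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="our-registry"')
            self.end_headers()
            return
        if self.path in KNOWN_PATHS:
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(b"{}")
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_registry():
    """Start the fake registry on a free loopback port in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeRegistry)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def classify_pull(base_url, repo, tag, credentials=None):
    """Request a manifest and report what the status code actually says:
    401 -> you need to log in, 403 -> logged in but not allowed,
    404 -> the image really is not found. This is the distinction the
    issue asks the docker client to surface instead of a blanket 'not found'."""
    req = urllib.request.Request(f"{base_url}/v2/{repo}/manifests/{tag}")
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5):
            return "ok"
    except urllib.error.HTTPError as e:
        if e.code == 401:
            challenge = e.headers.get("WWW-Authenticate", "") or "no challenge header"
            return f"authentication required ({challenge})"
        if e.code == 403:
            return "forbidden: logged in but not permitted"
        if e.code == 404:
            return "not found"
        return f"unexpected HTTP {e.code}"


def demo():
    """Run the four cases: anonymous/authenticated x existing/missing image."""
    srv = start_registry()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    creds = (VALID_USER, VALID_PASS)
    results = {
        "anon_existing": classify_pull(base, "elasticsearch-nocluster", "latest"),
        "anon_missing": classify_pull(base, "i-dont-exist", "latest"),
        "auth_existing": classify_pull(base, "elasticsearch-nocluster", "latest", creds),
        "auth_missing": classify_pull(base, "i-dont-exist", "latest", creds),
    }
    srv.shutdown()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

Both anonymous requests come back as "authentication required" regardless of whether the repository exists, which is the non-disclosing behaviour dmp42 describes; only once credentials are supplied does the registry distinguish "ok" from "not found". A client that maps the 401 straight to "image not found" throws away the one piece of information the unauthenticated user actually needs.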