Docker Bearer Token Anonymous Access Username

[ls5302]

Should the Docker Bearer Token work with any configure user for anonymous access, or does it require the username in anonymous access to be set to anonymous (the built in user).

What I have observer:

• If I use the built in anonymous user all is well.
• If I create a new user, e.g. foo, and give them nx-anonymous role I receive ‘authentication required’.
• If I modify the anonymous user and change their role to only access certain repo all is good.

If changing the username in anonymous access can break anonymous docker access should we be able to change it?

I had brief look at the code and 'anonymous' does appear to be hardcoded in the BearerTokenRealm class.

[mrprescott]

The Docker CLI has this unfortunate behavior where it always tries to log in so, despite Repository having anonymous mode turned on, the CLI pre-emptively tries and fails authentication. To get around this, there's a setting on the repository level called "Allow docker anonymous pull" that will allow any credentials to pass login.

[ls5302]

Allow anonymous pull is ticked in the repo but only works with the build in Anonymous account - maybe not surprising as new user accounts cannot be created without a password.