Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to connect to registry with token auth #47

Closed
Crocmagnon opened this issue Aug 6, 2018 · 9 comments
Closed

Unable to connect to registry with token auth #47

Crocmagnon opened this issue Aug 6, 2018 · 9 comments
Labels
question

Comments

@Crocmagnon
Copy link

Crocmagnon commented Aug 6, 2018
edited
Loading

Hi,
I'm unable to connect to my registry using either the static option with URL, with REGISTRY_URL or the dynamic one.

I'm always getting a "toast" with the response from the server:

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "message": "authentication required",
            "detail": null
        }
    ]
}

Here's a screenshot:
screenshot_20180806_160232

Things to note:

  • Both run inside a company network, not accessible from the internet
  • The registry works fine with authentication. I can docker login stable.registry.example.com without any issue.
  • I tried to use the demo version, it didn't work either. I got an error saying to check my connectivity and set the Access-Control-Allow-Origin header to https://joxit.github.com (which I did).
  • Both services are served through Traefik, which handles the routing and the TLS part.

Here's my docker-compose.yml

version: '3.5'

services:
  ui:
    image: joxit/docker-registry-ui:static
    environment:
      #- URL=https://stable.registry.example.com
      - REGISTRY_URL=http://registry:5000
    networks:
      - traefik-net
    deploy:
      placement:
        constraints:
          - node.role == worker
          - node.platform.os == linux
      update_config:
        order: start-first
      labels:
        - "traefik.port=80"
        - "traefik.docker.network=traefik-net"
        - "traefik.enable=true"
        - "traefik.frontend.rule=Host:ui.registry.example.com"
        - "traefik.backend.loadbalancer.stickiness=true"
        - "traefik.backend.loadbalancer.method=drr"
  registry:
    image: registry:2
    networks:
      - traefik-net
    volumes:
      - /mnt/registry:/var/lib/registry
    env_file: env.env  # The env file only contains the HTTP secret key
    deploy:
      placement:
        constraints:
          - node.role == worker
          - node.platform.os == linux
          - node.labels.registry == true
      update_config:
        order: start-first
      labels:
        - "traefik.port=5000"
        - "traefik.docker.network=traefik-net"
        - "traefik.enable=true"
        - "traefik.frontend.rule=Host:edge.registry.example.com,stable.registry.example.com"
        - "traefik.backend.loadbalancer.stickiness=true"
        - "traefik.backend.loadbalancer.method=drr"
    configs:
      - source: docker_auth.pem
        target: /docker_auth.pem
      - source: registry_config.yml
        target: /etc/docker/registry/config.yml

networks:
  traefik-net:
    external: true

configs:
  docker_auth.pem:
    file: ./docker_auth.pem
  registry_config.yml:
    file: ./registry_config.yml
    name: registry_config_v${REGISTRY_CONFIG_VERSION}.yml

and my registry_config.yml

version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['https://ui.registry.example.com']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Headers: ['Authorization']
    Access-Control-Max-Age: [1728000]
    Access-Control-Allow-Credentials: [true]
    Access-Control-Expose-Headers: ['Docker-Content-Digest']
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
auth:
  token:
    rootcertbundle: /docker_auth.pem
    realm: "https://stable.docker-auth.example.com/auth"
    service: "Docker registry"
    issuer: "example docker auth server"
@Joxit
Copy link
Owner

Joxit commented Aug 7, 2018

Hello, thank you for your issue.

I'm sorry but the UI can only use basic authentication and not authentication by token 😕

auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/htpasswd

Maybe one day this will be available.

Basic auth can be a security issue sometimes (when you use it with docker login).
I suggest you connect to your registry with token and have a basic-auth connection for the UI only with restricted rights (only GET/OPTION/HEADER methods on /v2/, ).

I hope this will help you

@Crocmagnon
Copy link
Author

Crocmagnon commented Aug 7, 2018
edited
Loading

Thanks for your answer ☺️
Sadly that's a no-go for us as we need LDAP auth. Do you happen to know of a web UI that would allow to use token auth with an external provider ? I saw https://hub.docker.com/r/hyper/docker-registry-web/ but it seems to include the authentication server and it's too complex for our use case.

I also suggest to edit the readme in order to reflect the fact that only basic auth is supported and make it explicit that token auth is not 😉

@Crocmagnon Crocmagnon changed the title Unable to connect to registry: getting toast with server response Unable to connect to registry with token auth Aug 7, 2018
@Joxit
Copy link
Owner

Joxit commented Aug 12, 2018

You are welcome.

Sorry but I don't know any other alternatives to do it 😕 good luck to find what you are looking for.

@Joxit Joxit added the question label Aug 12, 2018
@Joxit Joxit closed this as completed Nov 29, 2018
@mboussaa
Copy link

mboussaa commented Oct 30, 2020
edited
Loading

@Joxit Hello, following this issue, I guess token based authentification is still not supported. You said previously that we can set the "basic-auth connection for the UI only with restricted rights (only GET/OPTION/HEADER"

My question is how to set these options "GET/OPTION/HEADER" with a joxit/docker-registry-ui:static image?
BR.

@Joxit
Copy link
Owner

Joxit commented Nov 1, 2020

Hi @mboussaa, I wrote a new example for you here. I'm using the UI as a proxy to the registry with some access right for read/write.

Is that what you were looking for?

@vitalybrandes
Copy link

@Joxit
Using those can i do both, the token auth to registry and basic-auth to ui?
If so, can you please specify how?

thanks allot.

@vitalybrandes
Copy link

Thanks for your answer ☺️
Sadly that's a no-go for us as we need LDAP auth. Do you happen to know of a web UI that would allow to use token auth with an external provider ? I saw https://hub.docker.com/r/hyper/docker-registry-web/ but it seems to include the authentication server and it's too complex for our use case.

I also suggest to edit the readme in order to reflect the fact that only basic auth is supported and make it explicit that token auth is not 😉

@Crocmagnon
Did you find any solution?

@Crocmagnon
Copy link
Author

Did you find any solution?

@vitalybrandes sorry, I left this job more than two years ago and I can't remember what we ended up with. Also, the landscape must have changed a lot since then 😕

@Joxit
Copy link
Owner

Joxit commented Apr 13, 2021

Hi there, in 2.0.0 token auth will be avalable via keycloak/docker token auth v2 protocol 🚀 checkout #167 and the new example https://github.com/Joxit/docker-registry-ui/tree/main/examples/token-auth-keycloak

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Crocmagnon @Joxit @mboussaa @vitalybrandes