
Comments (12)

klausmeyer avatar klausmeyer commented on May 30, 2024 1

I had the same issue during my tests.

Can you please check the logs of the auth server and the registry itself?
In my case I wasn't using the same value for the issuer in both places. After fixing this I also had to delete my cookies to get rid of the token issued with the wrong issuer attribute.


My (working) config
# files/auth.yaml

server:
  addr: ":5001"
  certificate: "/server.pem"
  key: "/server.key"

token:
  issuer: "www.example.com"  # Must match issuer in the Registry config.
  expiration: 900

users:
  # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC"  # badmin
  "test":
    password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya"  # 123

acl:
  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."
  - match: {account: "test"}
    actions: ["pull"]
    comment: "User \"test\" can pull stuff."

# docker-compose.yaml

version: '3'

services:

  auth:
    image: cesanta/docker_auth:1
    command: --v=2 --alsologtostderr /auth.yaml
    volumes:
      - './files/auth.yaml:/auth.yaml:ro'
      - './files/server.pem:/server.pem:ro'
      - './files/server.key:/server.key:ro'
    ports:
      - '5001:5001'

  registry:
    image: registry:2
    environment:
      - 'REGISTRY_AUTH_TOKEN_REALM=https://10.8.6.252:5001/auth'
      - 'REGISTRY_AUTH_TOKEN_SERVICE=Docker registry'
      - 'REGISTRY_AUTH_TOKEN_ISSUER=www.example.com'
      - 'REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/server.pem'
      - 'REGISTRY_HTTP_TLS_CERTIFICATE=/server.pem'
      - 'REGISTRY_HTTP_TLS_KEY=/server.key'
    volumes:
      - './files/server.pem:/server.pem:ro'
      - './files/server.key:/server.key:ro'
    ports:
      - '5000:5000'

  frontend:
    image: klausmeyer/docker-registry-browser:latest
    environment:
      - 'DOCKER_REGISTRY_URL=https://registry:5000'
      - 'NO_SSL_VERIFICATION=true'
      - 'TOKEN_AUTH_USER=admin'
      - 'TOKEN_AUTH_PASSWORD=badmin'
      - 'SSL_CERT_PATH=/server.pem'
      - 'SSL_KEY_PATH=/server.key'
    volumes:
      - './files/server.pem:/server.pem:ro'
      - './files/server.key:/server.key:ro'
    ports:
      - '8443:8443'

from docker-registry-browser.

jarnix avatar jarnix commented on May 30, 2024 1

Thank you very much for your test and your answer! I finally set an account with full "*" access and added a basic auth in an nginx reverse proxy (the only thing I had to add in the nginx proxy was a Header set Authorization "" or it was going in a 302 loop). I will maybe report an issue on the auth GitHub project.

Cheers :)

from docker-registry-browser.

klausmeyer avatar klausmeyer commented on May 30, 2024

Looks like docker_auth project improved their OAuth2 compatibility by changing their token response from token attribute to access_token.

I'll push a fix to support both.

from docker-registry-browser.

klausmeyer avatar klausmeyer commented on May 30, 2024

@lp35 the fix is now available in latest tag.

Please let me know if it works for you. I'll then publish a new release.

from docker-registry-browser.

lp35 avatar lp35 commented on May 30, 2024

Hi,

Thanks for the quick reply. I've got the following error in my browser:

The page isn’t redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

Log from the docker-registry-browser container (seems to loop for a few seconds, then the browser stops the request):

.
.
.
I, [2019-12-31T14:58:55.085320 #1]  INFO -- request: GET https://MYDOMAIN.pro/v2/_catalog?n=100
D, [2019-12-31T14:58:55.085408 #1] DEBUG -- request: User-Agent: "Faraday v0.17.1"
Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjM1WDY6RVYyRjpYQ0JaOkNEWkM6WERXVjpJNEJVOldBVFU6UFM2RzpYSU1ZOk5DTkY6RE1aRjpFS0wyIn0.eyJpc3MiOiJBY21lIGF1dGggc2VydmVyIiwic3ViIjoiZHh5eiIsImF1ZCI6IkRvY2tlciByZWdpc3RyeSIsImV4cCI6MTU3NzgwNTIzNSwibmJmIjoxNTc3ODA0MzI1LCJpYXQiOjE1Nzc4MDQzMzUsImp0aSI6IjIyNzIzMzAxOTEzMTAxNTM5NTYiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZWdpc3RyeSIsIm5hbWUiOiJjYXRhbG9nIiwiYWN0aW9ucyI6W119XX0.iQACWKf6jo4msxKRgiFFY5dKAnYc8_Rr90-jGqyiyoj88p1A9IxCK1eQGqj9YVPb9mqhfQt89z6uMfRlFdNGsP9NvgbMZxuTlTNt4jINbG9jss3O6eoL0PvCPLZywVSwAx9C1x36T0STX5vIxXSN26IYuYQGDZqo5siNybrBJ5wTuLaIWow5GOQ6C3cLA8XbOGSdBgYxEbu6BIqe34V7DyzN_OFWTK4qxmgCCBEWIiwinnAJqks2dYSyKx4zFhHi1Sx5zXRYQ27-ty-boJL92Q4vSjSylG3_Kt0wzWkLwpjCu_3RYBLyKF1hLdeuL4IqFjdKqAN0hbZO6kDRYvnIOw"
I, [2019-12-31T14:58:55.144107 #1]  INFO -- request: GET https://MYDOMAIN.pro:5001/auth?client_id=docker-registry-browser&offline_token=true&scope=registry%3Acatalog%3A%2A&service=Docker+registry
D, [2019-12-31T14:58:55.144205 #1] DEBUG -- request: User-Agent: "Faraday v0.17.1"
Authorization: "Basic ZHh5ejpjcmF6eWFhbTM1NzAw"
I, [2019-12-31T14:58:55.213751 #1]  INFO -- response: Status 200
D, [2019-12-31T14:58:55.213825 #1] DEBUG -- response: content-type: "application/json"
date: "Tue, 31 Dec 2019 14:58:55 GMT"
content-length: "761"
connection: "close"
I, [2019-12-31T14:58:55.214118 #1]  INFO -- : [28dcb16e-f77f-4ee0-9f67-880735949860] Redirected to http://MYDOMAIN.pro:5004/
I, [2019-12-31T14:58:55.214237 #1]  INFO -- : [28dcb16e-f77f-4ee0-9f67-880735949860] Completed 302 Found in 130ms (Allocations: 2484)
I, [2019-12-31T14:58:55.221062 #1]  INFO -- : [9679fd35-80ce-4360-bd1a-b045f322f320] Started GET "/" for 192.168.124.51 at 2019-12-31 14:58:55 +0000
I, [2019-12-31T14:58:55.221927 #1]  INFO -- : [9679fd35-80ce-4360-bd1a-b045f322f320] Processing by RepositoriesController#index as HTML
I, [2019-12-31T14:58:55.223343 #1]  INFO -- request: GET https://MYDOMAIN.pro/v2/_catalog?n=100
D, [2019-12-31T14:58:55.223521 #1] DEBUG -- request: User-Agent: "Faraday v0.17.1"
Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjM1WDY6RVYyRjpYQ0JaOkNEWkM6WERXVjpJNEJVOldBVFU6UFM2RzpYSU1ZOk5DTkY6RE1aRjpFS0wyIn0.eyJpc3MiOiJBY21lIGF1dGggc2VydmVyIiwic3ViIjoiZHh5eiIsImF1ZCI6IkRvY2tlciByZWdpc3RyeSIsImV4cCI6MTU3NzgwNTIzNSwibmJmIjoxNTc3ODA0MzI1LCJpYXQiOjE1Nzc4MDQzMzUsImp0aSI6IjMwNDAwNzU1MzA5Mzk4Nzk4MTAiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZWdpc3RyeSIsIm5hbWUiOiJjYXRhbG9nIiwiYWN0aW9ucyI6W119XX0.g0GeiRRtBck_HgfhC0mFzTlDX3EezNfF8DJWkdGc8E2sIA-rsai_CgN-eztb_kGdui5S0rqnMdpnoZvjq5kG19B8chEhg1Aq8Jj2VkseeyewkpV1PTwxr8P82MAoWg0K5v3dSo_fgoyPp0fZkuqGFYw_qWQoY0oYPDfG70onSjaSWGVpn4ujNh4DXREjSdqXvO-76cPtTUtnUNMc0rDVUA4AST96A0w0spCHcjdCSVMw8qj9O3WkbCXuPrCBRiLrrcGUenRmGI7l7U56fDLTlokj774KoCTABKIUCpMDC1zqN29Dc8LXfGibLdgRnwV0amnudfVyp3rKyF1BN18Bcw"
I, [2019-12-31T14:58:55.282025 #1]  INFO -- request: GET https://MYDOMAIN.pro:5001/auth?client_id=docker-registry-browser&offline_token=true&scope=registry%3Acatalog%3A%2A&service=Docker+registry
D, [2019-12-31T14:58:55.282091 #1] DEBUG -- request: User-Agent: "Faraday v0.17.1"
Authorization: "Basic ZHh5ejpjcmF6eWFhbTM1NzAw"
I, [2019-12-31T14:58:55.346089 #1]  INFO -- response: Status 200
D, [2019-12-31T14:58:55.346318 #1] DEBUG -- response: content-type: "application/json"
date: "Tue, 31 Dec 2019 14:58:55 GMT"
content-length: "761"
connection: "close"
I, [2019-12-31T14:58:55.346939 #1]  INFO -- : [9679fd35-80ce-4360-bd1a-b045f322f320] Redirected to http://MYDOMAIN.pro:5004/
I, [2019-12-31T14:58:55.347103 #1]  INFO -- : [9679fd35-80ce-4360-bd1a-b045f322f320] Completed 302 Found in 125ms (Allocations: 2496)

from docker-registry-browser.

lp35 avatar lp35 commented on May 30, 2024

It seems that I can browse a specific image, like

http://MYDOMAIN:5004/repo/test_image/

but I cannot access the root of the website (getting the error above).

from docker-registry-browser.

lp35 avatar lp35 commented on May 30, 2024

Working like a charm. Thanks!

from docker-registry-browser.

klausmeyer avatar klausmeyer commented on May 30, 2024

Nice 🎉

from docker-registry-browser.

lp35 avatar lp35 commented on May 30, 2024

Hi there!

I think I have another bug: it seems that I cannot delete tags/images...

from docker-registry-browser.

klausmeyer avatar klausmeyer commented on May 30, 2024

Just to be sure: Did you enable that feature in the registry itself?
There's a setting for it: https://docs.docker.com/registry/configuration/#delete

Usually when this isn't activated you see in the frontend logs an HTTP 403 error
returned from the registry's API.

Otherwise feel free to create a new issue for this topic

from docker-registry-browser.

jarnix avatar jarnix commented on May 30, 2024

Hi,
I'm also using cesanta/docker_auth, when I try to use the config that is in the example (https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml) :

  - match: {account: "/.+/", type: "registry", name: "catalog"}
    actions: ["*"]
    comment: "Logged in users can query the catalog."

My browser gets stuck in a 302 loop and the registry browser's output is filling up. It seems that the auth match (type: registry + name: catalog ?) does not let the registry browser get the catalog. The only way I could get this to work is to allow "*" on the account I use for the registry browser.

By any chance, do you know which setting to use in the docker_auth image's auth_config.yml to allow browsing of the registry?

from docker-registry-browser.

klausmeyer avatar klausmeyer commented on May 30, 2024

Hey,

I've just updated my test setup with that ACL and in my case I can successfully access the first page which is listing all the images. After clicking on an image I get the behaviour described by you (302 loop).

My supposition is that the ACL really just allows browsing the catalog (e.g. the /v2/_catalog endpoint) but then the permission to show the image details (e.g. /v2/{image}/tags/list) is missing.

As I'm not using the token based auth on my own I don't have enough experience to support with that ACL stuff - sorry.

Best Klaus

from docker-registry-browser.
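
The two causes discussed in this thread, an issuer that differs between auth server and registry and an ACL that grants no actions for the requested scope, can both be read out of the bearer token that appears in the frontend's debug log. The following is an added example, not code from docker-registry-browser or docker_auth: it decodes the claims without verifying the signature (diagnosis only), and `inspect_token`, its helpers and the sample token are constructed for illustration.

```python
import base64
import json


def encode_segment(data: dict) -> str:
    """base64url-encode a JSON object the way compact JWTs do (no padding)."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the payload segment. The signature is NOT verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def inspect_token(token, issuer, service, scope):
    """Return the reasons a registry configured with issuer/service would refuse scope."""
    if token.count(".") != 2:
        return ["not a compact JWT (expected three dot-separated segments)"]
    claims, problems = decode_claims(token), []
    if claims.get("iss") != issuer:
        problems.append(f"issuer: token {claims.get('iss')!r} != registry {issuer!r}")
    aud = claims.get("aud")
    if service not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"service: token {aud!r} != registry {service!r}")
    # Scope is type:name:actions; the name itself may contain ':' (host:port/repo).
    rtype, rest = scope.split(":", 1)
    name, wanted = rest.rsplit(":", 1)
    granted = set()
    for entry in claims.get("access") or []:
        if entry.get("type") == rtype and entry.get("name") == name:
            granted.update(entry.get("actions") or [])
    missing = sorted(set(wanted.split(",")) - granted)
    if missing:
        problems.append(f"scope: {rtype}:{name} lacks actions {missing}")
    return problems


# Constructed sample: issuer differs from the registry's setting and the catalog
# entry carries no granted actions. The signature segment is a dummy value.
SAMPLE = ".".join([
    encode_segment({"typ": "JWT", "alg": "RS256"}),
    encode_segment({"iss": "Acme auth server", "aud": "Docker registry",
                    "access": [{"type": "registry", "name": "catalog", "actions": []}]}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    for line in inspect_token(SAMPLE, "www.example.com", "Docker registry",
                              "registry:catalog:*"):
        print(line)
```

An auth server response with status 200 does not mean the scope was granted; an `access` entry with an empty `actions` list makes the registry refuse the request again, which the frontend shows as a redirect loop.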
