Comments (10)
Right, I have not found any POST or DELETE for catalog
Still it's not correct to request "push" permission for GET
I'll open an issue to docker then.
from docker-registry-browser.
For the 2nd issue there is workaround, to configure just catalog ACL for full access:
- match: {account: "", type: "registry", name: "catalog"}
  actions: ["*"]
  comment: "Anonymous may work with catalog"
Still I do not understand, is it registry limitation (then we need to open an issue for docker distribution), or the browser does something "extra" requiring full permissions?
from docker-registry-browser.
Hi @akrasnov-drv,
Thank you for a useful gui, we've been using it for some time with our internal registry.
Thanks for the nice feedback 🙇♂️
Please fix redirect error to at least show meaningful error message
Will have a look on that when I have some spare time.
You're right - currently it's not very self explaining what is going on in case of failing token auth.
Please consider fixing it to work with r/o permissions, the browser should be able to show info without push permission. Maybe there is some other ACL level besides "pull" and "push"?
That would be of course better. Just to be honest: I don't have much experience with the token auth and ACLs as I don't use it by myself. I just added that feature since it was requested and was glad to get it working with kind of a "blind implementation".
For the 2nd issue there is workaround, to configure just catalog ACL for full access:
[...]
Still I do not understand, is it registry limitation (then we need to open an issue for docker distribution), or the browser does something "extra" requiring full permissions?
I think it is not actually under the control of the registry browser.
At the moment it simply tries to call the API and depending on the "401 Unauthorized" response it either sends the configured basic credentials or obtains a token from the auth service it was delegated to and uses this for the following calls then.
from docker-registry-browser.
Hi @klausmeyer ,
Thank you for your reply.
I believe fixing redirect problem should be quite simple. No reason to do more than 1 call to auth URL. If you get Unauthorized again, just show error page. You may need some kind of session to control it, but you should know how to do it better than me.
Regarding API, what call do you use to get list of images? I see that call to get image tags and properties works fine with r/o access, the only problem is the browser home page that should show list of images.
from docker-registry-browser.
Regarding API, what call do you use to get list of images?
It's using GET /v2/_catalog.
That's probably why the workaround from your 2nd comment is working.
Maybe it's even the right thing to do and not just a workaround - as far as I know the catalog itself doesn't have any write actions so it should be fine to give it full access there.
from docker-registry-browser.
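The flow discussed in the comments above (call the API, answer the 401 with a token, and stop after one token attempt instead of redirecting again), as an added Ruby example that is not part of the thread or the project's code. The transport and token-service lambdas, the `example.test` hosts and the scope-list "token" are constructed stand-ins so the sketch runs offline; the `registry:catalog:*` scope is what the registry's Bearer challenge asks for on `GET /v2/_catalog`, matching the ACL entry with `actions: ["*"]`.

```ruby
class TokenAuthError < StandardError; end

# Parse `Bearer realm="...",service="...",scope="..."` into a hash.
def parse_bearer_challenge(header)
  scheme, params = header.to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('Bearer') && params
  params.scan(/(\w+)="([^"]*)"/).to_h
end

# transport:     ->(path, token) { [status, headers, body] }
# token_service: ->(challenge)   { token }
def registry_get(path, transport:, token_service:)
  status, headers, body = transport.call(path, nil)
  return body unless status == 401

  challenge = parse_bearer_challenge(headers['WWW-Authenticate'])
  raise TokenAuthError, "401 for #{path} without a Bearer challenge" unless challenge

  # Exactly one token attempt per request.
  token = token_service.call(challenge)
  status, _headers, body = transport.call(path, token)
  return body unless status == 401

  # Second 401: the ACL did not grant the requested scope. Report it, do not loop.
  raise TokenAuthError,
        "token rejected for #{path}; registry asked for scope #{challenge['scope']}"
end

# Constructed registry: a "token" is simply the list of scopes the ACL granted.
def fake_registry
  lambda do |path, token|
    needed = path == '/v2/_catalog' ? 'registry:catalog:*' : 'repository:app:pull'
    if token&.include?(needed)
      [200, {}, '{"ok":true}']
    else
      challenge = %(Bearer realm="https://auth.example.test/auth",) +
                  %(service="registry.example.test",scope="#{needed}")
      [401, { 'WWW-Authenticate' => challenge }, '']
    end
  end
end

# Constructed ACLs: pull-only on repositories vs. the catalog entry from the thread.
READ_ONLY_ACL = ->(c) { c['scope'].start_with?('repository:') ? [c['scope']] : [] }
CATALOG_ACL   = ->(c) { [c['scope']] }
```

With `READ_ONLY_ACL`, the tags call succeeds while the catalog call raises `TokenAuthError` naming the missing scope, which is the message an error page can show instead of redirecting.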
Just in case
distribution/distribution#3165
from docker-registry-browser.
Docker guy considers it as a feature not bug, so the only thing you can do about it is to add relevant comment to your Readme/docs.
And the only problem left is "The page isn’t redirecting properly"
from docker-registry-browser.
@akrasnov-drv I did manage to work on an improvement regarding that issue.
It's available as klausmeyer/docker-registry-browser:handle-token-issues image (temporary tag).
Would be awesome if you could give it a try before I merge & release it.
from docker-registry-browser.
Hi @klausmeyer,
I confirm the redirect issue is fixed.
Just maybe worth changing session ttl, at least if browser is not configured for auth (I mean auth to enter the browser). Otherwise, in case of failure in getting proper token I need to manually remove cookie after docker auth (permission) is fixed. I think setting session time to something between 5 sec and 1 min would be good here.
Thank you for fixing.
from docker-registry-browser.
Thanks for having a look.
Think I'll keep the session as it is - it's mentioned in the error page to clear the cookies after the issue has been resolved.
Best, Klaus
from docker-registry-browser.