Bug: "The page isn’t redirecting properly" when full access permissions are not provided about docker-registry-browser HOT 10 CLOSED

Right, I have not found any POST or DELETE for catalog
Still it's not correct to request "push" permission for GET
I'll open an issue to docker then.

from docker-registry-browser.

For the 2nd issue there is workaround, to configure just catalog ACL for full access:

  - match: {account: "", type: "registry", name: "catalog"}
    actions: ["*"]
    comment: "Anonymous may work with catalog"

Still I do not understand, is it registry limitation (then we need to open an issue for docker distribution), or the browser does something "extra" requiring full permissions?

from docker-registry-browser.

Hi @akrasnov-drv,

Thank you for a useful gui, we've been using it for some time with our internal registry.

Thanks for the nice feedback 🙇‍♂️

Please fix redirect error to at least show meaningful error mesage

Will have a look on that when I have some spare time.
You're right - currently it's not very self explaining what is going on in case of failing token auth.

Please consider fixing it to work with r/o permissions, the browser should be able to show info without push permission. Maybe there is some other ACL level besides "pull" and "push"?

That would be of course better. Just to be honest: I don't have much experience with the token auth and ACLs as I don't use it by myself. I just added that feature since it was requested and was glad to get it working with kind of a "blind implementation".

For the 2nd issue there is workaround, to configure just catalog ACL for full access:
[...]
Still I do not understand, is it registry limitation (then we need to open an issue for docker distribution), or the browser does something "extra" requiring full permissions?

I think it is not actually under the control of the registry browser.

At the moment the it simply tries to call the API and depending on the "401 Unauthorized" response it either sends the configured basic credentials or obtains a token from the auth service it was delegated to and uses this for the following calls then.

from docker-registry-browser.

Hi @klausmeyer ,
Thank you for your reply.

I believe fixing redirect problem should be quite simple. No reason to do more than 1 call to auth URL. If you get Unathorized again, just show error page. You may need some kind of session to control it, but you should know how to do it better than me.

Regarding API, what call do you use to get list of images? I see that call to get image tags and properties works fine with r/o access, the only problem is the browser home page that should show list of images.

from docker-registry-browser.

Regarding API, what call do you use to get list of images?

It's using GET /v2/_catalog.

That's probably why the workaround from your 2nd comment is working.
Maybe it's even the right thing to do and not just a workaround - as far as I know the catalog itself doesn't have any write actions so it should be fine to give it full access there.

from docker-registry-browser.

Just in case
distribution/distribution#3165

from docker-registry-browser.

Docker guy considers it as a feature not bug, so the only thing you can do about it is to add relevant comment to your Readme/docs.
And the only problem left is "The page isn’t redirecting properly"

from docker-registry-browser.

@akrasnov-drv I did manage to work on a improvement regarding that issue.

It's available as klausmeyer/docker-registry-browser:handle-token-issues image (temporary tag).

Would be awesome if you could give it a try before I merge & release it.

from docker-registry-browser.

Hi @klausmeyer,
I confirm the redirect issue is fixed.
Just maybe worth changing session ttl, at least if browser is not configured for auth (I mean auth to enter the browser). Otherwise, in case of failure in getting proper token I need to manually remove cookie after docker auth (permission) is fixed. I think setting session time to something between 5 sec and 1 min would be good here.
Thank you for fixing.

from docker-registry-browser.

Thanks for having a look.

Think I'll keep the session as it is - it's mentioned in the error page to clear the cookies after the issue has been resolved.

Best, Klaus

from docker-registry-browser.