Comments (3)
There is the endpoint /openshift/token. You should get it from the Www-Authenticate header:
$ curl -I 'https://registry.openshift.example.com/v2/' | grep ^Www-Authenticate:
Www-Authenticate: Bearer realm="https://registry.openshift.example.com/openshift/token"
And you should follow this protocol if you want to be compatible with other registries (and with future versions of the integrated registry). But the current implementation just checks the token and returns it back to the client, so it doesn't have the ability to limit the scope of the token. If you want to have a token with a limited scope, you should create another user and give it a different set of permissions using RBAC.
@dmage, thanks for your help.
The token service is working on my cluster:
curl -k -s -u admin:Yp6SF3zMcoJamundefined0QlJkPmIUmOVXX4ZcBnOM8p2FW9PCA "https://docker-registry.default.svc:5000/openshift/token"
{"access_token":"Yp6SF3zMcoJamundefined0QlJkPmIUmOVXX4ZcBnOM8p2FW9PCA","token":"Yp6SF3zMcoJamundefined0QlJkPmIUmOVXX4ZcBnOM8p2FW9PCA"}
But access with the WWW-Authenticate header failed:
curl -k -s -H "WWW-Authorization: Bearer Yp6SF3zMcoJamundefined0QlJkPmIUmOVXX4ZcBnOM8p2FW9PCA" "https://docker-registry.default.svc:5000/v2/openshift/rhpam71-businesscentral-indexing-openshift/manifests/1.0"
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"openshift/rhpam71-businesscentral-indexing-openshift","Action":"pull"}]}]}
[ec2-user@still-piranha-master ~]$ curl -k -s
Then I tried and successfully called the registry with the Authenticate header:
[ec2-user@still-piranha-master ~]$ curl -k -s -H "Authorization: Bearer Yp6SF3zMcoJamundefined0QlJkPmIUmOVXX4ZcBnOM8p2FW9PCA" "https://docker-registry.default.svc:5000/v2/openshift/rhpam71-businesscentral-indexing-openshift/manifests/1.0"
{
"schemaVersion": 1,
"name": "openshift/rhpam71-businesscentral-indexing-openshift",
"tag": "1.0",
"architecture": "amd64",
"fsLayers": [
{
"blobSum": "sha256:f3333ec81dd28ef84823693def1894b8ea085924da4809c8e91f2fd9ea9878c9"
},
{
"blobSum": "sha256:7a92edd89a4672cf1334075b395bb804e2600f9a62207a0428e78e3dd770c708"
},
{
"blobSum": "sha256:e3479b324492384d3a7fc5420f62bbf4e7cb0a161325c7cda4d0cbfb577d70ff"
},
{
"blobSum": "sha256:8d9c78c7f9887170d08c57ec73b21e469b4120682a2e82883217535294878c5d"
},
{
"blobSum": "sha256:e17262bc23414bd3c0e9808ad7a87b055fe5afec386da42115a839ea2083d233"
},
{
"blobSum": "sha256:378837c0e24ad4a2e33f0eb3d68dc0c31d9a7dbbd5357d4acafec1d3a7930602"
}
So the Authenticate header is the one that actually works?
WWW-Authorization is the header that the client should expect to receive from the server.
Authorization is the header that the client should use to send its credentials.
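The flow discussed in this thread, as an added example that is not part of the original comments or the registry's own code: it parses the Www-Authenticate challenge, checks the realm before any credentials would be sent to it, and puts the token in the Authorization header of the retried request. The response headers are constructed; `trusted_hosts`, the function names, and the handling of `service` and `scope` (optional challenge parameters from the Docker registry token authentication specification, not shown on this page) are assumptions.

```python
import re
from urllib.parse import urlencode, urlsplit

# Constructed 401 response headers; the challenge line is the one quoted in the thread.
SAMPLE_HEADERS = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n"
    'Www-Authenticate: Bearer realm="https://registry.openshift.example.com/openshift/token"\r\n'
)

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(raw_headers):
    """Return the Bearer challenge parameters found in raw response headers."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue  # header names are case-insensitive
        scheme, _, params = value.strip().partition(" ")
        if scheme.lower() == "bearer":
            return dict(_PARAM.findall(params))
    raise ValueError("no Bearer challenge in response")


def token_url(challenge, trusted_hosts):
    """Build the token request URL, refusing realms that should not see credentials."""
    realm = urlsplit(challenge["realm"])
    if realm.scheme != "https":
        raise ValueError("realm is not https; refusing to send credentials")
    if realm.hostname not in trusted_hosts:
        raise ValueError(f"realm host {realm.hostname!r} is not trusted")
    # Assumption: service and scope, when present, are echoed back as query parameters.
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    url = challenge["realm"]
    return f"{url}?{urlencode(query)}" if query else url


def registry_request_headers(token):
    """Headers for the retried registry request: the token goes in Authorization."""
    return {"Authorization": f"Bearer {token}"}
```
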