docker_auth
Missing authn rule for "Pull through cache" registry use case
While I was trying to use the auth_server in the "pull through cache" registry use case (https://docs.docker.com/registry/recipes/mirror/) I faced the problem that the docker client cannot authorize.
Docker login is successful. Then I try "docker pull ubuntu" -> docker agent asks private registry (as pull through cache) -> Error in auth_server:
I0428 13:01:48.372414 8881 server.go:370] Auth request: {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]}
I0428 13:01:48.372537 8881 server.go:217] Authn static -> false, map[], did not match any rule
W0428 13:01:48.372552 8881 server.go:232] {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]} did not match any authn rule
W0428 13:01:48.372571 8881 server.go:378] Auth failed: {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]}
I used this acl:
- match: {account: "admin"}
  actions: ["*"]
  comment: "Admin has full access to everything."
Because I noticed that the username is not submitted by the docker client in this case, I also tried an IP-based ACL, but it doesn't match either...
- match: {ip: "192.168.1.0/24"}
  actions: ["pull"]
  comment: "Allow pull from docker net."
When I do a docker pull registry.mydomain.com/myimage the authentication is working fine.
I guess the reason why this happens is that there is no authn rule for this repository name "library". Can you help me add the right rule? Thanks in advance.
Best catsem
Please tell me if I did something wrong in the issue description. Or is this targeted use case impossible with cesanta/docker_auth?
I am also experiencing this issue. Please address.
Are you able to temporarily set the ACL to allow all? That would likely narrow down the issue to see if auth_server is able to support pull through cache.
Hi @techknowlogick
I am also experiencing an issue running this setup. I also tried by setting ACL to allow all, but same result.
This is my ACL configuration to allow all, if that's correct:
acl:
  - match: { }
    actions: [ "*" ]
    comment: "Logged in users have full access."
Hope it helps.
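A small triage script for the auth_server log lines quoted in the issue, added here as an example (it is not part of the thread or of docker_auth's code): it pulls the account, client address and scope out of each failed request and reports whether the failure was logged at the authn rule check. It assumes the braces hold `account:password@ip:port` and that requests are logged one after another; `triage` and its field names are hypothetical.

```python
import re

# Sample input: the four auth_server lines copied from the issue above.
SAMPLE_LOG = """\
I0428 13:01:48.372414 8881 server.go:370] Auth request: {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]}
I0428 13:01:48.372537 8881 server.go:217] Authn static -> false, map[], did not match any rule
W0428 13:01:48.372552 8881 server.go:232] {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]} did not match any authn rule
W0428 13:01:48.372571 8881 server.go:378] Auth failed: {:@192.168.1.25:41854 [{repository library/ubuntu [pull]}]}
"""

# Assumption: a request is printed as {account:password@ip:port [{type name [actions]}]}.
REQUEST = re.compile(
    r"\{(?P<account>[^:@{}]*):(?P<password>[^@{}]*)@(?P<ip>[\d.]+):(?P<port>\d+) "
    r"\[\{(?P<type>\S+) (?P<name>\S+) \[(?P<actions>[^\]]*)\]\}\]\}"
)


def triage(log_text):
    """Return one finding per 'Auth failed' line, noting the stage that logged the miss."""
    findings = []
    authn_miss = False  # set when the current request hit "did not match any authn rule"
    for line in log_text.splitlines():
        if "Auth request:" in line:
            authn_miss = False  # a new request starts (sequential logging assumed)
        elif "did not match any authn rule" in line:
            authn_miss = True
        elif "Auth failed:" in line:
            m = REQUEST.search(line)
            if m:
                findings.append({
                    "account": m["account"],
                    "anonymous": m["account"] == "",  # no username was sent
                    "client_ip": m["ip"],
                    "scope": f'{m["type"]}:{m["name"]}',
                    "actions": m["actions"].split(),
                    # "unknown" means the log gave no authn-rule miss for this request
                    "rejected_at": "authn" if authn_miss else "unknown",
                })
            authn_miss = False
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the quoted log this reports an anonymous request for `repository:library/ubuntu` rejected at `authn`, which is the stage to look at before changing any `acl` entry.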