UI doesn't ask for user and password when using token auth
When using cesanta/docker_auth, the UI doesn't ask for user and password for image deletion when anonymous read access is allowed to the registry.
I suggest asking for credentials and adding them to the auth server request when a bearer is passed to the registry but it responds with 401.
Before here:
https://github.com/Joxit/docker-registry-ui/blob/1ca1a1a20769c93b11cdbaec282ee3d4683d9d94/src/components/docker-registry-ui.riot#L130
Hi, thank you for using my project and submitting issues.
Could you share your minimum configuration so I can reproduce your issue?
I am facing similar issues with GitLab as auth provider. My config is something like this:
auth:
  token:
    realm: https://gitlab.example.com/jwt/auth
    service: container_registry
    issuer: gitlab-issuer
    rootcertbundle: /root/certs/certbundle
I feel like Juan is right and there should be a way to catch the 401 and display an input box. Once the user has submitted their auth provider's credentials, and it has responded with the bearer token, it would be a matter of using it for the registry requests in a similar way as you do with Basic auth.
I'm also trying to set up the UI with https://github.com/cesanta/docker_auth as the token auth service and saw this behaviour.
@juan-ferrer-toribio did you manage to get the UI otherwise working with cesanta/docker_auth, without the anonymous user? I'm seeing the browser's HTTP basic auth dialog several times on each page -- i.e. once for every so-and-so ajax requests. I don't have the nginx proxy described in the example https://github.com/Joxit/docker-registry-ui/tree/main/examples/token-auth-keycloak in place, instead only a TLS-terminating reverse proxy that sends the domain's /v2, /ui and /auth paths to the registry, UI and docker_auth containers respectively. So that might somehow be confusing the browser.
@Joxit this is not quite a full minimum config, but what triggers the problem the OP is describing seems to be that the anonymous user (identified by username '', commented out below) is present in cesanta/docker_auth's auth_config.yml file:
# ...
users:
  # '': {}
  foo:
    pass: "$2b$12$abcxyz..."
  bar:
    pass: "$2b$12$abcxyz..."
# ...
Hi @ppar,
Without the anonymous user I got it working, but I need anonymous read access since my registry is public, and I also need authenticated delete access.
@Joxit I've deployed UI with bare standard config using Helm, nothing special:
ui:
  image: joxit/docker-registry-ui:2.5.6
  title: "My registry"
  dockerRegistryUrl: https://registry.mydomain.org
  registrySecured: true
  deleteImages: true
  ingress:
    enabled: true
    host: registry.mydomain.org
registry:
  enabled: true
  image: registry:2.8.3
  dataVolume:
    persistentVolumeClaim:
      claimName: registry-data
  auth:
    token:
      autoredirect: false
      issuer: "docker-auth"
      realm: "https://registry.mydomain.org/auth"
      service: "docker-registry"
      rootcertbundle: /rootcertbundle.pem
  ingress:
    enabled: true
    host: registry.mydomain.org
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: '0'
With the following cesanta/docker_auth Helm config:
image:
  repository: cesanta/docker_auth
  tag: 1.13.0
configmap:
  data:
    token:
      issuer: "docker-auth"
      expiration: 86400
    users:
      "": {}
      admin:
        password: "$2y$05$***"
    acl:
      - match: { account: "admin", ip: "10.0.0.0/8" }
        actions: ["*"]
        comment: "Admin has full access to everything."
      - match: { account: "", type: "registry", name: "catalog"}
        actions: ["*"]
        comment: "Anonymous user can query the registry"
      - match: { account: "" }
        actions: ["pull"]
        comment: "Anonymous user can pull"
ingress:
  enabled: true
  hosts:
    - registry.mydomain.org
  path: /auth
  annotations:
    kubernetes.io/ingress.class: nginx-public
    external-dns.alpha.kubernetes.io/hostname: registry.mydomain.org
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  tls:
    - hosts:
        - registry.mydomain.org
secret:
  data:
    server:
      certificate: |
        ***
      key: |
        ***
Hi @juan-ferrer-toribio, if you are using my Helm Chart, I don't remember supporting the token auth 🤔
I can add it if you need it
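The flow suggested in this thread (prompt for credentials only when a request that already carried a bearer token is still answered with 401), as an added example that is not docker-registry-ui or docker_auth code. The registry and auth server are constructed in-memory stand-ins mirroring the ACL posted above (anonymous may pull, admin may do everything); the function names, the repository name and the password are assumptions.

```javascript
// Added example: in-memory stand-ins, not docker-registry-ui or docker_auth code.
// Parse `Bearer realm="...",service="...",scope="..."` from WWW-Authenticate.
function parseChallenge(header) {
  const m = /^Bearer\s+(.*)$/i.exec(header || '');
  if (!m) return null;
  const params = {};
  for (const [, k, v] of m[1].matchAll(/(\w+)="([^"]*)"/g)) params[k] = v;
  return params;
}

// Constructed auth server mirroring the ACL above: "" may pull, admin may do all.
// It returns a token listing only the granted actions (possibly none).
function authServer({ scope }, creds) {
  if (creds && !(creds.user === 'admin' && creds.pass === 'constructed-secret')) return null;
  const account = creds ? creds.user : '';
  const [type, name, actions] = scope.split(':'); // simple names only (no host:port)
  const granted = actions.split(',').filter((a) => account === 'admin' || a === 'pull');
  return { account, access: [{ type, name, actions: granted }] };
}

// Constructed registry: 401 plus a challenge unless the token grants the action.
function registry({ method, repo, token }) {
  const need = method === 'DELETE' ? 'delete' : 'pull';
  const ok = token && token.access.some((a) => a.name === repo && a.actions.includes(need));
  if (ok) return { status: method === 'DELETE' ? 202 : 200 };
  return { status: 401, wwwAuthenticate: 'Bearer realm="https://registry.mydomain.org/auth",' +
    `service="docker-registry",scope="repository:${repo}:${need}"` };
}

// Client: try an anonymous token first; prompt only when a request that already
// carried a bearer token is still answered with 401.
function request(req, promptCredentials) {
  const steps = [];
  let res = registry(req);
  let creds = null;
  for (let attempt = 0; attempt < 2 && res.status === 401; attempt++) {
    const challenge = parseChallenge(res.wwwAuthenticate);
    if (!challenge) break;
    if (attempt === 1 && !(creds = promptCredentials(challenge))) break;
    const token = authServer(challenge, creds);
    if (!token) break; // wrong credentials: stop, keep the 401
    steps.push(`token:${token.account || 'anonymous'}`);
    res = registry({ ...req, token });
  }
  return { status: res.status, steps };
}
```

In a browser the two stand-ins would be `fetch` calls: the token request goes to the challenge's `realm` with `service` and `scope` as query parameters, and the prompted credentials are sent there, not to the registry.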