
pass the Authentication data from header

Open xujinzheng opened this issue 10 years ago • 3 comments

We could pass the authentication data from the headers, so it could integrate better with nginx and LDAP, and the username & password could be left empty when the Authentication header is not empty. And btw, I think it is better to hide the password in the web UI.

xujinzheng avatar Jun 07 '15 16:06 xujinzheng

Are you using the latest version? The password has been hidden in the registry list. Where are you referring to?

As for authentication headers: how do you see it working? Add the headers to the registry's configuration and then the tool automatically passes that to the registry for each request?

atcol avatar Jun 07 '15 18:06 atcol

I use docker-registry-ui from the Docker image; I pulled it the day before yesterday.

I will configure docker-registry-ui behind nginx and add ldap_auth to the nginx server. When I request the docker-registry-ui web page, it will prompt me to input a username and password, and then each request will have the Authentication header, so docker-registry-ui could get the header from the request and pass it to docker-registry when it sends a request.

nginx location configuration of the registry:


    location / {
        auth_ldap "Forbidden";
        auth_ldap_servers ldap_server;
        proxy_pass http://registry;
    }

    location ~* /v1/repositories/(?<namespace>([^/]*))/ {
        limit_except GET {
           auth_ldap "Forbidden";
           auth_ldap_servers ldap_server;
        }

        set $deny_write_request "";
        if ($request_method = PUT) {
              set $deny_write_request "W";
        }
        if ($request_method = DELETE) {
              set $deny_write_request "W";
        }
        if ($remote_user != $namespace) {
              set $deny_write_request "${deny_write_request}A";
        }
        if ($deny_write_request = 'WA') {
              return 401;
        }

        proxy_pass http://registry;
    }  

    location ~* /v1/images/(.*?)/json {
        limit_except GET {
           auth_ldap "Forbidden";
           auth_ldap_servers ldap_server;
        }

        proxy_pass http://registry;
    }

And we could add the following directives to the location block:

    proxy_set_header Authorization $http_authorization;
    proxy_pass_header  Authorization;

If we get the Authentication data, then we will get the username, so we could control permissions by LDAP user group, and users could only edit their own images.

xujinzheng avatar Jun 08 '15 02:06 xujinzheng
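
Added example, not part of the original thread or the docker-registry-ui code: a Python version of how an application behind the nginx proxy could read the username from the forwarded `Authorization: Basic` header and apply the same owner-only write rule as the `WA` flag logic in the config above. The function names are hypothetical, and it assumes nginx has already verified the credentials against LDAP.

```python
import base64
import binascii
import re

# Same path pattern as the posted nginx location (unanchored, case-insensitive like ~*).
NAMESPACE_RE = re.compile(r"/v1/repositories/(?P<namespace>[^/]*)/", re.IGNORECASE)
# The two methods the posted config flags with "W".
WRITE_METHODS = {"PUT", "DELETE"}


def basic_auth_user(authorization):
    """Return the username from an 'Authorization: Basic ...' value, or None.

    Assumption: the proxy already checked the password; this only extracts
    the identity, it does not authenticate anything.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header: treat as anonymous
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def namespace_rule_allows(method, path, authorization):
    """Mirror the 'WA' rule: refuse PUT/DELETE unless user == namespace."""
    match = NAMESPACE_RE.search(path)
    if match is None or method.upper() not in WRITE_METHODS:
        return True  # request is outside the scope of the namespace rule
    user = basic_auth_user(authorization)
    # Case-sensitive comparison, like nginx's "!=" on $remote_user.
    return user is not None and user == match.group("namespace")
```

The forwarded header is only trustworthy if the application is reachable exclusively through the authenticating proxy; a client that can connect to it directly can send any username.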

@xujinzheng your idea is interesting. Any progress on your idea?

My registry works behind nginx with password authentication. If I link the registry container to docker-registry-ui, it will be a back door: anyone who gets the docker-registry-ui URL can delete the image tags.

So I would like to enable password authentication for docker-registry-ui.

afengisme avatar Jun 19 '15 02:06 afengisme