nexus-public icon indicating copy to clipboard operation
nexus-public copied to clipboard

Published 20 hours ago verified publisher icon sonatype

Docker Bearer Token Anonymous Access Username

Open ls5302 opened this issue 1 year ago • 2 comments

Should the Docker Bearer Token work with any configure user for anonymous access, or does it require the username in anonymous access to be set to anonymous (the built in user).

What I have observer:

  • If I use the built in anonymous user all is well.
  • If I create a new user, e.g. foo, and give them nx-anonymous role I receive ‘authentication required’.
  • If I modify the anonymous user and change their role to only access certain repo all is good.

If changing the username in anonymous access can break anonymous docker access should we be able to change it?

I had brief look at the code and 'anonymous' does appear to be hardcoded in the BearerTokenRealm class.

ls5302 avatar Jan 08 '24 19:01 ls5302

The Docker CLI has this unfortunate behavior where it always tries to log in so, despite Repository having anonymous mode turned on, the CLI pre-emptively tries and fails authentication. To get around this, there's a setting on the repository level called "Allow docker anonymous pull" that will allow any credentials to pass login.

mrprescott avatar Jan 09 '24 20:01 mrprescott

Allow anonymous pull is ticked in the repo but only works with the build in Anonymous account - maybe not surprising as new user accounts cannot be created without a password.

ls5302 avatar Jan 10 '24 09:01 ls5302