Unable to connect to registry with token auth
Crocmagnon opened this issue · comments
Hi,
I'm unable to connect to my registry using either the static option with `URL`, with `REGISTRY_URL` or the dynamic one.
I'm always getting a "toast" with the response from the server:
```json
{
  "errors": [
    {
      "code": "UNAUTHORIZED",
      "message": "authentication required",
      "detail": null
    }
  ]
}
```
Things to note:
- Both run inside a company network, not accessible from the internet
- The registry works fine with authentication. I can `docker login stable.registry.example.com` without any issue.
- I tried to use the demo version, it didn't work either. I got an error saying to check my connectivity and set the Access-Control-Allow-Origin header to `https://joxit.github.com` (which I did).
- Both services are served through Traefik, which handles the routing and the TLS part.
Here's my docker-compose.yml
```yaml
version: '3.5'

services:
  ui:
    image: joxit/docker-registry-ui:static
    environment:
      #- URL=https://stable.registry.example.com
      - REGISTRY_URL=http://registry:5000
    networks:
      - traefik-net
    deploy:
      placement:
        constraints:
          - node.role == worker
          - node.platform.os == linux
      update_config:
        order: start-first
      labels:
        - "traefik.port=80"
        - "traefik.docker.network=traefik-net"
        - "traefik.enable=true"
        - "traefik.frontend.rule=Host:ui.registry.example.com"
        - "traefik.backend.loadbalancer.stickiness=true"
        - "traefik.backend.loadbalancer.method=drr"

  registry:
    image: registry:2
    networks:
      - traefik-net
    volumes:
      - /mnt/registry:/var/lib/registry
    env_file: env.env # The env file only contains the HTTP secret key
    deploy:
      placement:
        constraints:
          - node.role == worker
          - node.platform.os == linux
          - node.labels.registry == true
      update_config:
        order: start-first
      labels:
        - "traefik.port=5000"
        - "traefik.docker.network=traefik-net"
        - "traefik.enable=true"
        - "traefik.frontend.rule=Host:edge.registry.example.com,stable.registry.example.com"
        - "traefik.backend.loadbalancer.stickiness=true"
        - "traefik.backend.loadbalancer.method=drr"
    configs:
      - source: docker_auth.pem
        target: /docker_auth.pem
      - source: registry_config.yml
        target: /etc/docker/registry/config.yml

networks:
  traefik-net:
    external: true

configs:
  docker_auth.pem:
    file: ./docker_auth.pem
  registry_config.yml:
    file: ./registry_config.yml
    name: registry_config_v${REGISTRY_CONFIG_VERSION}.yml
```
and my registry_config.yml
```yaml
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['https://ui.registry.example.com']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Headers: ['Authorization']
    Access-Control-Max-Age: [1728000]
    Access-Control-Allow-Credentials: [true]
    Access-Control-Expose-Headers: ['Docker-Content-Digest']
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
auth:
  token:
    rootcertbundle: /docker_auth.pem
    realm: "https://stable.docker-auth.example.com/auth"
    service: "Docker registry"
    issuer: "example docker auth server"
```
Hello, thank you for your issue.
I'm sorry but the UI can only use basic authentication and not authentication by token

```yaml
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/htpasswd
```
Maybe one day this will be available.
Basic auth can be a security issue sometimes (when you use it with docker login).
I suggest you connect to your registry with token and have a basic-auth connection for the UI only with restricted rights (only GET/OPTION/HEADER methods on /v2/, ).
I hope this will help you
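For readers following the thread, an added example (not part of the thread or the project's code) of why a basic-auth-only client ends at `UNAUTHORIZED`: with `auth.token` configured, the registry's 401 carries a Bearer challenge, and the client has to fetch a token from the realm it names. The sample header is constructed from the `registry_config.yml` values above; the scope value and the function names are assumptions.

```python
import re
from urllib.parse import urlencode

# Constructed sample: the challenge a registry with the auth.token block above
# would send with its 401 (realm/service from that config; scope is assumed).
SAMPLE_CHALLENGE = (
    'Bearer realm="https://stable.docker-auth.example.com/auth",'
    'service="Docker registry",scope="registry:catalog:*"'
)

_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (lowercased scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    params = {k.lower(): v for k, v in _PARAM.findall(rest)}
    return scheme.lower(), params


def token_request_url(header):
    """Return the URL a token-aware client must GET to obtain a bearer token.

    Raises ValueError for a non-Bearer challenge or a non-HTTPS realm, because
    the client's credentials are sent to the realm.
    """
    scheme, params = parse_challenge(header)
    if scheme != "bearer":
        raise ValueError("not a token challenge: " + scheme)
    realm = params.get("realm", "")
    if not realm.startswith("https://"):
        raise ValueError("refusing non-HTTPS realm: " + realm)
    query = {k: params[k] for k in ("service", "scope") if k in params}
    return realm + ("&" if "?" in realm else "?") + urlencode(query)


def client_can_authenticate(header, supported=("basic",)):
    """True if a client that only speaks `supported` schemes can answer."""
    return parse_challenge(header)[0] in supported


if __name__ == "__main__":
    print(token_request_url(SAMPLE_CHALLENGE))
    print(client_can_authenticate(SAMPLE_CHALLENGE))
```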
Thanks for your answer
Sadly that's a no-go for us as we need LDAP auth. Do you happen to know of a web UI that would allow using token auth with an external provider? I saw https://hub.docker.com/r/hyper/docker-registry-web/ but it seems to include the authentication server and it's too complex for our use case.
I also suggest editing the readme in order to reflect the fact that only basic auth is supported and make it explicit that token auth is not
You are welcome.
Sorry but I don't know any other alternatives to do it. Good luck finding what you are looking for.
@Joxit Hello, following this issue, I guess token-based authentication is still not supported. You said previously that we can set the "basic-auth connection for the UI only with restricted rights (only GET/OPTION/HEADER"
My question is how to set these options "GET/OPTION/HEADER" with a `joxit/docker-registry-ui:static` image?
BR.
@Joxit
Using those, can I do both, the token auth to the registry and basic-auth to the UI?
If so, can you please specify how?
Thanks a lot.
> Thanks for your answer ☺️
> Sadly that's a no-go for us as we need LDAP auth. Do you happen to know of a web UI that would allow to use token auth with an external provider ? I saw https://hub.docker.com/r/hyper/docker-registry-web/ but it seems to include the authentication server and it's too complex for our use case.
> I also suggest to edit the readme in order to reflect the fact that only basic auth is supported and make it explicit that token auth is not

@Crocmagnon Did you find any solution?

> Did you find any solution?

@vitalybrandes sorry, I left this job more than two years ago and I can't remember what we ended up with. Also, the landscape must have changed a lot since then
Hi there, in 2.0.0 token auth will be available via keycloak/docker token auth v2 protocol. Check out #167 and the new example https://github.com/Joxit/docker-registry-ui/tree/main/examples/token-auth-keycloak