Docker Registry and Basic Auth

Question

I have a simple Docker Registry running on a remote VM with Basic Auth set up for authentication. Before I started running the registry, I issued the following command (which I just shamelessly copy-and-pasted from those docs):

docker run --entrypoint htpasswd registry:2 -Bbn myuser 12345passwd > auth/htpasswd

This produced an auth/htpasswd file that contains the myuser entry and some kind of encrypted/encoded signature of the password I provided above. So this is obviously the file that the Registry will use for authenticating users.

Some concerns:

• How do I add new users to this file? Do I have to restart the registry container for the changes to take effect (I would hope not!)?
• How do I revoke users from this file, just a simple text edit? Again, what needs to happen for the changes to take effect?
• Is there a way to enforce authorization/roles (read/write access) here? I would hope that the registry allows for more than just one universal "you have unbridled access" role! Ideally I'd like to have fine grained access control over which users have read/write access to which containers/repos.

Answer 1

You can refer to the Apache htpasswd command (for instance htpasswd -D <username> would remove an account)

The docker run you did was to execute that command (overriding the default command of a registry image with --entrypoint), and add, update or remove users.

Note docker distribution (which produces docker registry 2.0) has discussions about role-based access (like issues 635):

Note that registry 2.1 will release with native basic auth, which might be sufficient. However, no role-based access control is provided. Adding ACL support is realistic with some careful thought and a PR.