user_mda

Reputation: 19388

Anonymous pull on docker repo in artifactory

I am on artifactory version 4.6 and have the following requirement on the docker registry.

  1. Allow anonymous pulls on docker repository
  2. Force authentication on the SAME docker repository

I know this is available out of the box on the later versions of artifactory. However, upgrading isn't an option for us for a while.

Does the following work around work?

  1. Create a virtual docker repository on port 8443 and don't force authentication , call it docker-virtual
  2. Create a local docker repository and force authentication, call it docker-local on port 8444
  3. Configure 'docker-virtual' with the default deployment directory as 'docker-local'

    docker pull docker-virtual should work
    docker push docker-virtual should ask for credentials

Upon failure, I should be able to docker login docker-virtual and docker push docker-virtual/myImage

Upvotes: 5

Views: 5228

Answers (3)

KCD

Reputation: 10281

No idea if this works with artifactory, sorry. You could try this handy project for docker registry auth.

Configure the registry to use this https://hub.docker.com/r/cesanta/docker_auth/

# registry config.yml
...
auth:
  token:
    # can be the same as your docker registry if you use nginx to proxy /auth to docker_auth
    # https://docs.docker.com/registry/recipes/nginx/
    realm: "example.com:5001/auth"
    service: "Docker registry"
    issuer: "Docker Registry auth server"
    rootcertbundle: /certs/domain.crt

And allow anonymous with the corresponding ACL

# cesanta/docker_auth auth_config.yml
...

users:
  # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC"  # badmin
  "": {}  # Allow anonymous (no "docker login") access.


ldap_auth:
  # See: https://github.com/cesanta/docker_auth/blob/master/examples/ldap_auth.yml

acl:
  # See https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml#L178
  - match: {account: "/.+/"}
    actions: ["*"]
    comment: "Logged in users do anything."
  - match: {account: ""}
    actions: ["pull"]
    comment: "Anonymous users can pull anything."
  # Access is denied by default.

Upvotes: 0
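Before pointing a registry at an ACL like the one above, it is worth dry-running it: docker_auth evaluates `acl` entries in order, the first entry whose `match` block fits the request decides which of the requested actions are granted, and a request matching no entry is denied. The evaluator below is an added example written for this page, not code from docker_auth or from the answer; it models those semantics in a simplified form (a `/.../` pattern is a regex, anything else is an exact match, and glob patterns and the `type`/`ip`/`labels` fields are not implemented). The ACL is embedded as a Python structure copied from the answer, so no YAML parser is needed, and the requested action sets mirror what the Docker client asks for: `pull` for `docker pull`, `push,pull` for `docker push`. The second, constructed `SHADOWED_ACL` is not from the page; it shows how a broad first entry silently strips push from everyone.

```python
import re
from typing import Dict, List

# Constructed copy of the ACL from the answer above (docker_auth auth_config.yml).
ACL = [
    {"match": {"account": "/.+/"}, "actions": ["*"],
     "comment": "Logged in users do anything."},
    {"match": {"account": ""}, "actions": ["pull"],
     "comment": "Anonymous users can pull anything."},
]

# Constructed misconfiguration (not from the page): the catch-all entry comes
# first, so no later entry is ever reached and nobody can push.
SHADOWED_ACL = [
    {"match": {"account": "/.*/"}, "actions": ["pull"],
     "comment": "Everyone can pull."},
    {"match": {"account": "/.+/"}, "actions": ["*"],
     "comment": "Intended to let logged in users push, but never reached."},
]


def _field_matches(pattern: str, value: str) -> bool:
    """Assumption (simplified docker_auth semantics): a pattern wrapped in
    slashes is a regex anchored to the whole value; anything else must match
    exactly. docker_auth also accepts globs, which this model omits."""
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], value) is not None
    return pattern == value


def _entry_matches(match: Dict[str, str], request: Dict[str, str]) -> bool:
    # Every key present in the entry's match block must match the request;
    # keys absent from the entry act as wildcards.
    return all(_field_matches(p, request.get(k, "")) for k, p in match.items())


def allowed_actions(acl: List[dict], request: Dict[str, str]) -> List[str]:
    """First matching entry wins; no match means deny everything."""
    for entry in acl:
        if _entry_matches(entry["match"], request):
            return list(entry["actions"])
    return []


def authorize(acl: List[dict], account: str, repo: str,
              actions: List[str]) -> List[str]:
    """Return the subset of the requested actions that the ACL grants.

    docker_auth issues a token scoped to the granted subset; if the subset is
    empty (or lacks "push" for a docker push) the registry refuses the request.
    An empty account string is an anonymous client (no docker login).
    """
    request = {"account": account, "type": "repository", "name": repo}
    granted = allowed_actions(acl, request)
    if "*" in granted:
        return list(actions)
    return [a for a in actions if a in granted]


def dry_run(acl: List[dict]) -> Dict[str, List[str]]:
    """Evaluate the scenarios from the question against an ACL."""
    return {
        "anonymous docker pull": authorize(acl, "", "myImage", ["pull"]),
        "anonymous docker push": authorize(acl, "", "myImage", ["push", "pull"]),
        "admin docker push": authorize(acl, "admin", "myImage", ["push", "pull"]),
    }


if __name__ == "__main__":
    for name, acl in (("ACL", ACL), ("SHADOWED_ACL", SHADOWED_ACL)):
        print(name)
        for scenario, granted in dry_run(acl).items():
            print(f"  {scenario:22s} -> granted {granted or 'nothing'}")
```

With the answer's ACL, an anonymous `docker push` is granted only `pull`, which is exactly the behaviour the question asks for: the pull half of the push succeeds, the blob upload is refused, and the client is told to log in. With `SHADOWED_ACL` even `admin` gets only `pull`, so check entry order whenever a wildcard account pattern is added above more specific entries.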

BMitch

Reputation: 263597

Not sure about the artifactory side, but perhaps the following Docker advice helps.

You can run two registries, one RW with authentication, and a second RO without any authentication, in Docker:

docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/certs:/certs:ro \
  -v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
  -v `pwd`/registry:/var/lib/registry \
  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
  -e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=My Registry" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
  registry:2

docker run -d -p 5001:5000 --restart=always --name registry-ro \
  -v `pwd`/certs:/certs:ro \
  -v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
  -v `pwd`/registry:/var/lib/registry:ro \
  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
  -e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
  -e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
  registry:2

Note the volume settings for /var/lib/registry in each container. Then to pull from the anonymous registry, you'd just need to change the port. Since the filesystem is RO, any attempt to push to 5001 will fail.

Upvotes: 4

JBaruch

Reputation: 22893

The closest thing you can achieve is failing on docker push without credentials (while succeeding with pull).

Upvotes: 1
