Docker Registry allowing unauthenticated to pull

Globally i allow anonymous access, on the docker registry i have anonymous access disabled, yet users are able to pull images without logging in first.

I edited the default anonymous role and manually granted read/browse access to all the repo’s i wanted it to access and excluded the container registry’s that i don’t. This did solve my issue, it seems really backwards that a global setting like that overrides the repository anonymous configuration.

This is as described in the documentation - Docker Authentication

Maybe i’m reading that documentation wrong but

By default when using Nexus Repository Manager, all docker repositories require authentication to be read from using the command line tools regardless of any permissions granted by the [Anonymous](Anonymous Access) user (if enabled) or, in the case of proxy repositories, the remotes’ settings. For Docker in NXRM, this can be bypassed on a per repository basis by editing the repository settings and enabling the Allow anonymous docker pull checkbox under the Repository Connectors section shown at the bottom of Figure: “Repository Connectors Configuration including Allow anonymous docker pull” .

I have the global anonymous user enabled with the default read&browse access to all repositories, and i have the anonymous user disabled on my container registry.

Command line tools are still able to pull from my registry without being authenticated.