Docker repository anonymous access for current namespace

Hello!

We have a private docker-repository in our Nexus and we have some private namespaces via content selectors.

Some developers want the next thing:

  1. For example, we have the namespace /library that is "free for all".
  2. We have a private namespace, let's say /coolteam/awesomproject/image.
  3. Some developers want to grab images from /library without any auth and use them. Can we achieve this somehow?
     If I enable "anonymous pull" in the repository settings, then it just ignores all private namespaces and a developer can grab any image from any namespace, because this option affects the whole repository. Can I somehow enable this option only for the /library namespace for anonymous pull (and use it without logging in to the Nexus repo)?

I tried to create another private docker repo and create a group with two hosted repos, but still, when I try to enable "anonymous pull" for the group it just ignores all private namespaces and the user is able to grab any image he wants.

Hi!

When a user accesses Nexus without logging in, they are actually accessing Nexus as the user 'anonymous'. This user is listed as a user and has the 'nx-anonymous' role associated with it. You could create your own custom role that uses content selectors and gives read-only access to those namespaces you wish to give everyone access to. Then associate this custom role with the anonymous user instead of the default one.

Hi!

What I tried:
I have 2 content selectors:

  1. for blobs, with path (format == "docker" and path =~ "/v2/|/v2/blobs/.*|/v2/search/.*"), because even the anonymous user needs to access them to download layers;
  2. for the library namespace, with path (format == "docker" and path =^ "/v2/library/"), to access manifests and tags in this scope.

Next, I created 2 privileges based on those selectors with read, browse, edit rights. Then I created a docker-anonymous Nexus role and included these privileges in this role alongside nx-repository-view-*-*-read and nx-repository-view-*-*-browse.

Then I went to the Users section, selected anonymous and assigned this role to it.

After that I tried to pull the image again and got the following:
docker pull registry.mycompany.ru/library/awesome:latest
Error response from daemon: Get registry.mycompany.ru/library/awesome:latest no basic auth credential

If I use docker login and try to pull from the /library namespace, everything goes fine. So that means the docker repository, nginx, upstreams and so on are configured properly, and my problem now is only some misconfiguration of the new anonymous role. Am I missing something?

Version of docker is 19.03.1
Version of Nexus: 3.18.1-01
Docker bearer Realm enabled

In repository settings “Allow anonymous pull” = false, so the problem might be in that, I suppose. But if I enable that option there will be no “private” namespaces at all :slight_smile:

PS: anonymous search works just fine and without issues.
docker search registry.mycompany.ru/library/someimage
NAME                                              DESCRIPTION   STARS   OFFICIAL   AUTOMATED
registry.mycompany.ru/library/someimage:latest                  0

Update: even though the registry works via https, I tried adding it as an insecure registry. Now the error changes to:
Error response from daemon: EOF

Checked that I’m not logged into this registry.
docker logout registry.mycompany.ru
No credentials for this registry.

Also found this issue (https://issues.sonatype.org/browse/NEXUS-10813) and looked at my nginx config again; it's fine and does not have a proxy_set_header Authorization "" section.

So further investigation of the logs tells me that under the hood it is still a 401 error:
2019-09-04T12:54:40+03:00 1567590880.536 registry.mycompany.ru GET /v2/ - - someIPAdress docker/19.03.1 go/go1.12.5 git-commit/74b1e89 kernel/5.0.0-25-generic os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.1 \x5C(linux\x5C)) - 401 0.004 244 - -

One more update: I thought the mistake could be in the content selector, and docker uses /v2 for auth (we checked that via Fiddler):
HTTP/1.1 401 Unauthorized
Date: Wed, 04 Sep 2019 13:51:48 GMT
Content-Type: application/json
Content-Length: 113
Connection: close
X-Content-Type-Options: nosniff
Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
X-XSS-Protection: 1; mode=block
WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
Docker-Distribution-Api-Version: registry/2.0

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}

I have created one more selector only to access the /v2 namespace (my first selector already has this in its expression, but I wanted to be sure there were no mistakes), assigned it to the docker-anonymous role and then assigned this role to the anonymous user. Still no luck, and the error is the same: no basic auth credentials from the docker client.

And I also disabled the first content selector with this expression (format == "docker" and path =~ "/v2/|/v2/blobs/.*|/v2/search/.*"); obviously docker search now doesn't work and returns a 401 error.

That means this selector is configured properly and allows access to the /v2/, blobs and search APIs.

But still anonymous pull doesn't work.
I also tried to set the anonymous user to use the Docker Bearer realm instead of the Local Authenticating realm.
But Fiddler still shows in the output (I mean of the docker client) that it tries to use Basic auth to contact the docker registry:

X-XSS-Protection: 1; mode=block
WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
Docker-Distribution-Api-Version: registry/2.0

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}

Hello again.

Can you give me a hint where my mistake in the configuration is? Because for now I don't really understand where else to dig to make this thing work :frowning:

I was thinking of reverse content selection, for example: allow anonymous pull for everything, but restrict some dedicated namespaces until login. But content selectors work a little differently :slight_smile:

Will be glad for any assistance.

I will bump this topic one more time, because our company needs to make a decision about what type of docker registry we will use. It would be cool to use Nexus because it can be one entry point for all packages of different types, including docker images for our CI.

Otherwise we will use Harbor for docker images =[

Hi Ado,

I have not replied to your inquiries because I am not sure what could be causing the issue. Are you using the OSS or Pro version? If you had Pro I would recommend opening up a support ticket to help troubleshoot.

No, we are using OSS version.

But still, it looks like a bug if this feature is supposed to be present, or a feature request to implement it.

Hello once again.
For now this problem is solved and everything works properly. Sorry for the inconvenience in my last post.

For those who experienced the same problems, here is a recipe to make this work properly and save some time:

  1. In the docker repository settings you need to enable the option for anonymous pull.
  2. Next you need to create a content selector with read rights to anonymously pull images from that namespace.
     As an example:
     format == "docker" and path =~ ".*/library/.*"
  3. Next you need to create your own privilege with read rights based on that content selector.
  4. Now the most confusing part for me: you need to create your own custom anonymous role.
     What was the main point of confusion for me: the built-in anonymous role (nx-anonymous) contains the following permissions:
     • nx-healthcheck-read
     • nx-repository-view-*-*-browse
     • nx-repository-view-*-*-read (that is the problem one)
     • nx-search-read
     Here's the deal: nx-repository-view-*-*-read grants access to all namespaces of all repositories (the wildcard makes a big difference here) and simply ignores all your private namespaces created by content selectors for the docker repo. With this built-in role the anonymous user will be able to download any image from your docker repo.

     So let's fix that a little and create our custom anonymous role; CompanyAnonymous will be its name. Then we assign privileges to it:

     • nx-healthcheck-read
     • nx-repository-view-*-*-browse
     • nx-search-read
     • nx-repository-view-<repositorytype>-*-read (the point is that you need to specify all your repo types here one by one, without including the built-in read permission with the wildcard. So there will be many repository types, excluding the docker repo)
  5. Now you need to go to the Users section, find the built-in anonymous user, remove the nx-anonymous role from it and assign your custom role to this user.
  6. HAZZZZAAAAAAH, everything works now.

PS: As an idea, maybe improve the official documentation about docker repos a little with this point?


I thank you for your detailed description that helped me configure my anonymous docker registry access; however, I also had to change the realm of anonymous access to make it work.

On /#admin/security/anonymous the realm named "Docker Bearer Token" was not making it work; I had to switch to "Local Authenticating Realm".

Is it normal ?

I am running Sonatype Nexus Repository Manager - PRO 3.38.1-01

The anonymous user is the user that all non-logged-in users have. It must be an actual user in the realm, which means that you can't ever use the Docker Bearer Token realm for it. I believe we have some changes coming in the next release that should remove realms that cannot be used for the anonymous user, which should help prevent that mistake.

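The recipe in the solution post (content selector, selector-based privilege, custom anonymous role without the wildcard read, re-assigning the anonymous user) and the realm caveat in the last reply can be scripted and audited rather than clicked through. The script below is an added example written for this page; it is not code from the thread or from Sonatype. It assumes a Nexus 3 release that exposes the /service/rest/v1/security/* endpoints (they arrived after the 3.18.1 in the original question, so check your version's API browser), and the names docker-public-library, docker-public-library-read and CompanyAnonymous are hypothetical. The repository-level "Allow anonymous docker pull" checkbox from step 1 is not touched here and still has to be set. The offending_privileges check is the part worth keeping: it flags any privilege on a role that would let the anonymous user read every docker namespace regardless of content selectors, which is exactly the nx-repository-view-*-*-read trap described above.

```python
"""Plan, audit and optionally apply the custom-anonymous-role recipe from the thread.

Added example, not from the thread or Sonatype. Assumes the Nexus 3 security REST
endpoints under /service/rest/v1/security/ (not present in 3.18.1). Names other
than 'anonymous' and the built-in privilege ids are hypothetical.
"""
import base64
import json
import re
import sys
import urllib.request

# Any of these grant read on every docker namespace, whatever content selectors say:
# the built-in wildcard read, a docker-wide read, or nx-all.
WILDCARD_READ = re.compile(r"^nx-repository-view-(\*|docker)-.+-read$")
BLANKET_PRIVILEGES = {"nx-all"}

# What the built-in nx-anonymous role carries, as listed in the thread.
NX_ANONYMOUS_PRIVILEGES = [
    "nx-healthcheck-read",
    "nx-repository-view-*-*-browse",
    "nx-repository-view-*-*-read",
    "nx-search-read",
]


def offending_privileges(privileges):
    """Privileges that let the holder read any docker image regardless of selectors."""
    return [p for p in privileges if p in BLANKET_PRIVILEGES or WILDCARD_READ.match(p)]


def anonymous_role_privileges(selector_privilege, other_formats):
    """The thread's fix: keep browse/search/healthcheck, drop the *-*-read wildcard,
    grant read per non-docker format, and read on docker only via the selector."""
    privs = ["nx-healthcheck-read", "nx-repository-view-*-*-browse", "nx-search-read"]
    privs += [f"nx-repository-view-{fmt}-*-read" for fmt in other_formats if fmt != "docker"]
    privs.append(selector_privilege)
    return privs


def build_plan(namespace="library", other_formats=("maven2", "npm", "pypi"),
               role_id="CompanyAnonymous"):
    """Ordered (method, path, body) API calls. Names are hypothetical placeholders."""
    selector = f"docker-public-{namespace}"
    privilege = f"{selector}-read"
    # The selector expression the thread reports working for the /library namespace.
    expression = f'format == "docker" and path =~ ".*/{namespace}/.*"'
    return [
        ("POST", "/service/rest/v1/security/content-selectors",
         {"name": selector, "description": f"anonymous docker pull from /{namespace}",
          "expression": expression}),
        ("POST", "/service/rest/v1/security/privileges/repository-content-selector",
         {"name": privilege, "description": f"read /{namespace} images",
          "actions": ["READ"], "format": "docker", "repository": "*",
          "contentSelector": selector}),
        ("POST", "/service/rest/v1/security/roles",
         {"id": role_id, "name": role_id, "description": "custom anonymous role",
          "privileges": anonymous_role_privileges(privilege, other_formats), "roles": []}),
        # Anonymous must live in a real authenticating realm, never Docker Bearer Token.
        ("PUT", "/service/rest/v1/security/anonymous",
         {"enabled": True, "userId": "anonymous", "realmName": "NexusAuthenticatingRealm"}),
    ]


def _call(base_url, auth, method, path, body=None):
    """One JSON call with HTTP basic auth; auth is 'user:password'."""
    req = urllib.request.Request(base_url + path, method=method,
                                 data=None if body is None else json.dumps(body).encode())
    req.add_header("Authorization", "Basic " + base64.b64encode(auth.encode()).decode())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def apply_plan(base_url, auth, plan, role_id="CompanyAnonymous"):
    """Create selector, privilege, role and anonymous settings, then swap the
    anonymous user's roles from nx-anonymous to the custom role (step 5)."""
    for method, path, body in plan:
        _call(base_url, auth, method, path, body)
    users = _call(base_url, auth, "GET", "/service/rest/v1/security/users?userId=anonymous")
    anon = next(u for u in users if u["userId"] == "anonymous")
    anon["roles"] = [role_id]
    _call(base_url, auth, "PUT", "/service/rest/v1/security/users/anonymous", anon)


if __name__ == "__main__":
    plan = build_plan()
    print("nx-anonymous offenders:", offending_privileges(NX_ANONYMOUS_PRIVILEGES))
    print("custom role offenders:", offending_privileges(plan[2][2]["privileges"]))
    if len(sys.argv) == 3:  # usage: nexus_anon.py https://nexus.example.com admin:password
        apply_plan(sys.argv[1], sys.argv[2], plan)
    else:
        print(json.dumps(plan, indent=2))
```

Run it with no arguments to print the planned calls and the audit result; pass the base URL and an admin credential to apply them. After applying, repeat the thread's own check: `docker logout registry.mycompany.ru` followed by a pull from /library should succeed, and a pull from a private namespace should still fail with 401.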