Hi!
What I tried:
I have 2 content selectors:
1) for blobs, with path (format == "docker" and path =~ "/v2/|/v2/blobs/.|/v2/search/."), because even the anonymous user needs to access them to download layers;
2) for the library namespace, with path (format == "docker" and path =^ "/v2/library/"), to access manifests and tags in this scope.
Next, I created 2 privileges based on those selectors with read, browse and edit rights. Then I created a docker-anonymous Nexus role and included these privileges in this role in accordance with nx-repository-view---read and nx-repository-view---browse.
Then I went to the Users section, selected anonymous and assigned this role to it.
After that I tried to pull the image again and got the following:
docker pull registry.mycompany.ru/library/awesome:latest
Error response from daemon: Get registry.mycompany.ru/library/awesome:latest no basic auth credential
If I use docker login and try to pull from the /library namespace, everything works fine. So that means the docker repository, nginx, upstreams and so on are configured properly, and my problem for now is only some misconfiguration of the new anonymous role. Am I missing something?
Version of docker is 19.03.1
Version of Nexus: 3.18.1-01
Docker Bearer Realm is enabled.
In the repository settings "Allow anonymous pull" = false, so the problem might be there, I suppose. But if I enable that option there will be no "private" namespaces at all.
PS: anonymous search works just fine, without issues.
docker search registry.mycompany.ru/library/someimage
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker search registry.mycompany.ru/library/someimage:latest 0
Update: although the registry works via https, I tried adding it as an insecure registry. Now the error changes to:
Error response from daemon: EOF
I checked that I'm not logged into this registry:
docker logout registry.mycompany.ru
No credentials for this registry.
I also found this issue (https://issues.sonatype.org/browse/NEXUS-10813) and looked at my nginx config again; it's fine and does not have a proxy_set_header Authorization "" section.
So further investigation of the logs tells me that under the hood it is still a 401 error:
2019-09-04T12:54:40+03:00 1567590880.536 registry.mycompany.ru GET /v2/ - - someIPAdress docker/19.03.1 go/go1.12.5 git-commit/74b1e89 kernel/5.0.0-25-generic os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.1 \x5C(linux\x5C)) - 401 0.004 244 - -
One more update: I thought the mistake could be in the content selector, and docker uses /v2 for auth (we checked that via Fiddler):
HTTP/1.1 401 Unauthorized
Date: Wed, 04 Sep 2019 13:51:48 GMT
Content-Type: application/json
Content-Length: 113
Connection: close
X-Content-Type-Options: nosniff
Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
X-XSS-Protection: 1; mode=block
WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
Docker-Distribution-Api-Version: registry/2.0

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}
I created one more selector only to access the /v2 namespace (my first selector already has this in its expression, but I wanted to be sure there are no mistakes), assigned it to the docker-anonymous role and then assigned this role to the anonymous user. Still no luck and the error is the same: no basic auth credentials from the docker client.
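As an added diagnostic (not part of the post and not Nexus or Docker code), this Python reads a captured registry response like the 401 above and reports which Docker client auth flow its WWW-Authenticate challenge triggers; the Basic sample is rebuilt from the post's Fiddler capture, while the Bearer sample and its realm/service values are constructed for comparison.

```python
import json
import re

# Docker starts with GET /v2/; on a 401 a Bearer challenge starts the token flow,
# a Basic challenge needs stored credentials (else "no basic auth credentials").
PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,\s"]+))')
CHALLENGE_RE = re.compile(r'([A-Za-z][A-Za-z0-9_-]*)'  # scheme, then its auth-params
                          r'((?:\s*[A-Za-z0-9_-]+\s*=\s*(?:"[^"]*"|[^,\s"]+)\s*,?)*)')

# Status line, challenge header and body taken from the Fiddler capture in the post.
NEXUS_401_BASIC = (
    "HTTP/1.1 401 Unauthorized\n"
    'WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"\n\n'
    '{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested '
    'resource is not authorized","detail":null}]}')
# Constructed sample (realm/service values are illustrative, not from the post):
# the challenge shape that lets a client with no login use the token flow.
BEARER_401 = (
    "HTTP/1.1 401 Unauthorized\n"
    'WWW-Authenticate: Bearer realm="https://registry.mycompany.ru/v2/token",'
    'service="registry.mycompany.ru"\n\n')

def parse_challenges(header):
    """Split a WWW-Authenticate value into {scheme: {param: value}} (keys lower-cased)."""
    found = {}
    for m in CHALLENGE_RE.finditer(header):
        found[m.group(1).lower()] = {k.lower(): quoted or bare
                                     for k, quoted, bare in PARAM_RE.findall(m.group(2))}
    return found

def diagnose(raw_response):
    """Read a captured registry response and name the client auth flow it triggers."""
    head, _, body = raw_response.partition("\n\n")
    lines = head.splitlines()
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    out = {"status": int(lines[0].split()[1]), "scheme": None, "realm": None}
    challenges = parse_challenges(headers.get("www-authenticate", "")) if out["status"] == 401 else {}
    if "bearer" in challenges:
        out.update(scheme="bearer", realm=challenges["bearer"].get("realm"),
                   flow="token flow: client fetches a token from realm, anonymously if not logged in")
    elif "basic" in challenges:
        out.update(scheme="basic", realm=challenges["basic"].get("realm"),
                   flow="basic flow: client needs stored credentials, else 'no basic auth credentials'")
    else:
        out["flow"] = "no usable challenge"
    if body.strip():  # registry error body, e.g. {"errors":[{"code":"UNAUTHORIZED",...}]}
        out["error_codes"] = [e["code"] for e in json.loads(body).get("errors", [])]
    return out
```

Running `diagnose(NEXUS_401_BASIC)` shows the capture advertises only a Basic realm, which is the challenge the client answers from stored credentials rather than by fetching a token.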