Docker repository anonymous access for current namespace

Hello!

We have a private docker-repository in our Nexus and we have some private namespaces via content selectors.

Some developers want the next thing:

  1. For example we have namespace /library that is “free for all”
  2. We have private namespace, let’s say /coolteam/awesomproject/image
  3. Some developers want to grab images from /library without any auth and use them. Can we achieve this somehow?
    If I enable “anonymous pull” in the repository settings then it simply ignores all private namespaces and a developer can grab any image from any namespace, because this option affects the whole repository. Can I somehow enable this option only for the /library namespace for anonymous pull? (And use it without logging in to the Nexus repo?)

I tried to create another private docker-repo and create a group with the 2 hosted repos, but still when I try to enable “anonymous pull” for the group it simply ignores all private namespaces and a user is able to grab any image that he wants.

Hi!

When a user accesses Nexus without logging in, they are actually accessing Nexus under the user ‘Anonymous’. This user is listed as a user and has the ‘nx-anonymous’ role associated to it. You could create your own custom role that uses content selectors and gives read-only access to those namespaces you wish to give everyone access to. Then associate this custom role with the anonymous user, instead of the default one.

Hi!

What I tried:
I have 2 content-selectors:

  1. for blobs with path (format == “docker” and path =~ “/v2/|/v2/blobs/.|/v2/search/.”) because even the anonymous user needs to access them to download layers
  2. for the library namespace with path (format == “docker” and path =^ “/v2/library/”) to access manifests and tags in this scope.

Next, I created 2 privileges based on those selectors with read, browse, edit rights. Then I created a docker-anonymous Nexus role and included these privileges in this role along with nx-repository-view---read and nx-repository-view---browse.

Then I went to the users section, selected anonymous and assigned this role to it.

After that I tried to pull the image again and got this:
docker pull registry.mycompany.ru/library/awesome:latest Error response from daemon: Get registry.mycompany.ru/library/awesome:latest no basic auth credential

If I use docker login and try to pull from the /library namespace, everything goes fine. So that means that the docker-repository, nginx, upstreams and so on are configured properly and my problem now is only some misconfiguration of the new anonymous role. Am I missing something?

Version of docker: 19.03.1
Version of Nexus: 3.18.1-01
Docker Bearer Token Realm enabled

In the repository settings “Allow anonymous pull” = false, so the problem might be in that, I suppose. But if I enable that option there will be no “private” namespaces at all :slight_smile:

PS: anonymous search works just fine and without issues.
docker search registry.mycompany.ru/library/someimage
NAME DESCRIPTION STARS OFFICIAL AUTOMATED docker search registry.mycompany.ru/library/someimage:latest 0

Update: even though the registry works via https, I tried adding it as an insecure registry. Now the error changes to:
Error response from daemon: EOF

Checked that I’m not logged into this registry:
docker logout registry.mycompany.ru
No credentials for this registry.

Also found this issue (https://issues.sonatype.org/browse/NEXUS-10813) and looked at my nginx config again; it’s fine and does not have a proxy_set_header Authorization “” section.

So further investigation of the logs tells me that under the hood it is still a 401 error:
2019-09-04T12:54:40+03:00 1567590880.536 registry.mycompany.ru GET /v2/ - - someIPAdress docker/19.03.1 go/go1.12.5 git-commit/74b1e89 kernel/5.0.0-25-generic os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.1 \x5C(linux\x5C)) - 401 0.004 244 - -

One more update: I was thinking that the mistake could be in the content-selector, and docker for auth uses /v2 (we have checked that via Fiddler):
HTTP/1.1 401 Unauthorized Date: Wed, 04 Sep 2019 13:51:48 GMT Content-Type: application/json Content-Length: 113 Connection: close X-Content-Type-Options: nosniff Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation X-XSS-Protection: 1; mode=block WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager" Docker-Distribution-Api-Version: registry/2.0 {"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}

I have created one more selector only to access the /v2 namespace (in my first selector I already have this in the expression, but I want to be sure that there are no mistakes), assigned it to the docker-anonymous role and then assigned this role to the anonymous user. Still no luck and the error is the same: no basic auth credentials from the docker client.

And also I have disabled the first content-selector with this expression (format == “docker” and path =~ “/v2/|/v2/blobs/.|/v2/search/.”); obviously docker search now doesn’t work and returns a 401 error.

That means that this selector is configured properly and allows access to the /v2/, blobs and search APIs.

But still anonymous pull doesn’t work.
Also I tried to set the anonymous user to use the docker bearer realm instead of the local auth realm.
But Fiddler still shows in the output (I mean the docker client) that it tries to use Basic auth to contact the docker registry:

mode=block WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager" Docker-Distribution-Api-Version: registry/2.0 {"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}
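As an added illustration (not code from the thread or from Nexus): a small Python parser that reads a captured registry 401 response and reports which challenge scheme it carries. The docker client only starts the token exchange when the `WWW-Authenticate` challenge is `Bearer` with a `realm`; a `Basic` challenge, as in the capture above, gives an unauthenticated client nothing to do except fail with "no basic auth credentials". The Bearer sample and its hostname are constructed for comparison.

```python
import re

# Sample input: the 401 response captured in the thread above, reassembled as raw HTTP.
CAPTURED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Date: Wed, 04 Sep 2019 13:51:48 GMT\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 113\r\n"
    'WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"\r\n'
    "Docker-Distribution-Api-Version: registry/2.0\r\n"
    "\r\n"
    '{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource '
    'is not authorized","detail":null}]}'
)

# Constructed sample (hostname is a placeholder): the challenge a token realm returns,
# which is what the docker client needs before it will fetch an anonymous token.
CONSTRUCTED_BEARER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Bearer realm="https://registry.example.test/v2/token",'
    'service="registry.example.test",scope="repository:library/awesome:pull"\r\n'
    "\r\n"
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs of the challenge


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def parse_challenge(header_value):
    """Return (scheme, params) from a WWW-Authenticate value; scheme is case-insensitive."""
    scheme, _, params = header_value.partition(" ")
    return scheme.lower(), dict(_PARAM_RE.findall(params))


def diagnose(raw):
    """Report the challenge scheme and whether a docker client could start the token flow."""
    status, headers, _ = parse_response(raw)
    if status != 401:
        return {"status": status, "scheme": None, "token_flow": False, "params": {}}
    scheme, params = parse_challenge(headers.get("www-authenticate", ""))
    return {"status": status, "scheme": scheme,
            "token_flow": scheme == "bearer" and "realm" in params, "params": params}
```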

Hello again.

Can you give me a hint where my mistake in the configuration is? Because for now I don’t really understand where else to dig to make this thing work :frowning:

I was thinking of reverse content-selection, for example: allow anonymous pull for all, but for some dedicated namespaces restrict it until login. But content-selectors work a little differently :slight_smile:

I will be glad for any assistance.

I will bump this topic one more time, because our company needs to make a decision about what type of docker registry we will use. It would be cool to use Nexus because it can be one entrypoint for all packages of different types, including docker images for our CI.

Otherwise we will use Harbor for docker-images =[