Understanding authentication process

I have a Sonatype Nexus deployment with Keycloak as identity provider. I can log in and have admin access to Nexus.

However I can’t push a container image:

ctr images push -u <my keycloak username>:<my keycloak password> registry.local/cray/k8s.gcr.io/pause:3.1
manifest-sha256:759c3f0f6493093a9043cc813092290af69029699ade0e3dbe024e968fcb7cca: done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:cf92024299791de93ad205151ab24e535c218bbea6465fd8f79c2611db913a50:    done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:da86e6ba6ca197bf6bc5e9d900febd906b133eaa4750e6bed647b0fbe50ed43e:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 0.1 s                                                                    total:  527.0  (5.1 KiB/s)                                       
ctr: failed commit on ref "manifest-sha256:759c3f0f6493093a9043cc813092290af69029699ade0e3dbe024e968fcb7cca": unexpected status: 401 Unauthorized

Any idea how to solve this?

thank you

You won’t be able to use SAML to log in via command-line tooling. The standard solution to this problem is to use user tokens, but that is a Nexus Repository Pro feature (Security Setup with User Tokens). Other security solutions like LDAP will work in the way you expect, but a SAML server is completely disconnected from Nexus Repository. It requires a browser redirect to authenticate.
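
An added example, not part of the original post or of Nexus Repository: a small parser for the `WWW-Authenticate` challenge that accompanies a 401 like the one above, showing which credential a non-interactive client is being asked for. The sample responses, realm names and the helper names `parse_challenges` and `cli_guidance` are constructed for illustration; neither scheme involves a browser redirect, which is why a SAML-only login cannot satisfy them.

```python
import re

# Constructed sample 401 responses (not captured from the registry on this page).
SAMPLE_401_BASIC = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Example Registry"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_401_BEARER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'www-authenticate: Bearer realm="https://registry.example/v2/token",'
    'service="registry.example"\r\n\r\n'
)

# auth-param: name = token | quoted-string (RFC 7235)
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenges(raw_response):
    """Return [(scheme, {param: value})], one challenge per WWW-Authenticate line."""
    challenges = []
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue  # header names are case-insensitive
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for m in _PARAM.finditer(rest):
            val = m.group(2) if m.group(2) is not None else m.group(3)
            params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", val)
        challenges.append((scheme.lower(), params))
    return challenges


def cli_guidance(raw_response):
    """Map the offered scheme to what a command-line client has to present."""
    schemes = {scheme for scheme, _ in parse_challenges(raw_response)}
    if "basic" in schemes:
        return "basic: send a username/password or user token the server can verify itself"
    if "bearer" in schemes:
        return "bearer: obtain a token from the realm URL, then retry with it"
    return "no non-interactive scheme offered"
```
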

We use a local realm account to upload container images to NXRM via our continuous integration service. Developers are not allowed to upload from their laptops directly. User logins to the NXRM portal are protected with SAML.
