Set up private Docker registry with anonymous pull access

I'd like to set up a Docker registry that allows anonymous pulls but authenticates pushes.

My naive approach was to allow GET requests. But that seems to break the login, as the client only creates the credentials if the initial GET request to /v2/ yields a 401.

However, repository reads also start with that, so I cannot put this behind authentication either.

Basically it seems I'd have to distinguish between a ping before a pull and a ping before a login.

I'm also happy to set up token authentication. But that would probably run into the same conundrum.

Apparently the way to go is to set up token authentication.

Then you can return a valid token for the scope pull even if no Basic Authentication was given.

You can find example code at https://github.com/cloudfleet/floating-dock/blob/master/app/controllers/api/v1/jwt_controller.rb and https://github.com/cloudfleet/floating-dock/blob/master/app/services/auth/container_registry_authentication_service.rb

It is an adapted version of GitLab's JWT implementation for the registry.
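
The decision a token service has to make for this setup, as an added Ruby example that is not taken from the answer or from the linked floating-dock code: a request without credentials gets a token limited to `pull`, while a request with wrong credentials gets a 401, so `docker login` still detects a bad password. The issuer, service, user store and function names are constructed for illustration, every authenticated user is assumed to be allowed to push to any repository, and signing the claims into a JWT is not shown.

```ruby
require 'base64'
require 'securerandom'

# All constants are constructed for this example.
ISSUER  = 'auth.example.test'       # must match the registry's configured issuer
SERVICE = 'registry.example.test'   # must match the registry's configured service
USERS   = { 'alice' => 's3cret-example' }.freeze  # real services verify a password hash
ANONYMOUS_ACTIONS     = %w[pull].freeze
AUTHENTICATED_ACTIONS = %w[pull push].freeze

# Returns a username, nil when no credentials were sent, or :invalid.
def authenticate(authorization_header)
  return nil if authorization_header.nil? || authorization_header.empty?
  scheme, encoded = authorization_header.split(' ', 2)
  return :invalid unless scheme&.casecmp?('Basic') && encoded
  user, password = Base64.decode64(encoded).split(':', 2)
  USERS.key?(user) && USERS[user] == password ? user : :invalid
end

# Parses "repository:team/app:pull,push" into the shape of one "access" entry.
def parse_scope(scope)
  type, *name_parts, actions = scope.to_s.split(':')
  return nil if type.nil? || name_parts.empty? || actions.nil?
  { 'type' => type, 'name' => name_parts.join(':'), 'actions' => actions.split(',') }
end

# Decides what the token may do. Bad credentials get a 401 instead of an
# anonymous token, so `docker login` still fails on a wrong password.
def token_response(authorization_header, scopes, now: Time.now.to_i)
  user = authenticate(authorization_header)
  return { status: 401 } if user == :invalid
  permitted = user ? AUTHENTICATED_ACTIONS : ANONYMOUS_ACTIONS
  access = scopes.map { |s| parse_scope(s) }.compact.map do |entry|
    next unless entry['type'] == 'repository'
    granted = entry['actions'] & permitted
    entry.merge('actions' => granted) unless granted.empty?
  end.compact
  # These claims still have to be signed as a JWT with the key the registry trusts.
  claims = { 'iss' => ISSUER, 'aud' => SERVICE, 'sub' => user.to_s,
             'iat' => now, 'nbf' => now, 'exp' => now + 300,
             'jti' => SecureRandom.uuid, 'access' => access }
  { status: 200, claims: claims }
end
```

An anonymous request for `pull,push` receives a token with only `pull`, so the registry rejects the push and the client has to come back with credentials.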
