When Admin user is not enabled Repositories are not searchable. #40

Closed
markarnott opened this issue Apr 21, 2017 · 4 comments
@markarnott

We set up a registry and configured service principals to push and pull images, but we cannot find a way to list what images are in the repository.

When attempting to view repositories in the Azure portal we see this message:
Admin user is not enabled. Enable admin user in Access keys blade to view repositories.

We tried from the docker CLI like this.
docker login reg.azurecr.io
docker search reg.azurecr.io

and we always receive this message:
Error response from daemon: Unexpected status code 404

Your blog post on ACR user accounts indicates that the Admin User is a temporary approach that will go away in the future. Are we correct in assuming that enabling the Admin User is currently the only way to view what images are in the registry?

@djyou
Member

djyou commented Apr 21, 2017

Service principal credentials are not retrievable so there is no way to authenticate with the registry in the portal if admin user is not enabled, thus you were seeing the message.

docker search is not a supported Docker V2 API, thus you were seeing the error. It is not related to whether admin user is enabled or not.

If you only use service principal to authenticate, one way to list images is to use the Azure CLI:

az acr repository list -n <your registry name>

And enter your service principal app id and password in the prompt. Or provide them as command arguments:

az acr repository list -n <your registry name> -u <your service principal app id> -p <your service principal password>
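
The reply above notes that docker search is not part of the Docker V2 API; the listing call that API does define is GET /v2/_catalog, paginated through rel="next" Link headers. The sketch below is an added example, not code from this thread or from the ACR project. It assumes the registry accepts the service principal app id and password as HTTP Basic credentials on that endpoint; the sample pages are constructed, and reg.azurecr.io is the placeholder name used in the question.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import urljoin

NEXT_LINK = re.compile(r'<([^>]+)>\s*;\s*rel="next"')

def basic_auth_header(app_id, password):
    token = base64.b64encode(f"{app_id}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def http_get(url, headers):
    """Real transport: returns (parsed JSON body, Link header or None)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp), resp.headers.get("Link")

def list_repositories(registry, app_id, password, get=http_get, page_size=100):
    """Walk GET /v2/_catalog, following rel="next" Link headers."""
    base = f"https://{registry}"
    url = f"{base}/v2/_catalog?n={page_size}"
    headers = basic_auth_header(app_id, password)
    repos = []
    while url:
        body, link = get(url, headers)
        repos.extend(body.get("repositories") or [])
        match = NEXT_LINK.search(link or "")
        url = urljoin(base, match.group(1)) if match else None
        # Never replay the credentials to a host other than the registry.
        if url and not url.startswith(base + "/"):
            raise ValueError(f"refusing cross-host pagination link: {url}")
    return repos

# Constructed sample pages (not captured from a real registry).
SAMPLE_PAGES = {
    "https://reg.azurecr.io/v2/_catalog?n=2": (
        {"repositories": ["app/api", "app/web"]},
        '</v2/_catalog?last=app%2Fweb&n=2>; rel="next"'),
    "https://reg.azurecr.io/v2/_catalog?last=app%2Fweb&n=2": (
        {"repositories": ["base/alpine"]}, None),
}

def fake_get(url, headers):
    """Offline stand-in for http_get, backed by SAMPLE_PAGES."""
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    print(list_repositories("reg.azurecr.io", "app-id", "secret", get=fake_get, page_size=2))
```

Dropping the get=fake_get argument sends the request to the real registry over HTTPS.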

@markarnott
Author

The question has been answered. But this is a usability issue. It really makes no sense that I can log in to the Azure portal as a user that has 'owner' access rights to the ACR instance, but I can't list that registry's images.

I live in a world that is very sensitive to security issues. By not allowing AD User Principals to list the registry images you have limited our ability to audit who did what. We aren't going to create a different service principal for every user - that defeats the whole point of a service principal. For ACR this is a minor issue because no data will ever get saved in these images. It is just confusing because ACR doesn't behave like other Azure services.

@sajayantony
Contributor

@markarnott - AAD integration #32 is something we are definitely implementing. We understand the issues related to SP creation and maintaining them from a security perspective, and once AAD is integrated with ACR, you should be able to manage users directly on the registry resource as you would with any other Azure resource.
/cc @DavidObando

@sajayantony
Contributor

This is now available on the portal.
