Private Registry and Read Only Users

[jjneely]

I have a private registry setup with docker-registry 0.7.3. I am testing with Docker 1.2.0. We use basic auth to keep it private for internal use. However, we also wanted to have read-only access for some of our automated processes. I did this by creating the following Apache 2.4 configuration.

<Location />
    AuthName "Docker Registry Login"
    AuthType Basic

    AuthUserFile "/etc/apache2/htpasswd.users"

    <RequireAll>
        Require valid-user
        # nagiosctl is a widely known secret
        Require not user nagiosctl
        <LimitExcept GET>
            # docker is our read-only user
            Require not user docker
        </LimitExcept>
    </RequireAll>
</Location>

In general, this works. Read/Write users can upload and pull images and our read-only user docker can pull and not push.

However, if someone does try a push operation authenticated as the docker user then the push command suddenly exists with an error code of 1.

$ sudo docker push docker.aws.42lines.net/jjneely/testing:latest
The push refers to a repository [docker.aws.42lines.net/jjneely/testing] (len: 1)
Sending image list
2014/08/27 10:51:11 $

Running the docker daemon in debug mode it clearly reports a 401 error from the server, but this never makes its way to a useful error message for the client. It would be great if the client would handle this with an appropriate error message.

[jessfraz]

ping @dmcgowan @jlhawn @dmp42

[dmp42]

Put otherwise: a v1 push that fails for authentication denied does not output a meaningful message to the user.

[thaJeztah]

related / dup of #11016?

[ghost]

Yes, this is the same behavior that I reported with #11016.

[thaJeztah]

@jfrazelle looks like dup, but perhaps you can decide. Also one is marked "black belt" and the other "white belt", which would be strange if they're indeed dup.