  1. Dev - Nexus Repo
  2. NEXUS-20510

Proxy repo to gcr.io with authentication not working

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 3.17.0
    • Fix Version/s: 3.23.0
    • Component/s: Docker
    • Labels:
    • Environment:
      RHEL 7

      Description

      We want to create a proxy repository to "gcr.io" with authentication so we can download specific Docker images from our vendor. Our Nexus version is OSS 3.17.0-01.

      So I created a simple Proxy Repository with:

      • Remote Storage: https://gcr.io
      • Authentication type: Username
        • Username: _json_key
        • Password: <the JSON payload we received from our vendor>

      If I try to pull an image from this private registry, it cannot be downloaded. I increased logging and got this output:

      "CONNECT gcr.io:443 HTTP/1.1[\r][\n]"
      "CONNECT gcr.io:443 HTTP/1.1[\r][\n]"
      "Host: gcr.io[\r][\n]"
      "Host: gcr.io[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "CONNECT gcr.io:443 HTTP/1.1[\r][\n]"
      "Host: gcr.io[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "CONNECT gcr.io:443 HTTP/1.1[\r][\n]"
      "Host: gcr.io[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "HTTP/1.0 200 Connection established[\r][\n]"
      "HTTP/1.0 200 Connection established[\r][\n]"
      "HTTP/1.0 200 Connection established[\r][\n]"
      "GET /v2/vendor/product/blobs/sha256:f7f9ade9224fbb2cfa125d4227fc7d73c4bc43838910e53dd7a5917ccab8a662 HTTP/1.1[\r][\n]"
      "Host: gcr.io[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "Accept-Encoding: gzip,deflate[\r][\n]"
      "HTTP/1.0 200 Connection established[\r][\n]"
      "GET /v2/vendor/product/blobs/sha256:52a9ae58a13c23981293a8aa832e726791724849631acef353cc40e2018c419a HTTP/1.1[\r][\n]"
      "Host: gcr.io[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "Accept-Encoding: gzip,deflate[\r][\n]"
      "GET /v2/vendor/product/blobs/sha256:0b8010d5f221031d0a2f6754e19e846d04aa99634332b46c9d25e0a6b34077de HTTP/1.1[\r][\n]"
      "Host: gcr.io[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "Accept-Encoding: gzip,deflate[\r][\n]"
      "GET /v2/vendor/product/blobs/sha256:2f3a20f84f23372e783c760bec233200666310f5a4bdc16c3b21e12e7f0d36a7 HTTP/1.1[\r][\n]"
      "Host: gcr.io[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "Accept-Encoding: gzip,deflate[\r][\n]"
      "HTTP/1.1 302 Found[\r][\n]"
      "Docker-Distribution-API-Version: registry/2.0[\r][\n]"
      "Location: https://storage.googleapis.com/artifacts.vendor.com/containers/images/sha256:f7f9ade9224fbb2cfa125d4227fc7d73c4bc43838910e53dd7a5917ccab8a662[\r][\n]"
      "Content-Type: application/json[\r][\n]"
      "Content-Encoding: gzip[\r][\n]"
      "Date: Thu, 18 Jul 2019 13:13:54 GMT[\r][\n]"
      "Server: Docker Registry[\r][\n]"
      "Cache-Control: private[\r][\n]"
      "X-XSS-Protection: 0[\r][\n]"
      "X-Frame-Options: SAMEORIGIN[\r][\n]"
      "Alt-Svc: quic=":443"; ma=2592000; v="46,43,39"[\r][\n]"
      "Transfer-Encoding: chunked[\r][\n]"
      "CONNECT storage.googleapis.com:443 HTTP/1.1[\r][\n]"
      "Host: storage.googleapis.com[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "HTTP/1.1 302 Found[\r][\n]"
      "Docker-Distribution-API-Version: registry/2.0[\r][\n]"
      "Location: https://storage.googleapis.com/artifacts.vendor.com/containers/images/sha256:52a9ae58a13c23981293a8aa832e726791724849631acef353cc40e2018c419a[\r][\n]"
      "Content-Type: application/json[\r][\n]"
      "Content-Encoding: gzip[\r][\n]"
      "Date: Thu, 18 Jul 2019 13:13:54 GMT[\r][\n]"
      "Server: Docker Registry[\r][\n]"
      "Cache-Control: private[\r][\n]"
      "X-XSS-Protection: 0[\r][\n]"
      "X-Frame-Options: SAMEORIGIN[\r][\n]"
      "Alt-Svc: quic=":443"; ma=2592000; v="46,43,39"[\r][\n]"
      "Transfer-Encoding: chunked[\r][\n]"
      "CONNECT storage.googleapis.com:443 HTTP/1.1[\r][\n]"
      "Host: storage.googleapis.com[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "HTTP/1.0 200 Connection established[\r][\n]"
      "HTTP/1.0 200 Connection established[\r][\n]"
      "HTTP/1.1 302 Found[\r][\n]"
      "Docker-Distribution-API-Version: registry/2.0[\r][\n]"
      "Location: https://storage.googleapis.com/artifacts.vendor.com/containers/images/sha256:0b8010d5f221031d0a2f6754e19e846d04aa99634332b46c9d25e0a6b34077de[\r][\n]"
      "Content-Type: application/json[\r][\n]"
      "Content-Encoding: gzip[\r][\n]"
      "Date: Thu, 18 Jul 2019 13:13:54 GMT[\r][\n]"
      "Server: Docker Registry[\r][\n]"
      "Cache-Control: private[\r][\n]"
      "X-XSS-Protection: 0[\r][\n]"
      "X-Frame-Options: SAMEORIGIN[\r][\n]"
      "Alt-Svc: quic=":443"; ma=2592000; v="46,43,39"[\r][\n]"
      "Transfer-Encoding: chunked[\r][\n]"
      "CONNECT storage.googleapis.com:443 HTTP/1.1[\r][\n]"
      "Host: storage.googleapis.com[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "HTTP/1.1 302 Found[\r][\n]"
      "Docker-Distribution-API-Version: registry/2.0[\r][\n]"
      "Location: https://storage.googleapis.com/artifacts.vendor.com/containers/images/sha256:2f3a20f84f23372e783c760bec233200666310f5a4bdc16c3b21e12e7f0d36a7[\r][\n]"
      "Content-Type: application/json[\r][\n]"
      "Content-Encoding: gzip[\r][\n]"
      "Date: Thu, 18 Jul 2019 13:13:54 GMT[\r][\n]"
      "Server: Docker Registry[\r][\n]"
      "Cache-Control: private[\r][\n]"
      "X-XSS-Protection: 0[\r][\n]"
      "X-Frame-Options: SAMEORIGIN[\r][\n]"
      "Alt-Svc: quic=":443"; ma=2592000; v="46,43,39"[\r][\n]"
      "Transfer-Encoding: chunked[\r][\n]"
      "CONNECT storage.googleapis.com:443 HTTP/1.1[\r][\n]"
      "Host: storage.googleapis.com[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "HTTP/1.0 200 Connection established[\r][\n]"
      "HTTP/1.0 200 Connection established[\r][\n]"
      "GET /artifacts.vendor.com/containers/images/sha256:52a9ae58a13c23981293a8aa832e726791724849631acef353cc40e2018c419a HTTP/1.1[\r][\n]"
      "Host: storage.googleapis.com[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "Accept-Encoding: gzip,deflate[\r][\n]"
      "GET /artifacts.vendor.com/containers/images/sha256:f7f9ade9224fbb2cfa125d4227fc7d73c4bc43838910e53dd7a5917ccab8a662 HTTP/1.1[\r][\n]"
      "Host: storage.googleapis.com[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "Accept-Encoding: gzip,deflate[\r][\n]"
      "GET /artifacts.vendor.com/containers/images/sha256:2f3a20f84f23372e783c760bec233200666310f5a4bdc16c3b21e12e7f0d36a7 HTTP/1.1[\r][\n]"
      "Host: storage.googleapis.com[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "Accept-Encoding: gzip,deflate[\r][\n]"
      "GET /artifacts.vendor.com/containers/images/sha256:0b8010d5f221031d0a2f6754e19e846d04aa99634332b46c9d25e0a6b34077de HTTP/1.1[\r][\n]"
      "Host: storage.googleapis.com[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "User-Agent: Nexus/3.17.0-01 (OSS; Linux; 3.10.0-957.21.3.el7.x86_64; amd64; 1.8.0_201) [\r][\n]"
      "Accept-Encoding: gzip,deflate[\r][\n]"
      "HTTP/1.1 403 Forbidden[\r][\n]"
      "Date: Thu, 18 Jul 2019 13:13:55 GMT[\r][\n]"
      "Server: UploadServer[\r][\n]"
      "Alt-Svc: quic=":443"; ma=2592000; v="46,43,39"[\r][\n]"
      "Expires: Thu, 18 Jul 2019 13:13:55 GMT[\r][\n]"
      "Connection: Keep-Alive[\r][\n]"
      "Content-Type: application/xml; charset=UTF-8[\r][\n]"
      "Cache-Control: private, max-age=0[\r][\n]"
      "Content-Length: 317[\r][\n]"
      "X-GUploader-UploadID: foo[\r][\n]"
      "<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous caller does not have storage.objects.get access to artifacts.vendor.com/containers/images/sha256:0b8010d5f221031d0a2f6754e19e846d04aa99634332b46c9d25e0a6b34077de.</Details></Error>"
      "HTTP/1.1 403 Forbidden[\r][\n]"
      "Date: Thu, 18 Jul 2019 13:13:55 GMT[\r][\n]"
      "Server: UploadServer[\r][\n]"
      "Alt-Svc: quic=":443"; ma=2592000; v="46,43,39"[\r][\n]"
      "Expires: Thu, 18 Jul 2019 13:13:55 GMT[\r][\n]"
      DockerProxyFacetImpl - Could not parse error response Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
      "Connection: Keep-Alive[\r][\n]"
      "Content-Type: application/xml; charset=UTF-8[\r][\n]"
      "Cache-Control: private, max-age=0[\r][\n]"
      "Content-Length: 317[\r][\n]"
      "X-GUploader-UploadID: foo[\r][\n]"
      "<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous caller does not have storage.objects.get access to artifacts.vendor.com/containers/images/sha256:f7f9ade9224fbb2cfa125d4227fc7d73c4bc43838910e53dd7a5917ccab8a662.</Details></Error>"
      org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/vendor/product/blobs/sha256:0b8010d5f221031d0a2f6754e19e846d04aa99634332b46c9d25e0a6b34077de: 403 - org.sonatype.nexus.repository.docker.internal.V2Exception: access to the requested resource is not authorized
      

      So there is a connection to gcr.io established and authorized. Then a redirect to storage.googleapis.com happens and then I get a "403 Forbidden". So it seems that Nexus does not correctly hand over the credentials to the redirect.

      Does anyone have an idea how to fix this? Thank you in advance for any hints.

       

      /Edit for clarification:
      If I use the same credentials from the command line and log in via "docker login gcr.io...." it works just fine. Only via Nexus proxy repo it does not work.
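
Added example (not part of the original report and not Nexus code): a small parser for wire-log lines in the format quoted above. It records, per request, the Host, whether an Authorization header was logged, and the response status, then lists any 401/403 that directly follows a redirect to a different host. The sample lines are constructed, and the parser assumes the lines of one request chain are passed in order, whereas the log in the report interleaves several.

```python
import re
from urllib.parse import urlparse

REQ = re.compile(r"^(GET|HEAD|POST|PUT) \S+ HTTP/1\.[01]$")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3}) ")
# Constructed sample in the page's wire-log format: one blob, placeholder digest.
SAMPLE = r'''
"GET /v2/vendor/product/blobs/sha256:EXAMPLE HTTP/1.1[\r][\n]"
"Host: gcr.io[\r][\n]"
"HTTP/1.1 302 Found[\r][\n]"
"Location: https://storage.googleapis.com/artifacts.vendor.com/containers/images/sha256:EXAMPLE[\r][\n]"
"CONNECT storage.googleapis.com:443 HTTP/1.1[\r][\n]"
"HTTP/1.0 200 Connection established[\r][\n]"
"GET /artifacts.vendor.com/containers/images/sha256:EXAMPLE HTTP/1.1[\r][\n]"
"Host: storage.googleapis.com[\r][\n]"
"HTTP/1.1 403 Forbidden[\r][\n]"
"<Error><Code>AccessDenied</Code><Details>Anonymous caller does not have storage.objects.get access to EXAMPLE.</Details></Error>"
'''.strip().splitlines()

def trace(lines):
    """One dict per non-CONNECT request; assumes one non-interleaved request chain."""
    hops, in_resp = [], False
    for raw in lines:
        # Drop indentation, the surrounding quotes and the [\r][\n] marker.
        text = raw.strip().strip('"').replace(r"[\r][\n]", "")
        cur = hops[-1] if hops else {}  # lines before the first request go nowhere
        if text.startswith("CONNECT ") or text.endswith("Connection established"):
            in_resp = True  # proxy tunnel setup: ignore its headers
        elif REQ.match(text):
            hops.append(dict(host=None, auth_sent=False, status=None,
                             redirect_host=None, anonymous=False))
            in_resp = False
        elif m := STATUS.match(text):
            cur["status"], in_resp = int(m[1]), True
        elif not in_resp and text.lower().startswith("host:"):
            cur["host"] = text.split(":", 1)[1].strip()
        elif not in_resp and text.lower().startswith("authorization:"):
            cur["auth_sent"] = True
        elif in_resp and text.lower().startswith("location:"):
            cur["redirect_host"] = urlparse(text.split(":", 1)[1].strip()).hostname
        elif in_resp and "Anonymous caller" in text:
            cur["anonymous"] = True
    return hops

def cross_host_denials(hops):
    """Requests refused (401/403) right after a redirect that changed host."""
    return [(a["host"], b["host"], b["status"], b["auth_sent"], b["anonymous"])
            for a, b in zip(hops, hops[1:])
            if a["redirect_host"] not in (None, a["host"])
            and b["host"] == a["redirect_host"] and b["status"] in (401, 403)]
```

Each tuple returned by `cross_host_denials` is (origin host, redirect host, status, Authorization header logged, "Anonymous caller" in the error body).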

            People

            Assignee: Unassigned
            Reporter: Tim (tim-tk)
            Last Updated By: Peter Lynch