Details
Description
- Set up a docker proxy repository with remote of https://registry.connect.redhat.com.
- Configure valid redhat login credentials in the http options
- Make a request for /v2/tuommaki/helloworld/manifests/latest to the proxy:
https://localhost:8081/repositry/docker-connnect-redhat/v2/tuommaki/helloworld/manifests/latest
The request thread will never return.
Analysis shows the request is made to the remote:
https://registry.connect.redhat.com/v2/tuommaki/helloworld/manifests/latest
This gets a WWW-Authenticate response with a URL to retrieve a bearer token:
2020-03-31 11:00:24,569-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << WWW-Authenticate: Bearer realm="https://registry.connect.redhat.com/auth/realms/rhc4tp/protocol/redhat-docker-v2/auth",service="docker-registry"
Nexus repo follows that, and gets a bearer token.
The request is then resent with the token.
This fails with a 'WWW-Authenticate: Basic realm=openshift,error="access denied"' authorization challenge. The original request is the resent with basic authentication, gets an authorization challenge with a URL to retreive a bearer token.
Nexus follows that, and the thread loops forever.
2020-03-31 11:21:05,322-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwiandrIjogeyJrdHkiOiJSU0EiLCJhbGciOiJSUzI1NiIsInVzZSI6InNpZyIsIm4iOiI1TWhlWnh2VU9id0NJRXVYZWJubjlNQ0JFcDlTdWUyME44SHhQTExSWjdYNUl1QTU0a3dpVUQtMXBqZ2tpamgwRXpTZGlxbTdWUExlNGl1eXZEZmJxX1d2QWNNUjVhb3RKbl9EMGllbnA5eVRpR3d5SEVQWG83MERwZ2FsN1ZOc0RCdWdTSF91SThpM3BVaHZLczAxMEwzRVFmRVkwc2hrQVZRY1hEb3JNVmhkZkd2WE84aURMODBqR1BDWmNidXpZc1BQQ0RycWd5UTl6SFctWGVMSURXUlh3YW16TE1pNGZqOXRNcXB6b3FUdkhZUUFGQWdHbTU2Umh0ZDE0SWxaU19yYnZ2aFFLMDVEUDB2MHJtZFU0SXZoTzBTcUJLRjdkN1FIbFppd09nd2ppQzktU3JORkFzSngtSy1PMzBROThpMUhKRjd2MXNCMFE1OTFzYUVZMmM3VWhXTnpqdm5DM2gtYXdtSi1TM2FJSFFGNWNObmtTbTRUN3VZWHEwRW9oMEM2cEdlMUlZSzM1RHlGZjRsZEZXVTNVQmpvUlc0dG1jd2lmNE96ZXg3eWw3NmV5WWRxeXRscXk0bmwxeWZlTXpMSTJlNm5ucWlBdFdEUTY2Y3NSTVZVb1JpdUtvZWdOZldIelRUdUZabU1OdHpNdXpsR1JFbmtJazZnZl84VUNPME9Kd1FZM2luQldGZFc2V2l4RWRwSzFxT1VEVzBjWGRQVWt0NkZhNHJzU0NUTTZvbWNvVkRiU3hWV3Fqa2JtS0ZnU1pnVjdaUUZiM2doa3E5VmhtZVlzbmpfSmc0Skxnc3JpRzlZUWlKOWljYl9TWHNuNUhJQXcyOWhFR3BEMW01Q05IZmt6SVBxbllYWmlfaXAwSGlwWjBiVU9RN3JBYXVkTHktZHlhcyIsImUiOiJBUUFCIn19.eyJqdGkiOiIwY2I1MmI3NC0wOGY2LTQ3NDItOWJkMS00ZTc1ZTAyODEyMDMiLCJleHAiOjE1ODU2NzE5NjUsIm5iZiI6MTU4NTY3MTY2NSwiaWF0IjoxNTg1NjcxNjY1LCJpc3MiOiJodHRwczovL3Nzby5yZWRoYXQuY29tL2F1dGgvcmVhbG1zL3JoYzR0cCIsImF1ZCI6ImRvY2tlci1yZWdpc3RyeSIsInN1YiI6Imd1eW5kdW1haXMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkb2NrZXItcmVnaXN0cnkiLCJhY2Nlc3MiOltdfQ.2aHJ2LbPR1YnCcgM_YcJC6DJv3M1PO9MKgcHiOYg5iH6XlOx_BudQhSF2U5iVeU_v7Pdmg3uaxrBGsyPFh8b_joHF54TAGHqHmRg4kOsncs-OmGX-_ZjAXMW90nlL5FFZOFwZxYhZXBQ_3dWQxBbv3s5Zpbi8P3JYqtZ0C-Oz6w7MywK_0cyfLbM1D5TVNJyT83KzO41JadPBxxBBH5yMWQEfJb1L5Yq9_qQlkhynJPVyb6uxHmAW-CoyZ3TLNl-VlOE4DNGwRKbEfM_46FaHPdRdWVVPsqsZQ1xVIfUEemFe-vSCFWAmPFIum6_ee4zkXYR2h49ZfLkLZb3br60HdA4YhBC8LsqvCHVL16CIW5q68ESSmgoRJ3FF9-FVh1ZnI_J_dHr1ayRZH8tIsIITIntsaHzXfV_ekTlm4U1xd7ygGbuyauzdbsdp4Ys7T3vvYq3U7Mp1Li_wNAff_0f9-3kWOqSohZs6hxwsu_No4xvNosoYDXkLewQOFtvj42GvEqKX3nnsj02i1SD_NuWHGg8aMuk_EUhVLhNJID_7KccoALqwrfHyr9Qs-aGyKzZkhk-DIrn0u7eiDrOIKX1-VPmflgWtTJnsQ34uzzTBEto2VUT1BXxwlqsZr-ce4N6hmPcH9Psfk5y7_ixKrTzJpwd31SpvpVYxKcNnlQbM2c 2020-03-31 11:21:05,395-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << HTTP/1.1 401 Unauthorized 2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Content-Length: 162 2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Content-Type: application/json; charset=utf-8 2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Docker-Distribution-Api-Version: registry/2.0 2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << WWW-Authenticate: Basic realm=openshift,error="access denied" 2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << X-Registry-Supports-Signatures: 1 2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Expires: Tue, 31 Mar 2020 16:21:05 GMT 2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Cache-Control: max-age=0, no-cache, no-store 2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Pragma: no-cache 2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Date: Tue, 31 Mar 2020 16:21:05 GMT 2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Connection: keep-alive 2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << Set-Cookie: 172555eec50a0d95563a405b15a8a45f=d8bbc5e2956a76b70c612792ef074c24; path=/; HttpOnly; Secure 2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive for 30000 MILLISECONDS 2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.auth.HttpAuthenticator - Authentication required 2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.auth.HttpAuthenticator - registry.connect.redhat.com:443 requested authentication 2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.client.TargetAuthenticationStrategy - Authentication schemes in the order of preference: [Token, Bearer, NTLM, Digest, Basic] 2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Token authentication scheme not available 2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Bearer authentication scheme not available 2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available 2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available 2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.auth.HttpAuthenticator - Selected authentication options: [BASIC [complete=true]] 2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-4: set socket timeout to 20000 2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.execchain.MainClientExec - Executing request GET /v2/tuommaki/helloworld/manifests/latest HTTP/1.1 2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.execchain.MainClientExec - Target auth state: CHALLENGED 2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.auth.HttpAuthenticator - Generating response to an authentication challenge using basic scheme 2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267] admin org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED 2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> GET /v2/tuommaki/helloworld/manifests/latest HTTP/1.1 2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v2+json 2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v1+prettyjws 2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v1+json 2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Accept: application/json 2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.list.v2+json 2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Host: registry.connect.redhat.com 2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Connection: Keep-Alive 2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> User-Agent: Nexus/3.22.0-02 (PRO; Mac OS X; 10.15.4; x86_64; 1.8.0_192) 2020-03-31 11:21:05,404-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Accept-Encoding: gzip,deflate 2020-03-31 11:21:05,404-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 >> Authorization: Basic **************************** 2020-03-31 11:21:05,472-0500 DEBUG [qtp63401444-267] admin org.apache.http.headers - http-outgoing-4 << HTTP/1.1 401 Unauthorized