[NEXUS-23360] Infinite loop for authorization in registry.connect.redhat.com docker proxy - Sonatype JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.18.1, 3.22.0
Fix Version/s: 3.23.0
Component/s: Docker
Labels:
- aop-maintenance
- supportant

Notability:
2

Description

Set up a docker proxy repository with remote of https://registry.connect.redhat.com.
Configure valid redhat login credentials in the http options
Make a request for /v2/tuommaki/helloworld/manifests/latest to the proxy:

https://localhost:8081/repositry/docker-connnect-redhat/v2/tuommaki/helloworld/manifests/latest

The request thread will never return.

Analysis shows the request is made to the remote:

https://registry.connect.redhat.com/v2/tuommaki/helloworld/manifests/latest

This gets a WWW-Authenticate response with a URL to retrieve a bearer token:

2020-03-31 11:00:24,569-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << WWW-Authenticate: Bearer realm="https://registry.connect.redhat.com/auth/realms/rhc4tp/protocol/redhat-docker-v2/auth",service="docker-registry"

Nexus repo follows that, and gets a bearer token.

The request is then resent with the token.

This fails with a 'WWW-Authenticate: Basic realm=openshift,error="access denied"' authorization challenge. The original request is the resent with basic authentication, gets an authorization challenge with a URL to retreive a bearer token.

Nexus follows that, and the thread loops forever.

2020-03-31 11:21:05,322-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwiandrIjogeyJrdHkiOiJSU0EiLCJhbGciOiJSUzI1NiIsInVzZSI6InNpZyIsIm4iOiI1TWhlWnh2VU9id0NJRXVYZWJubjlNQ0JFcDlTdWUyME44SHhQTExSWjdYNUl1QTU0a3dpVUQtMXBqZ2tpamgwRXpTZGlxbTdWUExlNGl1eXZEZmJxX1d2QWNNUjVhb3RKbl9EMGllbnA5eVRpR3d5SEVQWG83MERwZ2FsN1ZOc0RCdWdTSF91SThpM3BVaHZLczAxMEwzRVFmRVkwc2hrQVZRY1hEb3JNVmhkZkd2WE84aURMODBqR1BDWmNidXpZc1BQQ0RycWd5UTl6SFctWGVMSURXUlh3YW16TE1pNGZqOXRNcXB6b3FUdkhZUUFGQWdHbTU2Umh0ZDE0SWxaU19yYnZ2aFFLMDVEUDB2MHJtZFU0SXZoTzBTcUJLRjdkN1FIbFppd09nd2ppQzktU3JORkFzSngtSy1PMzBROThpMUhKRjd2MXNCMFE1OTFzYUVZMmM3VWhXTnpqdm5DM2gtYXdtSi1TM2FJSFFGNWNObmtTbTRUN3VZWHEwRW9oMEM2cEdlMUlZSzM1RHlGZjRsZEZXVTNVQmpvUlc0dG1jd2lmNE96ZXg3eWw3NmV5WWRxeXRscXk0bmwxeWZlTXpMSTJlNm5ucWlBdFdEUTY2Y3NSTVZVb1JpdUtvZWdOZldIelRUdUZabU1OdHpNdXpsR1JFbmtJazZnZl84VUNPME9Kd1FZM2luQldGZFc2V2l4RWRwSzFxT1VEVzBjWGRQVWt0NkZhNHJzU0NUTTZvbWNvVkRiU3hWV3Fqa2JtS0ZnU1pnVjdaUUZiM2doa3E5VmhtZVlzbmpfSmc0Skxnc3JpRzlZUWlKOWljYl9TWHNuNUhJQXcyOWhFR3BEMW01Q05IZmt6SVBxbllYWmlfaXAwSGlwWjBiVU9RN3JBYXVkTHktZHlhcyIsImUiOiJBUUFCIn19.eyJqdGkiOiIwY2I1MmI3NC0wOGY2LTQ3NDItOWJkMS00ZTc1ZTAyODEyMDMiLCJleHAiOjE1ODU2NzE5NjUsIm5iZiI6MTU4NTY3MTY2NSwiaWF0IjoxNTg1NjcxNjY1LCJpc3MiOiJodHRwczovL3Nzby5yZWRoYXQuY29tL2F1dGgvcmVhbG1zL3JoYzR0cCIsImF1ZCI6ImRvY2tlci1yZWdpc3RyeSIsInN1YiI6Imd1eW5kdW1haXMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkb2NrZXItcmVnaXN0cnkiLCJhY2Nlc3MiOltdfQ.2aHJ2LbPR1YnCcgM_YcJC6DJv3M1PO9MKgcHiOYg5iH6XlOx_BudQhSF2U5iVeU_v7Pdmg3uaxrBGsyPFh8b_joHF54TAGHqHmRg4kOsncs-OmGX-_ZjAXMW90nlL5FFZOFwZxYhZXBQ_3dWQxBbv3s5Zpbi8P3JYqtZ0C-Oz6w7MywK_0cyfLbM1D5TVNJyT83KzO41JadPBxxBBH5yMWQEfJb1L5Yq9_qQlkhynJPVyb6uxHmAW-CoyZ3TLNl-VlOE4DNGwRKbEfM_46FaHPdRdWVVPsqsZQ1xVIfUEemFe-vSCFWAmPFIum6_ee4zkXYR2h49ZfLkLZb3br60HdA4YhBC8LsqvCHVL16CIW5q68ESSmgoRJ3FF9-FVh1ZnI_J_dHr1ayRZH8tIsIITIntsaHzXfV_ekTlm4U1xd7ygGbuyauzdbsdp4Ys7T3vvYq3U7Mp1Li_wNAff_0f9-3kWOqSohZs6hxwsu_No4xvNosoYDXkLewQOFtvj42GvEqKX3nnsj02i1SD_NuWHGg8aMuk_EUhVLhNJID_7KccoALqwrfHyr9Qs-aGyKzZkhk-DIrn0u7eiDrOIKX1-VPmflgWtTJnsQ34uzzTBEto2VUT1BXxwlqsZr-ce4N6hmPcH9Psfk5y7_ixKrTzJpwd31SpvpVYxKcNnlQbM2c
2020-03-31 11:21:05,395-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << HTTP/1.1 401 Unauthorized
2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Content-Length: 162
2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Content-Type: application/json; charset=utf-8
2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Docker-Distribution-Api-Version: registry/2.0
2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << WWW-Authenticate: Basic realm=openshift,error="access denied"
2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << X-Registry-Supports-Signatures: 1
2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Expires: Tue, 31 Mar 2020 16:21:05 GMT
2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Cache-Control: max-age=0, no-cache, no-store
2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Pragma: no-cache
2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Date: Tue, 31 Mar 2020 16:21:05 GMT
2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Connection: keep-alive
2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Set-Cookie: 172555eec50a0d95563a405b15a8a45f=d8bbc5e2956a76b70c612792ef074c24; path=/; HttpOnly; Secure
2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive for 30000 MILLISECONDS
2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.auth.HttpAuthenticator - Authentication required
2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.auth.HttpAuthenticator - registry.connect.redhat.com:443 requested authentication
2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Authentication schemes in the order of preference: [Token, Bearer, NTLM, Digest, Basic]
2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Token authentication scheme not available
2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Bearer authentication scheme not available
2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.auth.HttpAuthenticator - Selected authentication options: [BASIC [complete=true]]
2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-4: set socket timeout to 20000
2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.execchain.MainClientExec - Executing request GET /v2/tuommaki/helloworld/manifests/latest HTTP/1.1
2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.execchain.MainClientExec - Target auth state: CHALLENGED
2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.auth.HttpAuthenticator - Generating response to an authentication challenge using basic scheme
2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> GET /v2/tuommaki/helloworld/manifests/latest HTTP/1.1
2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v2+json
2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v1+prettyjws
2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v1+json
2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/json
2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.list.v2+json
2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Host: registry.connect.redhat.com
2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Connection: Keep-Alive
2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> User-Agent: Nexus/3.22.0-02 (PRO; Mac OS X; 10.15.4; x86_64; 1.8.0_192)
2020-03-31 11:21:05,404-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept-Encoding: gzip,deflate
2020-03-31 11:21:05,404-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Authorization: Basic ****************************
2020-03-31 11:21:05,472-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << HTTP/1.1 401 Unauthorized

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

screenshot-1.png
04/10/20 06:56 AM
231 kB
Artem Ishchenko
screenshot-2.png
04/10/20 07:07 AM
229 kB
Artem Ishchenko
screenshot-3.png
04/10/20 07:20 AM
545 kB
Artem Ishchenko

Infinite loop for authorization in registry.connect.redhat.com docker proxy

Details

Description

Attachments

Attachments

Activity

People

Dates

tigCommentSecurity.panel-title