  1. Dev - Nexus Repo
  2. NEXUS-9838

Invalid scope specification for Docker hub authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 3.0.0-m7, 3.0.0
    • Fix Version/s: 3.0.0
    • Component/s: Docker, Documentation
    • Labels:
      None
    • Story Points:
      3
    • Sprint:
      Sprint 65 - Föhn

      Description


      The Docker proxy recipe for Docker Hub may perform a pull using the v1 API for the registry, but not v2. The basis for the following explanation is the Docker Registry v2 authentication via central service and the Docker Registry v2 Bearer token specification.

      When attempting to perform a pull from an official library

      $ docker pull centos:5
      

      The following log entries are produced (with some information not included)

      2016-02-17 19:40:27,269-0700 Fetching: GET https://registry-1.docker.io/v2/centos/manifests/5 HTTP/1.1
      2016-02-17 19:40:28,034-0700 Fetching: GET https://auth.docker.io/token?service=registry.docker.io&scope=repository:centos:pull HTTP/1.1
      2016-02-17 19:40:28,482-0700 Response: HttpResponseProxy{ HTTP/1.1 200 OK [Content-Type: application/json, Date: Thu,18 Feb 2016 02:40:28 GMT, Content-Length: 1358, Strict-Transport-Security: max-age=31536000] ResponseEntityProxy{[Content-Type: application/json,Content-Length: 1358,Chunked: false]}}
      2016-02-17 19:40:28,628-0700 Error: GET /v2/centos/manifests/5: 401 - ... access to the requested resource is not authorized

      When the same sequence is performed manually, the result, obviously, remains the same. When authenticating anonymously, the following access is included in the resultant JWT token

      {
          "access": []
      }
      

      The request that should be made is the following

      https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/centos:pull

      Notice the inclusion of library. The result when the token is requested is

      {
          "access": [
              {
                  "type": "repository",
                  "name": "library/centos",
                  "actions": [
                      "pull"
                  ]
              }
          ]
      }
      

      The request for the manifest should also include library

      GET /v2/library/centos/manifests/5

      The documentation for 3.0 alludes to the library in section 9.10. Pulling Images. However, the examples do not include the library and, when not included, the application, as it should, reverts to v1 and produces the following warning

      $ docker pull private-registry:18444/centos:5
      ...
      private-registry:18444/centos: this image was pulled from a legacy registry. Important: This registry version will not be supported in future versions of docker.

      Suggested Actions


      In order to avoid confusion

      • the documentation should be updated to explain the need to include the library registry
      • the code should be updated to include library when not specified in the pull request

      Workaround


      In order to avoid falling back to v1 and the warning message, include the library when needed.

      $ docker pull private-registry:18444/library/centos:5
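
The scope handling described in this report, as an added example (not code from Nexus Repository or from the reporter): it qualifies a bare official-image name with `library/`, builds the token URL and manifest path from the qualified name, and checks a token's `access` claim before the manifest request is made. The function names and the unsigned sample token are constructed for illustration; the token is decoded for inspection only and its signature is not verified.

```python
import base64
import json
from urllib.parse import urlencode

# Endpoint and service name are taken from the log lines in the report.
AUTH_URL = "https://auth.docker.io/token"
SERVICE = "registry.docker.io"

def hub_repository(name):
    """Qualify a bare official-image name with the 'library/' namespace."""
    name = name.strip("/")
    return name if "/" in name else "library/" + name

def token_url(name, action="pull"):
    """Token request URL whose scope names the fully qualified repository."""
    scope = "repository:%s:%s" % (hub_repository(name), action)
    return AUTH_URL + "?" + urlencode({"service": SERVICE, "scope": scope}, safe=":/")

def manifest_path(name, reference):
    """Registry v2 manifest path for the same qualified repository."""
    return "/v2/%s/manifests/%s" % (hub_repository(name), reference)

def jwt_claims(token):
    """Decode the JWT payload for inspection only; no signature check is done."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def grants(token, name, action="pull"):
    """True if the token's 'access' claim covers action on the repository."""
    repo = hub_repository(name)
    return any(
        entry.get("type") == "repository"
        and entry.get("name") == repo
        and action in entry.get("actions", [])
        for entry in jwt_claims(token).get("access", [])
    )

def constructed_token(access):
    """Constructed, unsigned sample token carrying only an 'access' claim."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"access": access}), ""])

if __name__ == "__main__":
    print(token_url("centos"))
    print(manifest_path("centos", "5"))
    print(grants(constructed_token([]), "centos"))  # empty access, as in the report
```

Checking `grants()` right after the token response surfaces an empty `access` list as a scope problem instead of a later 401 on the manifest request.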

              People

              Assignee:
              dwallace Dulani Wallace
              Reporter:
              bkeyser-arrow Brian Keyser
              Last Updated By:
              Peter Lynch
              Votes:
              1
              Watchers:
              7
