Hello, I need to clarify the docker daemon documentation on registry with auth. I have found the docker docs, and I also found the godocs for the docker registry. I searched the auth process, but I could not find anything that would help me understand the sentence:

Resource Name

The resource name represent the name which identifies a resource for a resource provider. A resource is identified by this name and the provided resource type. An example of a resource name would be the name component of an image tag, such as “samalba/myapp” or “hostname/samalba/myapp”.

If I do e.g. docker push myprivregistry/project:TESTPASSED, does the docker daemon include the tag "TESTPASSED" in its query against the auth server?

The auth process is described in the docker docs, Token Authentication Specification.

What exactly does request no. 3 look like?

dosmanak

1 Answer

So I faked the auth server using a crafted JWT token signed with the RSA key trusted by the docker registry.

The crafted JWT has the following claim, so the push of the "registry" repository should be possible:

  "access": [
    {
      "type": "repository",
      "name": "registry",
      "actions": [
        "pull",
        "push"
      ]
    }
  ],

I successfully logged in using docker login, then I tried to push using docker push localhost:5000/registry:registry_test2

The request against auth service looks like:


POST /auth.json HTTP/1.1
Host: 172.17.0.1:80
User-Agent: docker/17.05.0-ce go/go1.7.5 git-commit/89658be kernel/4.13.0-41-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.05.0-ce \(linux\))
Content-Length: 149
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Connection: close

client_id=docker&grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&scope=repository%3Aregistry%3Apush%2Cpull&service=test.docker.registry

From the POST body I can see that only the repository name "registry" and the allowed actions are present, but I cannot see the image tag.

So the answer to my question is NO, the image tag is not part of the authentication request against the auth service.

dosmanak
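The auth-service side of the request shown in the answer, as an added example that is not part of the original post or of the Docker registry code: it parses the captured POST body, splits each scope into type, name and actions, and builds the JWT "access" claim as the intersection of requested and permitted actions. The ACL table and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Token request body captured in the answer above (request no. 3).
BODY = ("client_id=docker&grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA"
        "&scope=repository%3Aregistry%3Apush%2Cpull&service=test.docker.registry")

# Constructed ACL (assumption): (type, name) -> actions the account may perform.
ACL = {("repository", "registry"): {"pull", "push"}}


def parse_scope(scope):
    """Split one 'type:name:actions' scope; the name may contain ':' (host:port)."""
    rtype, sep, rest = scope.partition(":")
    name, sep2, actions = rest.rpartition(":")
    if not (rtype and sep and sep2 and name and actions):
        raise ValueError(f"malformed scope: {scope!r}")
    return rtype, name, [a for a in actions.split(",") if a]


def access_claim(body, acl):
    """Build the JWT 'access' claim: requested actions intersected with the ACL."""
    form = parse_qs(body)
    access = []
    for value in form.get("scope", []):
        for scope in value.split():  # several scopes in one value are space-delimited
            rtype, name, wanted = parse_scope(scope)
            allowed = acl.get((rtype, name), set())
            access.append({"type": rtype, "name": name,
                           "actions": sorted(a for a in wanted if a in allowed)})
    return access


if __name__ == "__main__":
    # The scope carries only type, repository name and actions: no tag field exists,
    # so an auth service cannot grant or deny per tag from this request.
    print(access_claim(BODY, ACL))
```
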