From cwolf.algo at gmail.com Mon Sep 21 15:15:20 2015
From: cwolf.algo at gmail.com (Chris Wolf)
Date: Mon, 21 Sep 2015 17:15:20 -0400
Subject: [Containers] Cannot authenticate with Registry-v2 via Portus token service
Message-ID:

Hello,

I wanted to use the Docker registry v2 because it supports access control. I found the SUSE/Portus project which implements the token service needed to access the registry. I set it up and created a user, team and namespaces. Now I want to get a list of the images in the registry via the API.

I used the following as a guide to getting an access token via Portus:
https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md

I got the token and then tried what should be the simplest action - to get a list of repositories. I followed this doc as a guide:
https://github.com/docker/distribution/blob/master/docs/spec/api.md#listing-repositories

...but when I do "GET /v2/_catalog", it comes back with "invalid_token".

Below is the full request interaction. If anyone can help out by telling me what I'm doing wrong - that would be great - thanks!

-Chris

# initial attempt to access resource (catalog)
$ curl --include http://192.168.1.142:5000/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="http://localhost:3000/v2/token",service="localhost:5000",scope="registry:catalog:*"
Date: Mon, 21 Sep 2015 20:21:11 GMT
Content-Length: 161

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}

# request token for resource...
$ curl --include --user cwolf 'http://192.168.1.142:3000/v2/token?service=localhost:5000&scope=registry:catalog:*'
Enter host password for user 'cwolf':
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
ETag: W/"c888f2d92aaa3fb9e9659ff58be009df"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _portus_session=U1M1SkxJZTlLUUpYODNDYVN4Tzh5ZGx4ZWpuUlB0bUFwVGY4cGRLVGw5M1pYQ2FYOEgvRUpoajVXMUlsejVyNXZvcGs1SlZlUFFqOHpnUCt3bUlkRkE9PS0tdCtWbjBjSzNHZllEajVKcURPK0VvZz09--a24d8e9edd764da567bc9d18cb8c6af6ee83c096; path=/; HttpOnly
X-Request-Id: 11c945da-9b71-46f9-bedc-5cdced9dfac3
X-Runtime: 0.121197
Connection: close
Server: thin

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBUV1Q6Rk5KRTo3VFc3OlVMSTc6RFpRQTpKSkpJOlJESlE6Mk03NjpIRDZHOlpSU0M6VlBJRjpPNUJVIn0.eyJpc3MiOiJwb3J0dXMudGVzdC5sYW4iLCJzdWIiOm51bGwsImF1ZCI6ImxvY2FsaG9zdDo1MDAwIiwiaWF0IjoxNDQyODY2OTc5LCJuYmYiOjE0NDI4NjY5NzQsImV4cCI6MTQ0Mjg2NzI3OSwianRpIjoiaG9kcEN4TEF3MWh6TmRWWW9xMjh1VU5Lc2tDekNTYlRDbURDVGpyeGNXIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.nqiYlLoDYQt9w_-fQFcCSW0THeMss119JxqZnpg0ZE89h3VBl89rMFn78vCNQ9n7tTotKvjtlKJptegq7Vvpahj8qGNXEvAyaSyTKot8JX_VtbY7HQ-TaHSg2Kt0QKiF4IO-esTwxN-PAySQlAXeE4bWUM_rafHRuJ03E7UawgYlVADjLgvtbwqJAWztDyK1vTPnEkf4xT1bVT_XC6q12R5-Uuo4E-IyutZWuqoldHcDdMluqUXNKicBVX5LMkalOqB0DHgVTlQJoIaX2Rsuzd-DCGHy2tPgOkmaqCrbji1FZhIoczpD3JTJZ-MOI-wkg6qBsQ-49HOd7GpIrSzRsWt5Umy3nr9CQEsn4FWFJJW2M88oThGczbijZAE047yUCwYoFsMuxH_4KCcOZXqXPuXN_lJFR75q8GYqowb1TasTxdy2qtmtpm6AF3WgUJlQEI59jzsc2cocCwc2Psccs11mJJOCDtf8awnunue0PY0mp68KuhEWI5eyEqONuBQQLCEnhaq9RNooaRysmIKHVeuL-C2kiyFS21RQfPuAiwQFmvw0Xwaw5Fk1jCDNq57UXJbJxCdW6R8gwStnrhnkY7lO793mYrl-ern8xabmxcaiBezAltPNdXhZmkfMtYM_VPRZn3kvMKnPNvG46sZVaS6mrUDAYGsyyhyo5EqqrFM"}

# Now, retry initial request, this time using token
$ curl --include -H "Authorization: Bearer 
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBUV1Q6Rk5KRTo3VFc3OlVMSTc6RFpRQTpKSkpJOlJESlE6Mk03NjpIRDZHOlpSU0M6VlBJRjpPNUJVIn0.eyJpc3MiOiJwb3J0dXMudGVzdC5sYW4iLCJzdWIiOm51bGwsImF1ZCI6ImxvY2FsaG9zdDo1MDAwIiwiaWF0IjoxNDQyODY2OTc5LCJuYmYiOjE0NDI4NjY5NzQsImV4cCI6MTQ0Mjg2NzI3OSwianRpIjoiaG9kcEN4TEF3MWh6TmRWWW9xMjh1VU5Lc2tDekNTYlRDbURDVGpyeGNXIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.nqiYlLoDYQt9w_-fQFcCSW0THeMss119JxqZnpg0ZE89h3VBl89rMFn78vCNQ9n7tTotKvjtlKJptegq7Vvpahj8qGNXEvAyaSyTKot8JX_VtbY7HQ-TaHSg2Kt0QKiF4IO-esTwxN-PAySQlAXeE4bWUM_rafHRuJ03E7UawgYlVADjLgvtbwqJAWztDyK1vTPnEkf4xT1bVT_XC6q12R5-Uuo4E-IyutZWuqoldHcDdMluqUXNKicBVX5LMkalOqB0DHgVTlQJoIaX2Rsuzd-DCGHy2tPgOkmaqCrbji1FZhIoczpD3JTJZ-MOI-wkg6qBsQ-49HOd7GpIrSzRsWt5Umy3nr9CQEsn4FWFJJW2M88oThGczbijZAE047yUCwYoFsMuxH_4KCcOZXqXPuXN_lJFR75q8GYqowb1TasTxdy2qtmtpm6AF3WgUJlQEI59jzsc2cocCwc2Psccs11mJJOCDtf8awnunue0PY0mp68KuhEWI5eyEqONuBQQLCEnhaq9RNooaRysmIKHVeuL-C2kiyFS21RQfPuAiwQFmvw0Xwaw5Fk1jCDNq57UXJbJxCdW6R8gwStnrhnkY7lO793mYrl-ern8xabmxcaiBezAltPNdXhZmkfMtYM_VPRZn3kvMKnPNvG46sZVaS6mrUDAYGsyyhyo5Eqqr" http://localhost:5000/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="http://localhost:3000/v2/token",service="localhost:5000",scope="registry:catalog:*",error="invalid_token"
Date: Mon, 21 Sep 2015 20:27:31 GMT
Content-Length: 161

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}

From cwolf.algo at gmail.com Mon Sep 21 15:41:26 2015
From: cwolf.algo at gmail.com (Chris Wolf)
Date: Mon, 21 Sep 2015 17:41:26 -0400
Subject: [Containers] Cannot authenticate with Registry-v2 via Portus token service *** DISREGARD ***
Message-ID:

The issue I was having was messing up copy/pasting big, long token strings. The token auth service works fine, as shown below.

Regards,

Chris Wolf

# attempt to access catalog resource
$ curl --include http://192.168.1.142:5000/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="http://localhost:3000/v2/token",service="localhost:5000",scope="registry:catalog:*"
Date: Mon, 21 Sep 2015 20:21:11 GMT
Content-Length: 161

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}

# get auth token to access resource...
$ curl --include --user cwolf 'http://192.168.1.142:3000/v2/token?service=localhost:5000&scope=registry:catalog:*'
Enter host password for user 'cwolf':
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
ETag: W/"a909904f123cab7b6402cbe0f78a2e95"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _portus_session=VzFacjc2WW9VVVB6eUFSbXdmRndRUDJObTBVY0Z3bHdoKzI3ZWNuTGxMVG1UTndVcU9NRjhraUlld1VWQnhYL1EzNmMzOUJDUVB2cjZVam96cTdoanc9PS0teUQ4RlA3b0FLZTJsbkxFZmhPWHJtZz09--34d368eb343f2b6f27d4c5550f21430211bb6e02; path=/; HttpOnly
X-Request-Id: 7e455fad-b58b-4df0-8d63-2adfcc6508d8
X-Runtime: 0.135983
Connection: close
Server: thin

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBUV1Q6Rk5KRTo3VFc3OlVMSTc6RFpRQTpKSkpJOlJESlE6Mk03NjpIRDZHOlpSU0M6VlBJRjpPNUJVIn0.eyJpc3MiOiJwb3J0dXMudGVzdC5sYW4iLCJzdWIiOm51bGwsImF1ZCI6ImxvY2FsaG9zdDo1MDAwIiwiaWF0IjoxNDQyODcwNzY4LCJuYmYiOjE0NDI4NzA3NjMsImV4cCI6MTQ0Mjg3MTA2OCwianRpIjoiUzZLdlVZNkZnSnpTOXFrbWVvOWJ0RlZNUENaZmdOWXZKQ29oOXBxQmJ4IiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.sAi-3DJH0WO_K4jNFzfq7jMTOnvMSsBYSwszZxFcy3yRijoDOCcGef-GwlvkNMJ1I3tjIgQTC1mzqGMUc0nGMLUd81kJbfyu72kTpPNcW1JmLDt0XgNQ4dzlgR_RQRSq3ieBqjx266_FbK6PULMPxPJB2KOT_79uhd3PftUa1522OoJEminmOmHX83Zm_VZ-vbCQO9s0J4esxVlw2FLb-S3SfPK8_kN3cOj4NfleraQH4bYmYcTO7MFKNd89VmlZgAiingDRz2_W4fiT6xh2S2qcSvzJhCWL5nxY20eN4enpqUPTTHwVK7zhjG-KcM0Q2PoZIW1tuhyfnu-YrBMUJptDcxLUEQfKZOxHnpkzTDrqvn4eeY1lMTC2jKt02pxZTXZDoEQvBuMy8vPSMWZwaUc4JyxxCGPwdWvJgogSAH1XQO8gArq8zAarcSbcEgyCVMpAgmpFcL4PV_vW4G5e0FHGGZtD_X2ZOP0Q9xF0wJgwD_UWExeoBu5r5SD_1wL6y-_cExSIGrVTVl90VejUq0d_dECR_25Mt7tOVdkaUwJdWbJOtfueNenJqYGQKeVfE83_G7l3YvCHJ2_JDWO6sR95mrPiOm3EtCPc5bDzqWfrRAoUGZUThPOhkitjqTO9TuJNB_48-xTcSg6zDGNikMm_BcmSwEQWHPq2EtMWL2E"}

# Now use token to access resource...
$ curl --include -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBUV1Q6Rk5KRTo3VFc3OlVMSTc6RFpRQTpKSkpJOlJESlE6Mk03NjpIRDZHOlpSU0M6VlBJRjpPNUJVIn0.eyJpc3MiOiJwb3J0dXMudGVzdC5sYW4iLCJzdWIiOm51bGwsImF1ZCI6ImxvY2FsaG9zdDo1MDAwIiwiaWF0IjoxNDQyODcwNzY4LCJuYmYiOjE0NDI4NzA3NjMsImV4cCI6MTQ0Mjg3MTA2OCwianRpIjoiUzZLdlVZNkZnSnpTOXFrbWVvOWJ0RlZNUENaZmdOWXZKQ29oOXBxQmJ4IiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.sAi-3DJH0WO_K4jNFzfq7jMTOnvMSsBYSwszZxFcy3yRijoDOCcGef-GwlvkNMJ1I3tjIgQTC1mzqGMUc0nGMLUd81kJbfyu72kTpPNcW1JmLDt0XgNQ4dzlgR_RQRSq3ieBqjx266_FbK6PULMPxPJB2KOT_79uhd3PftUa1522OoJEminmOmHX83Zm_VZ-vbCQO9s0J4esxVlw2FLb-S3SfPK8_kN3cOj4NfleraQH4bYmYcTO7MFKNd89VmlZgAiingDRz2_W4fiT6xh2S2qcSvzJhCWL5nxY20eN4enpqUPTTHwVK7zhjG-KcM0Q2PoZIW1tuhyfnu-YrBMUJptDcxLUEQfKZOxHnpkzTDrqvn4eeY1lMTC2jKt02pxZTXZDoEQvBuMy8vPSMWZwaUc4JyxxCGPwdWvJgogSAH1XQO8gArq8zAarcSbcEgyCVMpAgmpFcL4PV_vW4G5e0FHGGZtD_X2ZOP0Q9xF0wJgwD_UWExeoBu5r5SD_1wL6y-_cExSIGrVTVl90VejUq0d_dECR_25Mt7tOVdkaUwJdWbJOtfueNenJqYGQKeVfE83_G7l3YvCHJ2_JDWO6sR95mrPiOm3EtCPc5bDzqWfrRAoUGZUThPOhkitjqTO9TuJNB_48-xTcSg6zDGNikMm_BcmSwEQWHPq2EtMWL2E" http://localhost:5000/v2/_catalog
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Date: Mon, 21 Sep 2015 21:27:50 GMT
Content-Length: 34

{"repositories":["cwolfbusybox"]}
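
One way to run the exchange shown in the thread without hand-copying the token, which the follow-up message names as the cause of the invalid_token response. This is an added example, not part of the original posts; the helper names are hypothetical, and SAMPLE_CHALLENGE is the Www-Authenticate header from the transcript.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. SAMPLE_CHALLENGE is the
# Www-Authenticate header the registry returned in the transcript above.
SAMPLE_CHALLENGE='Www-Authenticate: Bearer realm="http://localhost:3000/v2/token",service="localhost:5000",scope="registry:catalog:*"'

# Extract one key="value" parameter from a Bearer challenge header.
challenge_param() {  # $1 = header line, $2 = parameter name
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the token-service request URL: realm?service=...&scope=...
token_url() {  # $1 = header line
    printf '%s?service=%s&scope=%s\n' "$(challenge_param "$1" realm)" \
        "$(challenge_param "$1" service)" "$(challenge_param "$1" scope)"
}

# Read the token-service JSON body on stdin, print the "token" value.
token_from_json() {
    sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# Structural check for a clipped token: exactly three non-empty base64url
# segments, none with an impossible length (n % 4 == 1). It cannot catch
# every truncation; the registry's signature check remains authoritative.
jwt_shape_ok() {  # $1 = token
    case "$1" in ''|*[!A-Za-z0-9_.-]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 3 ] || return 1
    for seg in "$@"; do
        [ -n "$seg" ] && [ $(( ${#seg} % 4 )) -ne 1 ] || return 1
    done
    return 0
}

# The flow from the transcript with the token held in a variable instead of
# being pasted by hand. Needs the live services, so nothing calls it here.
list_catalog() {  # $1 = registry base URL, $2 = user name
    hdr=$(curl -s -o /dev/null -D - "$1/v2/_catalog" | tr -d '\r' |
          grep -i '^www-authenticate:') || return 1
    token=$(curl -s --user "$2" "$(token_url "$hdr")" | token_from_json)
    jwt_shape_ok "$token" || { echo "token is malformed or truncated" >&2; return 1; }
    curl -s --include -H "Authorization: Bearer $token" "$1/v2/_catalog"
}
```

Against the setup in the thread the call would be `list_catalog http://192.168.1.142:5000 cwolf`; the token request goes to whatever realm the registry advertises in its challenge.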