[Containers] Cannot authenticate with Registry-v2 via Portus token service

Chris Wolf cwolf.algo at gmail.com
Mon Sep 21 15:15:20 MDT 2015


Hello,

I wanted to use the Docker registry v2 because it supports access
control.  I found the SUSE/Portus project which implements the token
service needed to access the registry.  I set it up and created a
user, team and namespaces.  Now I want to get a list of the images in
the registry via the API.

I used the following as a guide to getting an access token via Portus:

https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md

I got the token and then tried what should be the simplest action - to
get a list of repositories.  I followed this doc as a guide:

https://github.com/docker/distribution/blob/master/docs/spec/api.md#listing-repositories

...but when I do "GET /v2/_catalog", it comes back with "invalid_token".


Below is the full request interaction.  If anyone can help out by
telling me what I'm doing wrong - that would be great - thanks!

   -Chris



# initial attempt to access resource (catalog)

$ curl --include http://192.168.1.142:5000/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="http://localhost:3000/v2/token",service="localhost:5000",scope="registry:catalog:*"
Date: Mon, 21 Sep 2015 20:21:11 GMT
Content-Length: 161

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}

# request token for resource...

$ curl --include --user cwolf 'http://192.168.1.142:3000/v2/token?service=localhost:5000&scope=registry:catalog:*'
Enter host password for user 'cwolf':
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
ETag: W/"c888f2d92aaa3fb9e9659ff58be009df"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _portus_session=U1M1SkxJZTlLUUpYODNDYVN4Tzh5ZGx4ZWpuUlB0bUFwVGY4cGRLVGw5M1pYQ2FYOEgvRUpoajVXMUlsejVyNXZvcGs1SlZlUFFqOHpnUCt3bUlkRkE9PS0tdCtWbjBjSzNHZllEajVKcURPK0VvZz09--a24d8e9edd764da567bc9d18cb8c6af6ee83c096;
path=/; HttpOnly
X-Request-Id: 11c945da-9b71-46f9-bedc-5cdced9dfac3
X-Runtime: 0.121197
Connection: close
Server: thin

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBUV1Q6Rk5KRTo3VFc3OlVMSTc6RFpRQTpKSkpJOlJESlE6Mk03NjpIRDZHOlpSU0M6VlBJRjpPNUJVIn0.eyJpc3MiOiJwb3J0dXMudGVzdC5sYW4iLCJzdWIiOm51bGwsImF1ZCI6ImxvY2FsaG9zdDo1MDAwIiwiaWF0IjoxNDQyODY2OTc5LCJuYmYiOjE0NDI4NjY5NzQsImV4cCI6MTQ0Mjg2NzI3OSwianRpIjoiaG9kcEN4TEF3MWh6TmRWWW9xMjh1VU5Lc2tDekNTYlRDbURDVGpyeGNXIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.nqiYlLoDYQt9w_-fQFcCSW0THeMss119JxqZnpg0ZE89h3VBl89rMFn78vCNQ9n7tTotKvjtlKJptegq7Vvpahj8qGNXEvAyaSyTKot8JX_VtbY7HQ-TaHSg2Kt0QKiF4IO-esTwxN-PAySQlAXeE4bWUM_rafHRuJ03E7UawgYlVADjLgvtbwqJAWztDyK1vTPnEkf4xT1bVT_XC6q12R5-Uuo4E-IyutZWuqoldHcDdMluqUXNKicBVX5LMkalOqB0DHgVTlQJoIaX2Rsuzd-DCGHy2tPgOkmaqCrbji1FZhIoczpD3JTJZ-MOI-wkg6qBsQ-49HOd7GpIrSzRsWt5Umy3nr9CQEsn4FWFJJW2M88oThGczbijZAE047yUCwYoFsMuxH_4KCcOZXqXPuXN_lJFR75q8GYqowb1TasTxdy2qtmtpm6AF3WgUJlQEI59jzsc2cocCwc2Psccs11mJJOCDtf8awnunue0PY0mp68KuhEWI5eyEqONuBQQLCEnhaq9RNooaRysmIKHVeuL-C2kiyFS21RQfPuAiwQFmvw0Xwaw5Fk1jCDNq57UXJbJxCdW6R8gwStnrhnkY7lO793mYrl-ern8xabmxcaiBezAltPNdXhZmkfMtYM_VPRZn3kvMKnPNvG46sZVaS6mrUDAYGsyyhyo5EqqrFM"}

#  Now, retry initial request, this time using token

$ curl --include -H "Authorization: Bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBUV1Q6Rk5KRTo3VFc3OlVMSTc6RFpRQTpKSkpJOlJESlE6Mk03NjpIRDZHOlpSU0M6VlBJRjpPNUJVIn0.eyJpc3MiOiJwb3J0dXMudGVzdC5sYW4iLCJzdWIiOm51bGwsImF1ZCI6ImxvY2FsaG9zdDo1MDAwIiwiaWF0IjoxNDQyODY2OTc5LCJuYmYiOjE0NDI4NjY5NzQsImV4cCI6MTQ0Mjg2NzI3OSwianRpIjoiaG9kcEN4TEF3MWh6TmRWWW9xMjh1VU5Lc2tDekNTYlRDbURDVGpyeGNXIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.nqiYlLoDYQt9w_-fQFcCSW0THeMss119JxqZnpg0ZE89h3VBl89rMFn78vCNQ9n7tTotKvjtlKJptegq7Vvpahj8qGNXEvAyaSyTKot8JX_VtbY7HQ-TaHSg2Kt0QKiF4IO-esTwxN-PAySQlAXeE4bWUM_rafHRuJ03E7UawgYlVADjLgvtbwqJAWztDyK1vTPnEkf4xT1bVT_XC6q12R5-Uuo4E-IyutZWuqoldHcDdMluqUXNKicBVX5LMkalOqB0DHgVTlQJoIaX2Rsuzd-DCGHy2tPgOkmaqCrbji1FZhIoczpD3JTJZ-MOI-wkg6qBsQ-49HOd7GpIrSzRsWt5Umy3nr9CQEsn4FWFJJW2M88oThGczbijZAE047yUCwYoFsMuxH_4KCcOZXqXPuXN_lJFR75q8GYqowb1TasTxdy2qtmtpm6AF3WgUJlQEI59jzsc2cocCwc2Psccs11mJJOCDtf8awnunue0PY0mp68KuhEWI5eyEqONuBQQLCEnhaq9RNooaRysmIKHVeuL-C2kiyFS21RQfPuAiwQFmvw0Xwaw5Fk1jCDNq57UXJbJxCdW6R8gwStnrhnkY7lO793mYrl-ern8xabmxcaiBezAltPNdXhZmkfMtYM_VPRZn3kvMKnPNvG46sZVaS6mrUDAYGsyyhyo5Eqqr"
http://localhost:5000/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="http://localhost:3000/v2/token",service="localhost:5000",scope="registry:catalog:*",error="invalid_token"
Date: Mon, 21 Sep 2015 20:27:31 GMT
Content-Length: 161

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}
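
Added example, not part of the original post: an offline checker for the things a registry compares before accepting a bearer token from the exchange above, namely the `Www-Authenticate` challenge against the JWT's `aud`, `access`, `nbf`/`exp` claims, and whether the token sent back is byte-for-byte the one the token service issued. The sample token is constructed with a placeholder signature, the RSA-size check is a heuristic assumption, and no signature verification is performed.

```python
import base64
import json
import re

def b64url_decode(seg):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_challenge(header):
    # 'Bearer realm="..",service="..",scope=".."' -> {"realm": .., ...}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def check_token(token, challenge, now, issued=None):
    """List reasons a registry could answer invalid_token for this JWT."""
    problems = []
    if issued is not None and token != issued:
        problems.append("token sent is not byte-identical to token issued")
    parts = token.split(".")
    if len(parts) != 3:
        return problems + ["not a three-segment JWT"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:
        return problems + ["segment is not valid base64url/JSON"]
    # Heuristic (assumption): RS256 signatures are as long as the RSA modulus.
    if len(sig) not in (256, 384, 512):
        problems.append(f"signature is {len(sig)} bytes, not an RSA size")
    if claims.get("aud") != challenge.get("service"):
        problems.append("aud claim does not match challenge service")
    if not claims.get("nbf", 0) <= now <= claims.get("exp", 0):
        problems.append("outside nbf/exp validity window")
    for scope in challenge.get("scope", "").split():
        rtype, rest = scope.split(":", 1)
        name, actions = rest.rsplit(":", 1)
        granted = {a for e in claims.get("access", [])
                   if e.get("type") == rtype and e.get("name") == name
                   for a in e.get("actions", [])}
        if not set(actions.split(",")) <= granted:
            problems.append(f"scope {scope} not granted in access claim")
    return problems

# Constructed sample: placeholder signature of 256 zero bytes, made-up times.
CHALLENGE = parse_challenge(
    'Bearer realm="http://localhost:3000/v2/token",'
    'service="localhost:5000",scope="registry:catalog:*"')
CLAIMS = {"aud": "localhost:5000", "nbf": 995, "exp": 1300,
          "access": [{"type": "registry", "name": "catalog", "actions": ["*"]}]}
ISSUED = ".".join([b64url_encode(b'{"alg":"RS256"}'),
                   b64url_encode(json.dumps(CLAIMS).encode()),
                   b64url_encode(bytes(256))])
```

Call `check_token(sent, CHALLENGE, now, issued=ISSUED)` with the current Unix time; an empty list means none of these checks explains the rejection, and the registry's configured issuer and signing certificate are the next things to compare.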

