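Hello,
I've run into a problem that I haven't been able to solve, and I need your help!
After starting harbor, login works normally, but push fails with the following error:
docker push docker.xxx.com/demo/xxx fails with "unauthorized: authentication required"
The docker ui log shows the following error:
[INFO] login request with invalid credentials
After I modified nginx, the errors persisted. I then reverted all the configuration and restarted the containers with docker-compose, and now get the following:
Web login works;
Added "--insecure-registry hub.xxx.com" to the docker configuration file and restarted docker;
docker login hub.xxx.com fails with the following error:
http://hub.xxxx.com/service/token?account=yan&service=token-service request failed with status: 401 Unauthorized]
The docker ui log shows the same error as above;
Could the developers please take a look at this? Thanks.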
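I ran into the same problem. Has it been resolved?
The problem may be in the token request made during docker login. I suggest checking whether the token URL in registry/config.yaml is configured correctly.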
auth:
  token:
    issuer: registry-token-issuer
    realm: https://YOUR_DOMAIN/service/token
    rootcertbundle: /etc/registry/root.crt
    service: token-service
registry | time="2017-03-16T11:37:37.680312897Z" level=debug msg="authorizing request" go.version=go1.6.3 http.request.host=reg.example.cn http.request.id=9888f427-33ef-4d6b-8fe2-5b3edb19f9bd http.request.method=GET http.request.remoteaddr=7.93.55.60 http.request.uri="/v2/" http.request.useragent="docker/1.13.1 go/go1.7.3 git-commit/092cba3 kernel/4.10.1-coreos os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))" instance.id=76c7203d-32d2-4d22-92d4-2c20dfcb47a2 service=registry version=v2.5.0
registry | time="2017-03-16T11:37:37.680395836Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.6.3 http.request.host=reg.example.cn http.request.id=9888f427-33ef-4d6b-8fe2-5b3edb19f9bd http.request.method=GET http.request.remoteaddr=7.93.55.60 http.request.uri="/v2/" http.request.useragent="docker/1.13.1 go/go1.7.3 git-commit/092cba3 kernel/4.10.1-coreos os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))" instance.id=76c7203d-32d2-4d22-92d4-2c20dfcb47a2 service=registry version=v2.5.0
registry | 10.11.3.140 - - [16/Mar/2017:11:37:37 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.13.1 go/go1.7.3 git-commit/092cba3 kernel/4.10.1-coreos os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))"
harbor-ui | 2017-03-16T11:37:37Z [DEBUG] [authutils.go:49]: scopes: []
harbor-ui | 2017-03-16T11:37:37Z [INFO] request url: /service/token?account=tad&client_id=docker&offline_token=true&service=token-service
harbor-ui | 2017-03-16T11:37:37Z [WARNING] Failed to get secret cookie, error: http: named cookie not present
harbor-ui | 2017-03-16T11:37:37Z [DEBUG] [token.go:53]: uid for logging:
harbor-ui | 2017-03-16T11:37:37Z [DEBUG] [authenticator.go:57]: Current AUTH_MODE is db_auth
harbor-ui | 2017-03-16T11:37:37Z [DEBUG] [authenticator.go:69]: Login failed, locking , and sleep for 1.5s
harbor-ui | 2017-03-16T11:37:39Z [WARNING] login request with invalid credentials in token service, uid:
registry | time="2017-03-16T11:37:52.408192621Z" level=debug msg="authorizing request" go.version=go1.6.3 http.request.host=reg.example.cn http.request.id=aff5542a-4ff9-4f12-a099-968173a94b18 http.request.method=GET http.request.remoteaddr=7.93.55.60 http.request.uri="/v2/" http.request.useragent="docker/1.13.1 go/go1.7.3 git-commit/092cba3 kernel/4.10.1-coreos os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))" instance.id=76c7203d-32d2-4d22-92d4-2c20dfcb47a2 service=registry version=v2.5.0
registry | time="2017-03-16T11:37:52.408281116Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.6.3 http.request.host=reg.example.cn http.request.id=aff5542a-4ff9-4f12-a099-968173a94b18 http.request.method=GET http.request.remoteaddr=7.93.55.60 http.request.uri="/v2/" http.request.useragent="docker/1.13.1 go/go1.7.3 git-commit/092cba3 kernel/4.10.1-coreos os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))" instance.id=76c7203d-32d2-4d22-92d4-2c20dfcb47a2 service=registry version=v2.5.0
registry | 10.11.3.140 - - [16/Mar/2017:11:37:52 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.13.1 go/go1.7.3 git-commit/092cba3 kernel/4.10.1-coreos os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))"
harbor-ui | 2017-03-16T11:37:52Z [DEBUG] [authutils.go:49]: scopes: []
harbor-ui | 2017-03-16T11:37:52Z [INFO] request url: /service/token?account=tad&client_id=docker&offline_token=true&service=token-service
harbor-ui | 2017-03-16T11:37:52Z [WARNING] Failed to get secret cookie, error: http: named cookie not present
harbor-ui | 2017-03-16T11:37:52Z [DEBUG] [token.go:53]: uid for logging:
harbor-ui | 2017-03-16T11:37:52Z [DEBUG] [authenticator.go:57]: Current AUTH_MODE is db_auth
harbor-ui | 2017-03-16T11:37:52Z [DEBUG] [authenticator.go:69]: Login failed, locking , and sleep for 1.5s
harbor-ui | 2017-03-16T11:37:53Z [WARNING] login request with invalid credentials in token service, uid:
I have the same issue. But I fixed it by updating registry/config.yaml's realm like what @niuchp said.
Hope it helps.
Thank you @niuchp. Your answer helped me too.
I've set up an additional proxy to do SSL termination and configured harbor with just plain "http".
After that I fixed the "EXT_ENDPOINT" variable within the 'jobservice' and 'ui' services. But I could not log in to my registry through "docker login", with logs similar to @wptad's logs.
I've set realm value to: " realm: https://YOUR_DOMAIN/service/token" to use 'https' protocol and "docker login" works now as expected.
Closing as the issue's resolved.
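The fix discussed in this thread comes down to the realm the registry advertises in its 401 challenge matching the URL that clients actually use. The following check is an added example, not code from the thread or from the Harbor project: it parses a Bearer challenge and compares its realm with the external endpoint. The sample header is constructed, and the function names and the example hostname are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the challenge a registry returns on an unauthenticated
# GET /v2/ when realm was left on plain http behind a TLS-terminating proxy.
SAMPLE_CHALLENGE = (
    'Bearer realm="http://reg.example.cn/service/token",service="token-service"'
)


def parse_bearer_challenge(header):
    """Split a WWW-Authenticate Bearer challenge into its key="value" pairs."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', rest))


def check_realm(header, external_url, service="token-service",
                token_path="/service/token"):
    """Return a list of mismatches between the challenge and the client-facing URL."""
    params = parse_bearer_challenge(header)
    realm = params.get("realm")
    if not realm:
        return ["challenge carries no realm"]
    r, e = urlsplit(realm), urlsplit(external_url)
    problems = []
    if r.scheme != e.scheme:
        problems.append("scheme: realm uses %s, clients use %s"
                        % (r.scheme, e.scheme))
    if (r.hostname or "").lower() != (e.hostname or "").lower():
        problems.append("host: realm points at %s, clients use %s"
                        % (r.hostname, e.hostname))
    if r.path != token_path:
        problems.append("path: realm path is %s, expected %s"
                        % (r.path, token_path))
    if params.get("service") != service:
        problems.append("service: challenge says %r, expected %r"
                        % (params.get("service"), service))
    return problems


if __name__ == "__main__":
    for line in check_realm(SAMPLE_CHALLENGE, "https://reg.example.cn"):
        print("MISMATCH", line)
```

The header to feed in is the WWW-Authenticate value returned with the 401 on GET /v2/ of your own registry.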
harbor: v1.1.2
We use Jenkins to build docker images and push images, and execute docker login URL on each publish. But sometimes docker push IMAGE returns 401 -- authentication or deny. It's a big problem for CI.
The reason for that is that some client uses a wrong username and password to log in to harbor -- some mistake; harbor refuses and locks the account for 1.5s each time.