Harbor: replication endpoint type docker-registry should support more authentication mechanism.

Created on 3 Jul 2019 · 13Comments · Source: goharbor/harbor

1.We have build a docker private registry, such as https://xxxxxx:5000,
and docker login docker-registry.miotech.com:5000 successfully
2.However when we add new Registry Endpoint and select Provider as docker-registry
3.When Endpoint URL set as https://xxxxxx:5000 and input Access ID and Access Secret, it meet error: registry https://xxxxxx:5000 is unhealthy: unhealthy

We check the log of our private registry, it say:level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential"
5..When Endpoint URL set as xxxxxx:5000 and input Access ID and Access Secret, it also meet error: registry https://xxxxxx:5000 is unhealthy: unhealthy
And check the log of our private registry again, it say:http: TLS handshake error from tls: first record does not look like a TLS handshake

arereplication enhancement kinrequirement

Source

bonniechen1119

👍1

Most helpful comment

Reading the reading notes is very frustrating to be honest: https://github.com/goharbor/harbor/releases/tag/v1.10.0 .
It states: "Replication enhancements: Adds Gitlab, Quay.io and Jfrog Artifactory to the list of supported replication targets"
And we still can't have basic auth mechanisms which are probably used by tons and tons of users...

mumrau on 13 Dec 2019

👍8

All 13 comments

Harbor version is 1.8

bonniechen1119 on 3 Jul 2019

What is the auth provider for your docker registry? https://github.com/docker/distribution/blob/master/docs/configuration.md#auth

ywk253100 on 5 Jul 2019

What is the auth provider for your docker registry? https://github.com/docker/distribution/blob/master/docs/configuration.md#auth

We use htpasswd

bonniechen1119 on 8 Jul 2019

same issue with htpasswd auth mode set, seems currently harbor only support token auth mode when replication

willmao on 8 Aug 2019

same issue with htpasswd auth mode set, seems currently harbor only support token auth mode when replication

Yeah, it not support now. We will support others auth mode in the future.

kofj on 9 Aug 2019

What is the ETA of such mechanism, from my understanding it doesn't look that complex, and I believe it could be quite disturbing to new users that just want to pull their entire "old" registry which probably uses htpasswd mechanism (which was (is?) the de-facto docker registry self-hosted auth mechanism).

mumrau on 3 Oct 2019

👍3

Bump for getting this added ASAP. This is a huge roadblock as stated by mumrau.

joekohut on 15 Nov 2019

I am also facing similar kind of issue but there is one difference in my docker registry configuration.
I am using Nginx as a basic auth provider and htpasswd to generate the password for my Nginx configuration

If the Access ID and Access Secret field is empty the test passed, but if put the credentials it Failed the ping test

core log>

2019/12/12 16:25:04 [D] [server.go:2774] |   106.51.23.31| 400 |  34.576819ms|   match| POST     /api/registries/ping   r:/api/registries/ping
2019-12-12T16:25:05Z [DEBUG] [/core/filter/security.go:229]: OIDC CLI modifier only handles request by docker CLI or helm CLI
2019-12-12T16:25:05Z [DEBUG] [/core/filter/security.go:444]: can not get user information from session
2019-12-12T16:25:05Z [DEBUG] [/core/filter/security.go:499]: user information is nil
2019-12-12T16:25:05Z [DEBUG] [/core/filter/security.go:499]: user information is nil
2019-12-12T16:25:05Z [DEBUG] [/core/filter/security.go:513]: using local database project manager
2019-12-12T16:25:05Z [DEBUG] [/core/filter/security.go:515]: creating local database security context...

inyee786 on 12 Dec 2019

mumrau on 13 Dec 2019

👍8

I do concur that supporting for BA would allow our org to shadow our older registries using Harbor until such time we can decommission them. We could be all-in on Harbor with this enhancement. Worthy of consideration as supporting BA would probably grow the Harbor user base significantly.

joekohut on 13 Dec 2019

👍3

Does pull request 10612 and version 1.10.1 of Harbor fix this problem (basic authentication of docker regsitry) ?

fredgate on 1 Apr 2020

It doesn't seem. I still have this error with Harbor 1.10.1 :

Apr  1 10:08:18 192.168.99.99 core[2411]: 2020/04/01 10:08:18.786 #033[1;44m[D]#033[0m [server.go:2774]  |      127.0.0.1|#033[97;42m 200 #033[0m|    653.955µs|   match|#033[97;44m GET     #033[0m /api/ping   r:/api/ping
Apr  1 10:08:20 192.168.99.99 core[2411]: 2020-04-01T10:08:20Z [WARNING] [/common/utils/registry/auth/tokenauthorizer.go:266]: Schemas [{basic map[realm:Registry Realm]}] are unsupported
Apr  1 10:08:20 192.168.99.99 core[2411]: 2020-04-01T10:08:20Z [WARNING] [/common/utils/registry/auth/tokenauthorizer.go:315]: empty realm, skip
Apr  1 10:08:20 192.168.99.99 core[2411]: 2020-04-01T10:08:20Z [ERROR] [/replication/adapter/native/adapter.go:154]: failed to ping registry https://my-registry:5000: http error: code 401, message 
Apr  1 10:08:20 192.168.99.99 core[2411]: 2020-04-01T10:08:20Z [ERROR] [/common/api/base.go:73]: POST /api/registries/ping failed with error: {"code":400,"message":""}
Apr  1 10:08:20 192.168.99.99 core[2411]: 2020/04/01 10:08:20.265 #033[1;44m[D]#033[0m [server.go:2774]  |     10.99.99.99|#033[97;43m 400 #033[0m|  53.557933ms|   match|#033[97;46m POST    #033[0m /api/registries/ping   r:/api/registries/ping

fredgate on 1 Apr 2020

👍3 😕1

Maybe it's an idea to at least document this on this page?
https://goharbor.io/docs/2.1.0/administration/configuring-replication/create-replication-endpoints/

And also the error could be a lot clearer. From the logs I can google the error and get to this issue, but it would be nice if the interface would show an error like "Basic authentication for docker registry not supported, only token authentication is supported at this time.".