This repository has been archived by the owner on Jan 18, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
reference.yml
190 lines (180 loc) · 8.61 KB
/
reference.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
# This config lists all the possible config options.
#
# To configure Docker Registry to talk to this server, put the following in the registry config file:
#
# auth:
# token:
# realm: "https://127.0.0.1:5001/auth"
# service: "Docker registry"
# issuer: "Acme auth server"
# rootcertbundle: "/path/to/server.pem"
server: # Server settings.
# Address to listen on.
addr: ":5001"
# TLS certificate and key.
certificate: "/path/to/server.pem"
key: "/path/to/server.key"
# Take client's address from the specified HTTP header instead of connection.
# May be useful if the server is behind a proxy or load balancer.
# If configured, this header must be present, requests without it will be rejected.
# real_ip_header: "X-Forwarded-For"
token: # Settings for the tokens.
issuer: "Acme auth server" # Must match issuer in the Registry config.
expiration: 900
# It is possible configure a different certificate for tokens.
# If not specified, server certificate is used.
# certificate: "..."
# key: "..."
# Authentication methods. All are tried, any one returning success is sufficient.
# At least one must be configured. If you want an unauthenticated public setup,
# configure static user map with anonymous access.
# Static user map.
users:
# Password is specified as a BCrypt hash. Use htpasswd -B to generate.
"admin":
password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
"test":
password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123
"": {} # Allow anonymous (no "docker login") access.
# Google authentication.
# ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK.
# Instead, Auth server maintains a database of Google authentication tokens.
# Go to the server's port with you browser and follow the "Login with Google account" link.
# Once signed in, you will get a throw-away password which you can use for Docker login.
google_auth:
domain: "example.com" # Optional. If set, only logins fromt his domain are accepted.
# client_id and client_secret for API access. Required.
# Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project
# NB: Make sure JavaScript origins are configured correcly.
client_id: "1223123456-somethingsomething.apps.googleusercontent.com"
# Either client_secret or client_secret_file is required. Use client_secret_file if you don't
# want to have sensitive information checked in.
# client_secret: "verysecret"
client_secret_file: "/path/to/client_secret.txt"
# Where to store server tokens. Required.
token_db: "/somewhere/to/put/google_tokens.ldb"
# How long to wait when talking to Google servers. Optional.
http_timeout: 10
# LDAP authentication.
# Authentication is performed by first binding to the server, looking up the user entry
# by using the specified filter, and then re-binding using the matched DN and the password provided.
ldap_auth:
# Addr is the hostname:port or ip:port
addr: ldap.example.com:636
# Setup tls connection method to be
# "" or "none": the communication won't be encrypted
# "always": setup LDAP over SSL/TLS
# "starttls": sets StartTLS as the encryption method
tls: always
# set to true to allow insecure tls
insecure_tls_skip_verify: false
# In case bind DN and password is required for querying user information,
# specify them here. Plain text password is read from the file.
bind_dn:
bind_password_file:
# User query settings. ${account} is expanded from auth request
base: o=example.com
filter: (&(uid=${account})(objectClass=person))
mongo_auth:
# Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
dial_info:
# The MongoDB hostnames or IPs to connect to.
addrs: ["localhost"]
# The time to wait for a server to respond when first connecting and on
# follow up operations in the session. If timeout is zero, the call may
# block forever waiting for a connection to be established.
# (See https://golang.org/pkg/time/#ParseDuration for a format description.)
timeout: "10s"
# Database name that will be used on the MongoDB server.
database: "docker_auth"
# The username with which to connect to the MongoDB server.
username: ""
# Path to the text file with the password in it.
password_file: ""
# Name of the collection in which ACLs will be stored in MongoDB.
collection: "users"
# Unlike acl_mongo we don't cache the full user set. We just query mongo for
# an exact match for each authorization
# Authorization methods. All are tried, any one returning success is sufficient.
# At least one must be configured.
# ACL specifies who can do what. If the match section of an entry matches the
# request, the set of allowed actions will be applied to the token request
# and a ticket will be issued only for those of the requested actions that are
# allowed by the rule.
# * It is possible to match on user's name ("account"), subject type ("type")
# and name ("name"; for type=repository this is the image name).
# * Matches are evaluated as shell file name patterns ("globs") by default,
# so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility
# match patterns can be evaluated as regexes by enclosing them in //, e.g.
# "/(foo|bar)/".
# * IP match can be single IP address or a subnet in the "prefix/mask" notation.
# * ACL is evaluated in the order it is defined until a match is found.
# Rules below the first match are not evaluated, so you'll need to put more
# specific rules above more broad ones.
# * Empty match clause matches anything, it only makes sense at the end of the
# list and can be used as a way of specifying default permissions.
# * Empty actions set means "deny everything". Thus, a rule with `actions: []`
# is in effect a "deny" rule.
# * A special set consisting of a single "*" action means "allow everything".
# * If no match is found the default is to deny the request.
#
# You can use the following variables from the ticket request in any field:
# * ${account} - the account name, currently the same as authenticated user's name.
# * ${service} - the service name, specified by auth.token.service in the registry config.
# * ${type} - the type of the entity, normally "repository".
# * ${name} - the name of the repository (i.e. image), e.g. centos.
acl:
- match: {ip: "127.0.0.0/8"}
actions: ["*"]
comment: "Allow everything from localhost (IPv4)"
- match: {ip: "::1"}
actions: ["*"]
comment: "Allow everything from localhost (IPv6)"
- match: {ip: "172.17.0.1"}
actions: ["*"]
comment: "Allow everything from the local Docker bridge address"
- match: {account: "admin"}
actions: ["*"]
comment: "Admin has full access to everything."
- match: {account: "test", name: "test-*"}
actions: ["*"]
comment: "User \"test\" has full access to test-* images but nothing else. (1)"
- match: {account: "test"}
actions: []
comment: "User \"test\" has full access to test-* images but nothing else. (2)"
- match: {account: "/.+/", name: "${account}/*"}
actions: ["*"]
comment: "Logged in users have full access to images that are in their 'namespace'"
- match: {account: "/.+/", type: "registry", name: "catalog"}
actions: ["*"]
comment: "Logged in users can query the catalog."
- match: {account: "/.+/"}
actions: ["pull"]
comment: "Logged in users can pull all images."
- match: {account: "", name: "hello-world"}
actions: ["pull"]
comment: "Anonymous users can pull \"hello-world\"."
# Access is denied by default.
# (optional) Define to query ACL from a MongoDB server.
acl_mongo:
# Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
dial_info:
# The MongoDB hostnames or IPs to connect to.
addrs: ["localhost"]
# The time to wait for a server to respond when first connecting and on
# follow up operations in the session. If timeout is zero, the call may
# block forever waiting for a connection to be established.
# (See https://golang.org/pkg/time/#ParseDuration for a format description.)
timeout: "10s"
# Database name that will be used on the MongoDB server.
database: "docker_auth"
# The username with which to connect to the MongoDB server.
username: ""
# Path to the text file with the password in it.
password_file: ""
# Name of the collection in which ACLs will be stored in MongoDB.
collection: "acl"
# Specify how long an ACL remains valid before they will be fetched again from
# the MongoDB server.
# (See https://golang.org/pkg/time/#ParseDuration for a format description.)
cache_ttl: "1m"