Azure Container Registry token works for push but not pull #2784
Comments
|
Hi @maxwolffe, Thanks for the detailed info and analysis. It really helped us rule out certain possibilities and narrow down the scope. It took us some time to analyze and consider all the possibilities and do some experiments.
This has not been a problem. As you can see below, as long as you provide a working username and password pair, ACR accepts basic auth anyway: The log above was when using "access keys."
However, I noticed that you were using "tokens" (in preview). (Thanks for the screenshot!) And I was able to reproduce this issue when using a token.
I think this failure is an oversight on the Azure side, unless it's intentional. I guess they can fix this to work, especially given that the same flow has been working for other forms of credentials and that tokens are in a preview state. Of course, from our side, we could change the current Jib auth flow for the base image so that it starts bearer auth when it's obviously requested. This is actually what we considered before (#2134). However, as mentioned in #2134 (comment), we were very cautious in making any changes to the current auth flow, which has been working for all sorts of registries in the wild without issues (until now). If Azure can't fix this or says this is really intentional, we'll definitely make it work on our side. But I'm thinking perhaps this is something Azure has missed accidentally and can fix easily. As a workaround, there are other ways to authenticate and provide different forms of credentials to Jib. For example, doing |
|
I confirm that modifying Jib to do bearer auth instead of always trying basic auth first resolves the issue. Mulling over this, I think it's a pretty safe change and optimization to start bearer auth when the server requested it early. |
|
Awesome, thanks for looking into it so quickly @chanseokoh.
So, I'm writing up an issue to report to Azure on https://github.com/Azure/acr - Is it a fair description of the issue to say that ACR is not accepting token credentials via basic auth? Or is there also something strange around the headers that are being returned back? (That it switches the requested authentication from Bearer to Basic?) In the mean time using the access token is an option for us (though I think long term it's not ideal because it have very coarse grained access), thanks for proposing alternatives. :) |
Seems fine. I cannot say they must accept it, but it seems reasonable to do so given that
This issue will be resolved if they either
Apart from the ACR behavior, now I do think it makes sense to change Jib's auth flow as well. |
|
The same issue appears with github Container Registry ghcr.io since jib Maven-Plugin 2.0.0 |
|
@carstenrathmann 2.0.0 is pretty old. Given the changes we made into 2.0.0, I think your issue is a different one. Could you post a detailed debug HTTP log as in #2784 (comment) following these FAQ instructions? |
|
@chanseokoh I also tried with 2.5.2 - same issue. Here is the logfile with jib 2.5.2: |
|
@carstenrathmann it's a different issue, and I'd say in some part the issue is on the GitHub Container Registry.
However, when a client sends some credentials (can be an arbitrary garbage string) as part of the request, it returns The good news is that, with the optimized auth flow proposed in #2789, I confirmed it resolves your issue, as #2789 won't get through this failing execution path. I see that |
|
I too get a 401 for pulling an image, but in my case from ECR. It seems I'm using what the FAQs call "multi-level repository name", not sure if that's related. (The FAQ only say it's a problem with Docker Hub) Here are the relevant logs - let me know if you want me to curl something with my credentials etc. |
|
@EugenDueck 2.6.0 is released with the better auth flow. Could you try it and report back to us? |
|
@EugenDueck and just in case, I believe ECR only supports the following forms as an image reference (when not considering tags or digests):
Ref: |
|
@maxwolffe @carstenrathmann could you try Azure and GitHub container registries with 2.6.0? |
|
@chanseokoh Thanks for pushing 2.6.0.
I think 2. is what I am using, plus a tag: Unfortunately, the error is unchanged with v2.6.0: Btw I have even tried to move username/password into the pom, to have the least possibility of a problem due to indirection via cred helpers, env vars etc. To wit: <from>
<image>123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/def:base</image>
<auth>
<username>dontask</username>
<password>wonttell</password>
</auth>
</from> |
@chanseokoh - Thanks for making the change! Just validated that jib 2.6.0 is working for my use-case with ACR tokens, my original bug report is resolved. |
@chanseokoh 2.6.0 also works with GitHub Container registry. Thank you! |
|
@EugenDueck I've opened #2812. Please follow up there. @maxwolffe @carstenrathmann thanks for confirming! |
Firstly, thanks for the amazing tool!
Environment:
Description of the issue:
In short: Jib is able to authenticate to the Azure Container Registry for pushing, but not for pulling, despite using the same token credentials which have both push and pull rights. Perhaps related to ignoring provided "WWW-Authenticate: Bearer... " header in the pull authentication flow.
In long:
I'm running an AzureDevOps Pipelines build agent which is pulling a custom base image from Azure Container Registry, building an image, and pushing to the same registry. I'm supplying credentials to jib using the
<to/from><auth>command lines, like so:When I do so, I encounter the following error:
The to/from username and password are the same and are using a token which is configured to have both push and pull rights to all of my repositories (_repositories_admin has this property):
I've confirmed that logging into docker directly using these credentials on the same build agent allows me to pull the base image, so the credentials should have pull access.
I enabled debugging per the FAQ instructions and took a look at the logs, included in the logging section below. What stood out to me (I'm no expert on authn/authz), was that the push target image authentication appears to succeed while the pull base image authentication fails.
For the push image authn:
.../azurecr.io/v2-> get a 401 back with "WWW-Auth: Bearer with link"For the pull image authn:
.../azurecr.io/v2-> get a 401 back with "WWW-Authenticate: Basic"[ERROR] The registry asked for basic authentication, but the registry had refused basic authentication previouslyWhat stood out to me here is that for the pull image flow, we appear to be ignoring the original bearer link and then Azure starts suggesting basic auth instead of bearer link thereafter.
Expected behavior:
Jib uses the supplied credentials to pull from the container registry, build the image, and push to the same registry.
jib-maven-pluginConfiguration:Log output:
I've find-replaced what appear to be tokens in this log output, this is generated using the following logging.properties file:
Using the command:
I've only included the authentication logging below, happy to pull further logs.
debug log (click to expand)
Additional Information:
I've read the FAQ and tried using a credHelper, the credentials are found, but encounter the same issue.
Happy to provide more information to help debug this, apologies in advance if this is simply user error 😬
The text was updated successfully, but these errors were encountered: