How to Perform Anonymous Pulls, but Require Authentication for Pushing to a Docker Repository
2023-01-22 11:08
By default, the permissions for ananonymous userareRead & Deploy/Cachefor any remote repository andReadfor any repository type:
This configuration can be altered via the Artifactory UI orREST API. For example, as regards the former, to perform anonymous pulls, you’ll need to enableallow anonymous accessvia the UI underSecurity > Settings, as follows:
Thereafter, you will be able to pull images anonymously, as is demonstrated in the following example:
& docker pull
Then, you will see something similar in yourrequest.log:
29c707c617220f15|52.16.203.109|anonymous|GET|/api/docker/docker/v2/nginx/manifests/latest|200
43840d78ad848b81|52.16.203.109|anonymous|GET|/api/docker/docker/v2/nginx/manifests/sha256:0efad4d09a419dc6d574c3c3baacb804a530acd61d5eba72cb1f14e1f5ac0c8f|200
For versionsprior to Artifactory 4.7.0, an anonymous pull with an authenticated push can be accomplished by using avirtual Docker repositorytogether with alocal Docker repository. The latter should be configured withForce Authentication, as follows:
The former should be created with theForce Authenticationbox unchecked and include thelocal repository.
While this will allowanonymous pullsfrom thevirtual repository, pushes will not be allowed at all.Pushingcan only be accomplished by pushing to thelocal repository, which does require authentication. Accordingly, although pulls and pushes will go to different places, this will not consume any additional space on either the Artifactory server or the clients that are pulling and pushing.
Here’s a push example:
docker login docker-artifactory:8443
docker push docker-artifactory:8443/nginx
Here’s a pull example:
docker pull docker-artifactory:8444/nginx
