Docker registry (distribution) token authentication setup

Time: 2016-07-24 20:09:30

Tags: docker docker-registry

I am having problems setting up token authentication with the Docker registry (distribution).

openssl ecparam -genkey -name prime256v1 -noout -out auth.key

The generated key (so this can be reproduced):

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGCvEkodk5s6cKFvOwybUxRWp1XOw4a6r/AVWnQwr+DDoAoGCCqGSM49
AwEHoUQDQgAE3qYoQnX4Bd3dIRGcYZQhyg9W1n5x/i51FdpcdFxFDaO1gEgNwnru
P1hYG5ditEusCMKwYA0iChYHQetOyEAV7A==
-----END EC PRIVATE KEY-----

Then I generate the certificate:

openssl req -new -x509 -subj "/CN=localhost" -key auth.key -out auth.cert -days 360

The public key:

openssl ec -in auth.key -pubout -outform DER -out auth.pub.der

and the "kid" field, as described in the documentation:

cat auth.pub.der | sha256sum | cut -c -30 | xargs echo -n | base32
=>HA3GCZRUMRSWCZTGGJRDINBYGU4DQNJTGE4WIYRSMVQWEODG

Then I start a Docker registry from docker-compose:

version: '2'

services:
  registry:
    image: registry:2
    container_name: jwt-registry
    ports:
      - 5000:5000
    environment:
      REGISTRY_LOG_LEVEL: debug
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
      REGISTRY_AUTH: token
      REGISTRY_AUTH_TOKEN_REALM: http://localhost:8080/jwt/token
      REGISTRY_AUTH_TOKEN_SERVICE: "localhost"
      REGISTRY_AUTH_TOKEN_ISSUER: "localhost"
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/auth.cert
    volumes:
      - ./registry:/var/lib/registry
      - ./certs:/certs

Then I try to log in with the docker login command:

docker login -u "email@example.com" -p test http://127.0.0.1:5000

The response returned from the auth server:

HTTP/1.1 200 OK
Server: ""
Content-Type: text/plain
Date: Sun, 24 Jul 2016 19:59:38 GMT
Content-Length: 493

{"token":"eyJraWQiOiJIQTNHOkNaUlU6TVJTVzpDWlRHOkdKUkQ6SU5CWTpHVTREOlFOSlQ6R0U0VzpJWVJTOk1WUVc6RU9ERyIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJpc3MiOiJsb2NhbGhvc3QiLCJzdWIiOiJkb2NrZXIiLCJhdWQiOiJsb2NhbGhvc3QiLCJleHAiOjE0NjkzOTM5NTIsImlhdCI6MTQ2OTM5MDM1MiwianRpIjoidnRqdjRwMzFkYjZncXBiMm05Y3NwczhjcXEiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6InRlc3QvdGVzdCIsImFjdGlvbnMiOlsicHVsbCIsInB1c2giXX1dfQ.a3b6alE8M9L2rvfJtgOMx5GpJy7vUrHz1gaUU3lGl7bzt4scuVODyoes-f02lst-CasPupL84-ltSw6QzHN1yA"}

It has this header inside:

{"kid":"HA3G:CZRU:MRSW:CZTG:GJRD:INBY:GU4D:QNJT:GE4W:IYRS:MVQW:EODG","typ":"JWT","alg":"ES256"}

and this payload inside:

{"iss":"localhost","sub":"docker","aud":"localhost","exp":1469393952,"iat":1469390352,"jti":"vtjv4p31db6gqpb2m9csps8cqq","access":[{"type":"repository","name":"test/test","actions":["pull","push"]}]}

I sign it with the nimbus-jose-jwt library:

import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.ECDSASigner;

// header is the JWSHeader (alg ES256, kid) and payload the Payload shown above; privateKey is the ECPrivateKey loaded from auth.key
JWSObject jwsObject = new JWSObject(header, payload);
jwsObject.sign(new ECDSASigner(privateKey));
String compactJWS = jwsObject.serialize();

I get "401 Unauthorized" from the repository and this error in the Docker registry log:

token signed by untrusted key with ID: \"HA3G:CZRU:MRSW:CZTG:GJRD:INBY:GU4D:QNJT:GE4W:IYRS:MVQW:EODG\"

Full log:

time="2016-07-24T19:45:29.406060112Z" level=debug msg="authorizing request" go.version=go1.6.2 http.request.host="127.0.0.1:5000" http.request.id=482bdbac-395e-447e-aa47-28e2a4226879 http.request.method=GET http.request.remoteaddr="172.18.0.1:58344" http.request.uri="/v2/" http.request.useragent="docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/4.4.0-31-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))" instance.id=1b060844-3264-45f2-83fb-83c91c3cb5c1 service=registry version=v2.4.1 
time="2016-07-24T19:45:29.406234284Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.6.2 http.request.host="127.0.0.1:5000" http.request.id=482bdbac-395e-447e-aa47-28e2a4226879 http.request.method=GET http.request.remoteaddr="172.18.0.1:58344" http.request.uri="/v2/" http.request.useragent="docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/4.4.0-31-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))" instance.id=1b060844-3264-45f2-83fb-83c91c3cb5c1 service=registry version=v2.4.1 
172.18.0.1 - - [24/Jul/2016:19:45:29 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/4.4.0-31-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))"
time="2016-07-24T19:45:31.257993258Z" level=debug msg="authorizing request" go.version=go1.6.2 http.request.host="127.0.0.1:5000" http.request.id=3fe3dfd0-47de-48ae-b443-15d1896dd902 http.request.method=GET http.request.remoteaddr="172.18.0.1:58352" http.request.uri="/v2/" http.request.useragent="docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/4.4.0-31-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))" instance.id=1b060844-3264-45f2-83fb-83c91c3cb5c1 service=registry version=v2.4.1 
time="2016-07-24T19:45:31.2582134Z" level=error msg="token signed by untrusted key with ID: \"HA3G:CZRU:MRSW:CZTG:GJRD:INBY:GU4D:QNJT:GE4W:IYRS:MVQW:EODG\"" 
time="2016-07-24T19:45:31.258328324Z" level=warning msg="error authorizing context: invalid token" go.version=go1.6.2 http.request.host="127.0.0.1:5000" http.request.id=3fe3dfd0-47de-48ae-b443-15d1896dd902 http.request.method=GET http.request.remoteaddr="172.18.0.1:58352" http.request.uri="/v2/" http.request.useragent="docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/4.4.0-31-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))" instance.id=1b060844-3264-45f2-83fb-83c91c3cb5c1 service=registry version=v2.4.1 
172.18.0.1 - - [24/Jul/2016:19:45:31 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/4.4.0-31-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))"

Do you know what I am doing wrong? Maybe the library signs it differently from what the registry expects. Do you know how to sign the header and payload from the command line to verify?
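Added example (not part of the original question or of the registry's code): the registry resolves the `kid` header against the IDs it derives from the public keys in `REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE`, and an unknown ID is exactly what produces "token signed by untrusted key with ID". The documented ID is the base32 encoding of the first 240 bits (30 bytes) of SHA-256 over the DER-encoded SubjectPublicKeyInfo, split into twelve 4-character groups joined by ":". The shell pipeline shown above instead base32-encodes the first 30 hex characters of `sha256sum`'s text output, which is a different byte string. The script below uses only the Python standard library: it parses the SEC1 private key printed in the question, rebuilds the 91-byte SPKI DER that `openssl ec -pubout -outform DER` writes for a prime256v1 key (the fixed prefix plus the uncompressed point), and derives both the documented ID and the hex-text variant so the two can be compared. `PAGE_KID` is the value from the question and is used only for that comparison.

```python
import base64
import hashlib
import re

# EC private key copied from the question (SEC1 ECPrivateKey, curve prime256v1).
AUTH_KEY_PEM = """-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGCvEkodk5s6cKFvOwybUxRWp1XOw4a6r/AVWnQwr+DDoAoGCCqGSM49
AwEHoUQDQgAE3qYoQnX4Bd3dIRGcYZQhyg9W1n5x/i51FdpcdFxFDaO1gEgNwnru
P1hYG5ditEusCMKwYA0iChYHQetOyEAV7A==
-----END EC PRIVATE KEY-----"""

# kid produced by the question's shell pipeline, kept here for comparison only.
PAGE_KID = "HA3G:CZRU:MRSW:CZTG:GJRD:INBY:GU4D:QNJT:GE4W:IYRS:MVQW:EODG"

# DER prefix of a SubjectPublicKeyInfo for an uncompressed P-256 point:
# SEQUENCE(89) { SEQUENCE(19) { OID id-ecPublicKey, OID prime256v1 }, BIT STRING(66) 0 unused bits ... }
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)

# Documented kid shape: 12 groups of 4 base32 characters separated by ":".
KID_RE = re.compile(r"^([A-Z2-7]{4}:){11}[A-Z2-7]{4}$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Minimal DER reader: returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sec1_public_point(der: bytes) -> bytes:
    """Extract the uncompressed public point (04||X||Y) from a SEC1 ECPrivateKey.

    ECPrivateKey ::= SEQUENCE { version INTEGER, privateKey OCTET STRING,
                                parameters [0] EXPLICIT, publicKey [1] EXPLICIT BIT STRING }
    """
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA1:  # [1] publicKey
            t, bits, _ = read_tlv(val, 0)
            if t != 0x03 or bits[0] != 0:
                raise ValueError("unexpected publicKey encoding")
            point = bits[1:]
            if len(point) != 65 or point[0] != 0x04:
                raise ValueError("expected an uncompressed P-256 point")
            return point
    raise ValueError("no publicKey in ECPrivateKey")


def spki_der(point: bytes) -> bytes:
    """Same bytes `openssl ec -pubout -outform DER` emits for this key."""
    return P256_SPKI_PREFIX + point


def b32_groups(raw: bytes) -> str:
    """base32 (RFC 4648, upper case) split into groups of 4 joined by ':'."""
    s = base64.b32encode(raw).decode("ascii")
    return ":".join(s[i:i + 4] for i in range(0, len(s), 4))


def libtrust_kid(spki: bytes) -> str:
    """Documented derivation: first 240 bits of SHA-256 over the DER SPKI, base32, grouped."""
    digest = hashlib.sha256(spki).digest()
    return b32_groups(digest[:30])


def hex_text_kid(spki: bytes) -> str:
    """What `sha256sum | cut -c -30 | base32` does: encodes 30 hex *characters*, not 30 bytes."""
    hexdigest = hashlib.sha256(spki).hexdigest()
    return b32_groups(hexdigest[:30].encode("ascii"))


def kid_for_pem(pem: str) -> str:
    """Documented kid for a SEC1 PEM private key (what the registry expects in the JWT header)."""
    return libtrust_kid(spki_der(sec1_public_point(pem_to_der(pem))))


if __name__ == "__main__":
    spki = spki_der(sec1_public_point(pem_to_der(AUTH_KEY_PEM)))
    print("sha256(auth.pub.der):", hashlib.sha256(spki).hexdigest())
    print("documented kid      :", libtrust_kid(spki))
    print("hex-text kid        :", hex_text_kid(spki))
    print("hex-text kid equals the value in the question:", hex_text_kid(spki) == PAGE_KID)
```

The registry computes the documented form from the certificate in the bundle, so the header's `kid` has to be `libtrust_kid(...)`; any other string, however it was produced, is looked up as an unknown key and rejected before the signature is even checked. The same derivation applies to RSA keys, only the SPKI bytes differ, so hashing the output of `openssl ... -pubout -outform DER` directly (rather than its hex representation) is the general rule.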

0 answers:

No answers