JFrog Artifactory在其Docker注册表中使用哪个令牌终结点? [英] What token endpoint does JFrog Artifactory use for its Docker registries?
问题描述
我正在尝试编写实质上可以对发布到私有JFrog Artifactory上的图像执行docker inspect的代码,而不必实际拉出图像本身.我一直在使用名为
I'm trying to write code that can essentially do a docker inspect on images published to a private JFrog Artifactory, without having to actually pull the images themselves. I've been using a guide called Inspecting Docker images without pull for a breakdown of the API calls. The guide uses the public Docker Hub registry as its base - not Artifactory - which is a little different.
基本上,需要进行3个API调用:
Basically, there are 3 API calls that need to be made:
- 首先获得令牌
- 然后获取给定图像/标签的摘要"
- 最后获取与该摘要对应的配置
我已将Artifactory配置为允许匿名读取访问.因此,知道URL的任何人都可以执行docker pull而不需要提供凭据,并且它可以工作.我已经证实了这一点.
I have Artifactory configured to allow anonymous read access. So anyone who knows the URL can do a docker pull without needing to provide credentials, and it works. I have verified this.
因为它允许匿名访问,所以我首先假设也许可以跳过API调用#1(获取令牌),而直接进行API调用#2(查找摘要),而无需提供令牌.然而,这种情况并非如此.在这种情况下,Artifactory返回一个未经授权的错误.
Because it allows anonymous access, I first assumed that perhaps I could skip API call #1 (getting a token) and proceed directly to API call #2 (looking up the digest) without providing a token. However this is not the case. Artifactory returns an UNAUTHORIZED error in that case.
接下来我想,好吧,我将击中令牌终结点.但是,我将其改为auth.docker.io而不是Artifactory服务器的子域,然后将其发布到/token端点.那没用.然后我发掘了这部分官方ContainerD代码实际上有一个专门针对内置JFrog Artifactory的条件案例.
Next I thought, okay, fine, I'll just hit the token endpoint. But instead of auth.docker.io I'll change it to the subdomain of my Artifactory server, and POST to the /token endpoint there. That didn't work. Then I unearthed this portion of the official ContainerD code which actually has a conditional case specifically tailored to JFrog Artifactory built in.
当您尝试POST到/token终结点时,Artifactory似乎返回401(未授权),而且Docker客户端意识到了这一点,因此转而尝试GET请求.但是,这对我来说有点模糊.我不是Golang程序员,所以我在理解Docker CLI Go代码中发生的事情时遇到了一些困难.
It looks like Artifactory returns a 401 (Unauthorized) when you try to POST to the /token endpoint, and that moreover the Docker client is aware of this so falls back to trying a GET request. But here's where it gets a little fuzzy for me. I'm not a Golang programmer so I'm having some difficulty understanding what's going on in the Docker CLI Go code here.
我认为这只是将POST更改为GET,但使用相同的URL(即/v2/token).但是,这不起作用.当我尝试到达该端点时,仍会收到未经授权的回复.再往下看, ContainerD代码,看起来可能是使用用户名和密码设置了基本身份验证.但是我不确定这些值是什么,因为这是通过匿名访问完成的.显然,由于成功运行docker pull,因此它在我的Artifactory服务器上达到了 some 令牌终结点.我只是想知道后备API调用的真正外观是什么?以及需要将哪些参数/标题/身份验证传递给它?
I assumed it was simply changing the POST to a GET, but otherwise using the same URL (i.e. /v2/token). However, this doesn't work. When I try to hit that endpoint I still get an UNAUTHORIZED response. Looking further down that ContainerD code, it looks like it might be setting basic auth using a username and a secret. But I'm not sure what those values would be, since this is being done with anonymous access. Clearly it's hitting some token endpoint on my Artifactory server, since running docker pull is successful. I'm just wondering what the fallback API call really looks like? And what parameters/headers/auth need to be passed into it?
推荐答案
Artifactory允许您通过其Web界面手动创建API密钥(单击进入用户个人资料),然后可以使用该密钥代替密码子序列API调用.密钥可以持续到刷新为止.
Artifactory allows you to create an API key manually through their web interface (click into your user profile), and then you can use this key in place of password for subsequence API calls. The key can last till you refresh it.
对于程序化令牌管理,Artifactory的令牌api与docker.io的终结点不同,请参见
For programmatic token management, Artifactory's token api does not have the same endpoint as docker.io, see their documentation here.
这篇关于JFrog Artifactory在其Docker注册表中使用哪个令牌终结点?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
