Nexus 3.6 - possible to allow pushing docker images anonymously?


Danny Kulchinsky

Oct 30, 2017, 9:14:52 AM
to Nexus Users
Hello,

Is there any option to allow `docker push` to a hosted docker repo to work anonymously?


Regards,
Danny

Peter Lynch

Nov 2, 2017, 1:40:54 PM
to Danny Kulchinsky, Nexus Users
On Mon, Oct 30, 2017 at 10:14 AM, Danny Kulchinsky <dann...@gmail.com> wrote:
Hello,

Is there any option to allow `docker push` to a hosted docker repo to work anonymously?


No. All requests we have received so far for anonymous docker access have been for anonymous pulls - and we have implemented that already.


What is your use case for allowing anonymous pushes? In general allowing anonymous pushes for any repository format seems like a bad practice at best, but we would entertain hearing your idea.




--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users+unsubscribe@glists.sonatype.com.
To post to this group, send email to nexus...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/29d22f85-5ec4-4097-9a7a-ab80c85dd3a2%40glists.sonatype.com.
For more options, visit https://groups.google.com/a/glists.sonatype.com/d/optout.

Joseph Stephens

Nov 2, 2017, 6:45:36 PM
to Peter Lynch, Danny Kulchinsky, Nexus Users
Hi Danny,

I was able to get this working for my repository "docker-hosted" by doing the following:
  1. Create a new role (I've called this docker-write).
  2. Add the nx-repository-view-docker-{repo name}-edit privilege (e.g. nx-repository-view-docker-docker-hosted-edit).
  3. Add the nx-repository-view-docker-{repo name}-add privilege (e.g. nx-repository-view-docker-docker-hosted-add).
  4. Add the new role to the anonymous user.
The above steps assume that you have already enabled anonymous pull access.

Thanks,

Joe




--
Joseph Stephens
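
An audit check for the configuration described in the steps above, as an added example that is not part of the original post or of Nexus itself: it resolves a user's roles (including nested roles) and reports every privilege that permits modifying a docker repository. The function names and the sample role and user records are hypothetical and constructed for illustration; only the `nx-repository-view-docker-{repo name}-{action}` naming comes from the thread.

```python
import re

# Privilege names follow nx-repository-view-<format>-<repo>-<action>; "*" is a wildcard segment.
PRIV_RE = re.compile(r"^nx-repository-view-(?P<fmt>[^-]+)-(?P<repo>.+)-(?P<action>[a-z]+|\*)$")
WRITE_ACTIONS = {"add", "edit", "delete", "*"}

def effective_privileges(role_ids, roles):
    """Collect the privileges of the given roles, following nested roles (cycle-safe)."""
    seen, privs, stack = set(), set(), list(role_ids)
    while stack:
        rid = stack.pop()
        if rid in seen or rid not in roles:
            continue
        seen.add(rid)
        privs.update(roles[rid].get("privileges", []))
        stack.extend(roles[rid].get("roles", []))
    return privs

def anonymous_docker_write(user, roles):
    """Return sorted (repo, action, privilege) tuples that let this user modify docker repos."""
    findings = []
    for priv in effective_privileges(user["roles"], roles):
        if priv == "nx-all":  # administrator-level privilege implies write everywhere
            findings.append(("*", "*", priv))
            continue
        m = PRIV_RE.match(priv)
        if m and m["fmt"] in ("docker", "*") and m["action"] in WRITE_ACTIONS:
            findings.append((m["repo"], m["action"], priv))
    return sorted(findings)

# Constructed sample: role records with "privileges" and nested "roles" lists (assumed shape).
ROLES = {
    "nx-anonymous": {"privileges": ["nx-repository-view-*-*-read",
                                    "nx-repository-view-*-*-browse"], "roles": []},
    "docker-write": {"privileges": ["nx-repository-view-docker-docker-hosted-edit",
                                    "nx-repository-view-docker-docker-hosted-add"], "roles": []},
}
ANONYMOUS = {"userId": "anonymous", "roles": ["nx-anonymous", "docker-write"]}

if __name__ == "__main__":
    for repo, action, priv in anonymous_docker_write(ANONYMOUS, ROLES):
        print(f"anonymous can {action} on docker repo {repo!r} via {priv}")
```
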

Michael Worthington

Nov 2, 2017, 7:15:41 PM
to Joseph Stephens, Peter Lynch, Danny Kulchinsky, Nexus Users
Still the question remains, why is this needed? Allowing anyone, without any identification, to upload anything, seems like a very bad idea.




Danny Kulchinsky

Nov 3, 2017, 11:03:05 AM
to Michael Worthington, Joseph Stephens, Peter Lynch, Nexus Users
Thanks to all for providing the answer and details!

The reason for asking this, like always, is due to historical reasons :)

Before migrating our Docker registry to Nexus, we used Docker's private registry software, which allows anonymous push and, as you may have guessed, is what we had. As a pre-req before migrating to Nexus we've done quite a bit of overhaul around our procedures and CI code to make sure authentication is used, but we keep hitting various corner cases where it was not fixed or it's somewhat complicated to fix...

I realize this is not the best practice approach, but we were looking to get our teams unstuck as this was holding back releases...

@Joe - Thanks for the workaround :)


So, here is our story... I realize that this approach is not ideal/best practice, but in the real world such situations as above are common, and I think flexibility in our tools is very important to be able to support the demand for high velocity in development processes today. So giving the option doesn't necessarily mean you have to endorse it; it may come with a warning, but still be there to solve an immediate problem and get the ball rolling again, especially as Joe has explained - it is possible!

Just my 2 cents ;)

Thanks for listening (i.e. reading)


Regards,
Danny


Michael Worthington

Nov 3, 2017, 11:18:20 AM
to Danny Kulchinsky, Joseph Stephens, Peter Lynch, Nexus Users
Definitely agree Danny. When leading organizational change, there is always some level of tech-debt to assess.

However, given the places I've worked at in the past, anything to do with authentication and authorization always makes me take a second look at what's going on.

p.s. Thanks for asking the question and providing the conversation! I learn something new every time I interact with one of our users.

Navid Ghahremani

Jul 3, 2020, 9:16:10 AM
to Nexus Users, dann...@gmail.com, jste...@sonatype.com, ply...@sonatype.com
Hi, it can be another reason too, for instance, in my company, we wanted to have a local registry for each developer who works with local k8s, so no need to authenticate for pushing your images to the local repo.


