Google Git
Sign in
apache/casbin-docker_auth/HEAD/./examples/reference.yml
blob: fa8bdc811ecb2dff6803f24baee3611dabff61b8 [file] [log] [blame]
# This config lists all the possible config options.
#
# To configure Docker Registry to talk to this server, put the following in the registry config file:
#
# auth:
# token:
# realm: "https://127.0.0.1:5001/auth"
# service: "Docker registry"
# issuer: "Acme auth server"
# autoredirect: false
# rootcertbundle: "/path/to/server.pem"
server: # Server settings.
# Address to listen on.
addr: ":5001"
# URL path prefix to use.
path_prefix: ""
# TLS options.
#
# Use specific certificate and key.
certificate: "/path/to/server.pem"
key: "/path/to/server.key"
#
# The following optional settings will fine tune TLS configuration to improve security.
# Leaving them unset should be just fine for most installations.
#
# Enable HTTP Strict Transport Security.
# hsts: true
#
# Set minimum TLS version.
# Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
# Either the version name (i.e. TLS11) or its uint16 value can be specified.
# tls_min_version: TLS12
#
# List of TLS curve preferences.
# Values can be found at https://golang.org/pkg/crypto/tls/#CurveID
# Either CurveID names (i.e. P384) or uint16 values can be specified.
# tls_curve_preferences:
# - P521
# - 24
# - P256
#
# List of enabled TLS cipher suites.
# Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
# Either CipherSuite names (i.e. TLS_RSA_WITH_RC4_128_SHA) or uint16 values can be specified.
# tls_cipher_suites:
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - 0xc014
# - 0xc00a
# Use LetsEncrypt (https://letsencrypt.org/) to automatically obtain and maintain a certificate.
# Note that this only applies to server TLS certificate, this certificate will not be used for tokens
letsencrypt:
# Email is required. It will be used to register with LetsEncrypt.
email: webmaster@example.org
# Cache directory, where certificates issued by LE will be stored. Must exist.
# It is recommended to make it a volume mount so it persists across restarts.
cache_dir: /data/sslcache
# Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to.
# With this option, you can limit it to a specific host name.
# host: "docker.example.org"
# If neither certificate+key or letsencrypt are configured, the listener does not use TLS.
# Take client's address from the specified HTTP header instead of connection.
# May be useful if the server is behind a proxy or load balancer.
# If configured, this header must be present, requests without it will be rejected.
# real_ip_header: "X-Forwarded-For"
# Optional position of client ip in X-Forwarded-For, negative starts from
# end of addresses.
# real_ip_pos: -2
token: # Settings for the tokens.
issuer: "Acme auth server" # Must match issuer in the Registry config.
expiration: 900
# Token must be signed by a certificate that registry trusts, i.e. by a certificate to which a trust chain
# can be constructed from one of the certificates in registry's auth.token.rootcertbundle.
# If not specified, server's TLS certificate and key are used.
# certificate: "..."
# key: "..."
# Authentication methods. All are tried, any one returning success is sufficient.
# At least one must be configured. If you want an unauthenticated public setup,
# configure static user map with anonymous access.
# Static user map.
users:
# Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
"admin":
password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
"test":
password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123
"": {} # Allow anonymous (no "docker login") access.
# Google authentication.
# ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK.
# Instead, Auth server maintains a database of Google authentication tokens.
# Go to the server's port as HTTPS with your browser and follow the "Login with Google account" link.
# Once signed in, you will get a throw-away password which you can use for Docker login.
google_auth:
domain: "example.com" # Optional. If set, only logins from this domain are accepted.
# client_id and client_secret for API access. Required.
# Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project
# NB: Make sure JavaScript origins are configured correctly, and that third-party
# cookies are not blocked in the browser being used to login.
client_id: "1223123456-somethingsomething.apps.googleusercontent.com"
# Either client_secret or client_secret_file is required. Use client_secret_file if you don't
# want to have sensitive information checked in.
# client_secret: "verysecret"
client_secret_file: "/path/to/client_secret.txt"
# Where to store server tokens. Required.
token_db: "/somewhere/to/put/google_tokens.ldb"
# How long to wait when talking to Google servers. Optional.
http_timeout: 10
# GitHub authentication.
# ==! NB: DO NOT ENTER YOUR GITHUB PASSWORD AT "docker login". IT WILL NOT WORK.
# Instead, Auth server maintains a database of GitHub authentication tokens.
# Go to the server's port as HTTPS with your browser and follow the "Login with GitHub account" link.
# Once signed in, you will get a throw-away password which you can use for Docker login.
github_auth:
organization: "acme" # Optional. If set, only logins from this organization are accepted.
# client_id and client_secret for API access. Required.
# You can register a new application here: https://github.com/settings/developers
# NB: Make sure JavaScript origins are configured correctly, and that third-party
# cookies are not blocked in the browser being used to login.
client_id: "1223123456"
# Either client_secret or client_secret_file is required. Use client_secret_file if you don't
# want to have sensitive information checked in.
# client_secret: "verysecret"
client_secret_file: "/path/to/client_secret.txt"
# Either token_db file for storing of server tokens.
token_db: "/somewhere/to/put/github_tokens.ldb"
# or google cloud storage for storing of the sensitive information,
gcs_token_db:
bucket: "tokenBucket"
client_secret_file: "/path/to/client_secret.json"
# or Redis,
redis_token_db:
redis_options:
# with a single instance,
addr: localhost:6379
redis_cluster_options:
# or in the cluster mode.
addrs: ["localhost:7000"]
# How long to wait when talking to GitHub servers. Optional.
http_timeout: "10s"
# How long to wait before revalidating the GitHub token. Optional.
revalidate_after: "1h"
# The Github Web URI in case you are using Github Enterprise.
# Includes the protocol, without trailing slash. Optional - defaults to: https://github.com
github_web_uri: "https://github.acme.com"
# The Github API URI in case you are using Github Enterprise.
# Includes the protocol, without trailing slash. - defaults to: https://api.github.com
github_api_uri: "https://github.acme.com/api/v3"
# Set an URL to display in the `docker login` command when succesfully authenticated. Optional.
registry_url: localhost:5000
# LDAP authentication.
# Authentication is performed by first binding to the server, looking up the user entry
# by using the specified filter, and then re-binding using the matched DN and the password provided.
ldap_auth:
# Addr is the hostname:port or ip:port
addr: ldap.example.com:636
# Setup tls connection method to be
# "" or "none": the communication won't be encrypted
# "always": setup LDAP over SSL/TLS
# "starttls": sets StartTLS as the encryption method
tls: always
# set to true to allow insecure tls
insecure_tls_skip_verify: false
# set this to specify the ca certificate path
ca_certificate:
# In case bind DN and password is required for querying user information,
# specify them here. Plain text password is read from the file.
bind_dn:
bind_password_file:
# User query settings. ${account} is expanded from auth request
base: o=example.com
filter: (&(uid=${account})(objectClass=person))
# Labels can be mapped from LDAP attributes
labels:
# Add the user's title to a label called title
title:
attribute: title
# Add the user's memberOf values to a label called groups
groups:
attribute: memberOf
# Special handling to simplify the values to just the common name
parse_cn: true
mongo_auth:
# Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
dial_info:
# The MongoDB hostnames or IPs to connect to.
addrs: ["localhost"]
# The time to wait for a server to respond when first connecting and on
# follow up operations in the session. If timeout is zero, the call may
# block forever waiting for a connection to be established.
# (See https://golang.org/pkg/time/#ParseDuration for a format description.)
timeout: "10s"
# Database name that will be used on the MongoDB server.
database: "docker_auth"
# The username with which to connect to the MongoDB server.
username: ""
# Path to the text file with the password in it.
password_file: ""
# Enable TLS connection to MongoDB (only enable this if your server supports it)
enable_tls: false
# Name of the collection in which ACLs will be stored in MongoDB.
collection: "users"
# Unlike acl_mongo we don't cache the full user set. We just query mongo for
# an exact match for each authorization
xorm_auth:
# the database type you'd like to connect to
database_type: "mysql"
# the connection string to connect to the database
conn_string: "username:password@/database_name?charset=utf8"
# External authentication - call an external progam to authenticate user.
# Username and password are passed to command's stdin and exit code is examined.
# 0 - allow, 1 - deny, 2 - no match, other - error.
# In case of success, if any output is returned, it is parsed as a JSON object.
# The "labels" key may contain labels to be passed down to authz, where they can
# be used in matching. See ext_auth.sh for an example.
ext_auth:
command: "/usr/local/bin/my_auth" # Can be a relative path too; $PATH works.
args: ["--flag", "--more", "--flags"]
# User written authentication plugin - call a user written program to authenticate user.
# Username of type string and password of authn.PasswordString is passed to the plugin
# Expects a boolean value whether the user is authenticate or not, authn.Labels, error
# The "labels" key may contain labels to be passed down to authz, where they can
# be used in matching.
plugin_authn:
plugin_path: ""
# Authorization methods. All are tried, any one returning success is sufficient.
# At least one must be configured.
# ACL specifies who can do what. If the match section of an entry matches the
# request, the set of allowed actions will be applied to the token request
# and a ticket will be issued only for those of the requested actions that are
# allowed by the rule.
# * It is possible to match on user's name ("account"), subject type ("type")
# and name ("name"; for type=repository this is the image name).
# * Matches are evaluated as shell file name patterns ("globs") by default,
# so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility
# match patterns can be evaluated as regexes by enclosing them in //, e.g.
# "/(foo|bar)/".
# * IP match can be single IP address or a subnet in the "prefix/mask" notation.
# * ACL is evaluated in the order it is defined until a match is found.
# Rules below the first match are not evaluated, so you'll need to put more
# specific rules above more broad ones.
# * Empty match clause matches anything, it only makes sense at the end of the
# list and can be used as a way of specifying default permissions.
# * Empty actions set means "deny everything". Thus, a rule with `actions: []`
# is in effect a "deny" rule.
# * A special set consisting of a single "*" action means "allow everything".
# * If no match is found the default is to deny the request.
#
# You can use the following variables from the ticket request in any field:
# * ${account} - the account name, currently the same as authenticated user's name.
# * ${service} - the service name, specified by auth.token.service in the registry config.
# * ${type} - the type of the entity, normally "repository".
# * ${name} - the name of the repository (i.e. image), e.g. centos.
# * ${labels:<LABEL>} - tests all values in the list of lables:<LABEL> for the user. Refer to the labels doc for details
acl:
- match: {ip: "127.0.0.0/8"}
actions: ["*"]
comment: "Allow everything from localhost (IPv4)"
- match: {ip: "::1"}
actions: ["*"]
comment: "Allow everything from localhost (IPv6)"
- match: {ip: "172.17.0.1"}
actions: ["*"]
comment: "Allow everything from the local Docker bridge address"
- match: {account: "admin"}
actions: ["*"]
comment: "Admin has full access to everything."
- match: {account: "test", name: "test-*"}
actions: ["*"]
comment: "User \"test\" has full access to test-* images but nothing else. (1)"
- match: {account: "test"}
actions: []
comment: "User \"test\" has full access to test-* images but nothing else. (2)"
- match: {account: "/.+/", name: "${account}/*"}
actions: ["*"]
comment: "Logged in users have full access to images that are in their 'namespace'"
- match: {account: "/.+/", type: "registry", name: "catalog"}
actions: ["*"]
comment: "Logged in users can query the catalog."
- match: {account: "/.+/"}
actions: ["pull"]
comment: "Logged in users can pull all images."
- match: {account: "", name: "hello-world"}
actions: ["pull"]
comment: "Anonymous users can pull \"hello-world\"."
- match: {account: "/^(.+)@test.com$/", name: "${account:1}/*"}
actions: []
comment: "Emit domain part of account to make it a correct repo name"
- match: {labels: {"group": "VIP"}}
actions: ["push"]
comment: "Users assigned to group 'VIP' is able to push"
- match: {labels: {"group": "/trainee|dev/"}}
actions: ["push", "pull"]
comment: "Users assigned to group 'trainee' and 'dev' is able to push and pull"
- match: {name: "${labels:group}-shared/*"}
actions: ["push", "pull"]
comment: "Users can push to the shared namespace of any group they are in"
- match: {name: "${labels:project}/*"}
actions: ["push", "pull"]
comment: "Users can push to any project they are assigned to"
- match: {name: "${labels:project}-{labels:tier}/*"}
actions: ["push", "pull"]
comment: "Users can push to a project-tier/* that they are assigned to"
- match: {labels: {"title": "Developer"}}
actions: ["*"]
comment: "If you call yourself a developer you can do anything (this ACL is an example for LDAP labels as defined above)"
- match: {labels: {"groups": "Admin"}}
actions: ["push"]
comment: "If you are part of the admin group you can push. (this ACL is an example for LDAP labels as defined above)"
# Access is denied by default.
# (optional) Define to query ACL from a MongoDB server.
acl_mongo:
# Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
dial_info:
# The MongoDB hostnames or IPs to connect to.
addrs: ["localhost"]
# The time to wait for a server to respond when first connecting and on
# follow up operations in the session. If timeout is zero, the call may
# block forever waiting for a connection to be established.
# (See https://golang.org/pkg/time/#ParseDuration for a format description.)
timeout: "10s"
# Database name that will be used on the MongoDB server.
database: "docker_auth"
# The username with which to connect to the MongoDB server.
username: ""
# Path to the text file with the password in it.
password_file: ""
# Enable TLS connection to MongoDB (only enable this if your server supports it)
enable_tls: false
# Name of the collection in which ACLs will be stored in MongoDB.
collection: "acl"
# Specify how long an ACL remains valid before they will be fetched again from
# the MongoDB server.
# (See https://golang.org/pkg/time/#ParseDuration for a format description.)
cache_ttl: "1m"
# (optional) Define to query ACL from a XORM.io database connection.
acl_xorm:
# the database type you'd like to connect to
database_type: "mysql"
conn_string: "username:password@/database_name?charset=utf8"
cache_ttl: "1m"
# (optioinal) Use casbin to verify permission
casbin_authz:
model_path: "path/to/model"
policy_path: "path/to/csv"
# External authorization - call an external progam to authorize user.
# JSON of authz.AuthRequestInfo is passed to command's stdin and exit code is examined.
# 0 - allow, 1 - deny, other - error.
ext_authz:
command: "/usr/local/bin/my_authz" # Can be a relative path too; $PATH works.
args: ["--flag", "--more", "--flags"]
# User written authorization plugin - call a user written program to authorize user.
# *authz.AuthRequestInfo is passed to the plugin and expects an authorized set of actions or an error.
# return the set of authorized actions is the user is authorized. Otherwise return nil
plugin_authz:
plugin_path: ""