| diff --git a/examples/reference.yml b/examples/reference.yml
 | |
| index ce741d0..4adec43 100644
 | |
| --- a/examples/reference.yml
 | |
| +++ b/examples/reference.yml
 | |
| @@ -10,452 +10,452 @@
 | |
|  #      autoredirect: false
 | |
|  #      rootcertbundle: "/path/to/server.pem"
 | |
|  
 | |
| -server:  # Server settings.
 | |
| -  # Address to listen on.
 | |
| -  # Can be HOST:PORT for TCP or file path (e.g. /run/docker_auth.sock) for Unix socket.
 | |
| -  addr: ":5001"
 | |
| -
 | |
| -  # Network, can be "tcp" or "unix" ("tcp" if unspecified).
 | |
| -  net: "tcp"
 | |
| -
 | |
| -  # URL path prefix to use.
 | |
| -  path_prefix: ""
 | |
| -
 | |
| -  # TLS options.
 | |
| -  #
 | |
| -  # Use specific certificate and key.
 | |
| -  certificate: "/path/to/server.pem"
 | |
| -  key: "/path/to/server.key"
 | |
| -  #
 | |
| -  # The following optional settings will fine tune TLS configuration to improve security.
 | |
| -  # Leaving them unset should be just fine for most installations.
 | |
| -  #
 | |
| -  # Enable HTTP Strict Transport Security.
 | |
| -  # hsts: true
 | |
| -  #
 | |
| -  # Set minimum TLS version.
 | |
| -  # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
 | |
| -  # Either the version name (i.e. TLS11) or its uint16 value can be specified.
 | |
| -  # tls_min_version: TLS12
 | |
| -  #
 | |
| -  # List of TLS curve preferences.
 | |
| -  # Values can be found at https://golang.org/pkg/crypto/tls/#CurveID
 | |
| -  # Either CurveID names (i.e. P384) or uint16 values can be specified.
 | |
| -  # tls_curve_preferences:
 | |
| -  #   - P521
 | |
| -  #   - 24
 | |
| -  #   - P256
 | |
| -  #
 | |
| -  # List of enabled TLS cipher suites.
 | |
| -  # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
 | |
| -  # Either CipherSuite names (i.e. TLS_RSA_WITH_RC4_128_SHA) or uint16 values can be specified.
 | |
| -  # tls_cipher_suites:
 | |
| -  #   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 | |
| -  #   - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 | |
| -  #   - 0xc014
 | |
| -  #   - 0xc00a
 | |
| -
 | |
| -  # Use LetsEncrypt (https://letsencrypt.org/) to automatically obtain and maintain a certificate.
 | |
| -  # Note that this only applies to server TLS certificate, this certificate will not be used for tokens
 | |
| -  letsencrypt:
 | |
| -    # Email is required. It will be used to register with LetsEncrypt.
 | |
| -    email: webmaster@example.org
 | |
| -    # Cache directory, where certificates issued by LE will be stored. Must exist.
 | |
| -    # It is recommended to make it a volume mount so it persists across restarts.
 | |
| -    cache_dir: /data/sslcache
 | |
| -    # Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to.
 | |
| -    # With this option, you can limit it to a specific host name.
 | |
| -    # host: "docker.example.org"
 | |
| -  # If neither certificate+key or letsencrypt are configured, the listener does not use TLS.
 | |
| -
 | |
| -  # Take client's address from the specified HTTP header instead of connection.
 | |
| -  # May be useful if the server is behind a proxy or load balancer.
 | |
| -  # If configured, this header must be present, requests without it will be rejected.
 | |
| -  # real_ip_header: "X-Forwarded-For"
 | |
| -  # Optional position of client ip in X-Forwarded-For, negative starts from
 | |
| -  # end of addresses.
 | |
| -  # real_ip_pos: -2
 | |
| -
 | |
| -token:  # Settings for the tokens.
 | |
| -  issuer: "Acme auth server"  # Must match issuer in the Registry config.
 | |
| -  expiration: 900
 | |
| -  # Token must be signed by a certificate that registry trusts, i.e. by a certificate to which a trust chain
 | |
| -  # can be constructed from one of the certificates in registry's auth.token.rootcertbundle.
 | |
| -  # If not specified, server's TLS certificate and key are used.
 | |
| -  # certificate: "..."
 | |
| -  # key: "..."
 | |
| -
 | |
| -# Authentication methods. All are tried, any one returning success is sufficient.
 | |
| -# At least one must be configured. If you want an unauthenticated public setup,
 | |
| -# configure static user map with anonymous access.
 | |
| -
 | |
| -# Static user map.
 | |
| -users:
 | |
| -  # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
 | |
| -  "admin":
 | |
| -    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC"  # badmin
 | |
| -  "test":
 | |
| -    password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya"  # 123
 | |
| -  "": {}  # Allow anonymous (no "docker login") access.
 | |
| -
 | |
| -# Google authentication.
 | |
| -# ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK.
 | |
| -# Instead, Auth server maintains a database of Google authentication tokens.
 | |
| -# Go to the server's port as HTTPS with your browser and follow the "Login with Google account" link.
 | |
| -# Once signed in, you will get a throw-away password which you can use for Docker login.
 | |
| -google_auth:
 | |
| -  domain: "example.com"  # Optional. If set, only logins from this domain are accepted.
 | |
| -  # client_id and client_secret for API access. Required.
 | |
| -  # Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project
 | |
| -  # NB: Make sure JavaScript origins are configured correctly, and that third-party
 | |
| -  # cookies are not blocked in the browser being used to login.
 | |
| -  client_id: "1223123456-somethingsomething.apps.googleusercontent.com"
 | |
| -  # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
 | |
| -  # want to have sensitive information checked in.
 | |
| -  # client_secret: "verysecret"
 | |
| -  client_secret_file: "/path/to/client_secret.txt"
 | |
| -  # Where to store server tokens. Required.
 | |
| -  token_db: "/somewhere/to/put/google_tokens.ldb"
 | |
| -  # How long to wait when talking to Google servers. Optional.
 | |
| -  http_timeout: 10
 | |
| -
 | |
| -# GitHub authentication.
 | |
| -# ==! NB: DO NOT ENTER YOUR GITHUB PASSWORD AT "docker login". IT WILL NOT WORK.
 | |
| -# Instead, Auth server maintains a database of GitHub authentication tokens.
 | |
| -# Go to the server's port as HTTPS with your browser and follow the "Login with GitHub account" link.
 | |
| -# Once signed in, you will get a throw-away password which you can use for Docker login.
 | |
| -github_auth:
 | |
| -  organization: "acme"   # Optional. If set, only logins from this organization are accepted.
 | |
| -  # client_id and client_secret for API access. Required.
 | |
| -  # You can register a new application here: https://github.com/settings/developers
 | |
| -  # NB: Make sure JavaScript origins are configured correctly, and that third-party
 | |
| -  # cookies are not blocked in the browser being used to login.
 | |
| -  client_id: "1223123456"
 | |
| -  # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
 | |
| -  # want to have sensitive information checked in.
 | |
| -  # client_secret: "verysecret"
 | |
| -  client_secret_file: "/path/to/client_secret.txt"
 | |
| -  # Either token_db file for storing of server tokens.
 | |
| -  token_db: "/somewhere/to/put/github_tokens.ldb"
 | |
| -  # or google cloud storage for storing of the sensitive information,
 | |
| -  gcs_token_db:
 | |
| -    bucket: "tokenBucket"
 | |
| -    client_secret_file: "/path/to/client_secret.json"
 | |
| -  # or Redis,
 | |
| -  redis_token_db:
 | |
| -    redis_options:
 | |
| -        # with a single instance,
 | |
| -        addr: localhost:6379
 | |
| -    redis_cluster_options:
 | |
| -        # or in the cluster mode.
 | |
| -        addrs: ["localhost:7000"]
 | |
| -  # How long to wait when talking to GitHub servers. Optional.
 | |
| -  http_timeout: "10s"
 | |
| -  # How long to wait before revalidating the GitHub token. Optional.
 | |
| -  revalidate_after: "1h"
 | |
| -  # The Github Web URI in case you are using Github Enterprise.
 | |
| -  # Includes the protocol, without trailing slash. Optional - defaults to: https://github.com
 | |
| -  github_web_uri: "https://github.acme.com"
 | |
| -  # The Github API URI in case you are using Github Enterprise.
 | |
| -  # Includes the protocol, without trailing slash. - defaults to: https://api.github.com
 | |
| -  github_api_uri: "https://github.acme.com/api/v3"
 | |
| -  # Set an URL to display in the `docker login` command when succesfully authenticated. Optional.
 | |
| -  registry_url: localhost:5000
 | |
| -
 | |
| -# OpenID Connect authentication
 | |
| -# ==! NB: DO NOT ENTER YOUR OIDC PASSWORD AT "docker login". IT WILL NOT WORK.
 | |
| -# Instead, Auth server maintains a database of OIDC authentication tokens.
 | |
| -# Go to the server's port as HTTPS with your browser and follow the "Login with OIDC account" link.
 | |
| -# Once signed in, you will get a throw-away password which you can use for Docker login.
 | |
| -oidc_auth:
 | |
| -  # --- required ---
 | |
| -  # The issuer URL of your OIDC provider. It has to be extendable with /.well-known/openid-configuration to request all
 | |
| -  # OIDC endpoints for token and authorization requests
 | |
| -  issuer: "my_issuer_url"
 | |
| -  # The redirect URI which is registered for this client at your OIDC provider. It has to end with /oidc_auth.
 | |
| -  redirect_url: "my_redirect_uri/oidc_auth"
 | |
| -  # The client id and client secret of the client that is registered at your OIDC provider for docker_auth
 | |
| -  client_id: "be4ut1fu1-cl13n7-1d"
 | |
| -  client_secret: "be4ut1fu1-cl13n7-s3cr37"
 | |
| -  # you can also give the client_secret in a file. Either a client_secret or a client_secret_file has to be provided
 | |
| -  # client_secret_file: "/path/to/client_secret.txt"
 | |
| -  #
 | |
| -  # a file in which the tokens should be stored. Does not have to exist, it will be generated in this case
 | |
| -  token_db: "/path/to/tokens.ldb"
 | |
| -  # --- optional ---
 | |
| -  # How long to wait when talking to the OIDC provider.
 | |
| -  http_timeout: 10
 | |
| -  # the url of the registry where you want to login. Is used to present the full docker login command.
 | |
| -  registry_url: "url_of_my_beautiful_docker_registry"
 | |
| -  # The claim to use for the username.
 | |
| -  # Default: email
 | |
| -  user_claim: email
 | |
| -  # String array claims that will be used as labels.
 | |
| -  label_claims:
 | |
| -    - groups
 | |
| -  # Default: [openid, email]
 | |
| -  scopes:
 | |
| -    - openid
 | |
| -    - email
 | |
| -
 | |
| -
 | |
| -# Gitlab authentication.
 | |
| -# ==! NB: DO NOT ENTER YOUR Gitlab PASSWORD AT "docker login". IT WILL NOT WORK.
 | |
| -# Instead, Auth server maintains a database of Gitlab authentication tokens.
 | |
| -# Go to the server's port as HTTPS with your browser and follow the "Login with Gitlab account" link.
 | |
| -# Once signed in, you will get a throw-away password which you can use for Docker login.
 | |
| -gitlab_auth:
 | |
| -  client_id: "1223123456"
 | |
| -  # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
 | |
| -  # want to have sensitive information checked in.
 | |
| -  # client_secret: "verysecret"
 | |
| -  client_secret_file: "/path/to/client_secret.txt"
 | |
| -  # Either token_db file for storing of server tokens.
 | |
| -  token_db: "/somewhere/to/put/gitlab_tokens.ldb"
 | |
| -  # or google cloud storage for storing of the sensitive information,
 | |
| -  gcs_token_db:
 | |
| -    bucket: "tokenBucket"
 | |
| -    client_secret_file: "/path/to/client_secret.json"
 | |
| -  # or Redis,
 | |
| -  redis_token_db:
 | |
| -    redis_options:
 | |
| -      # with a single instance,
 | |
| -      addr: localhost:6379
 | |
| -    redis_cluster_options:
 | |
| -      # or in the cluster mode.
 | |
| -      addrs: ["localhost:7000"]
 | |
| -  # How long to wait when talking to GitLab servers. Optional.
 | |
| -  http_timeout: "10s"
 | |
| -  # How long to wait before revalidating the Gitlab token. Optional.
 | |
| -  revalidate_after: "1h"
 | |
| -  # Includes the protocol, without trailing slash. Optional - defaults to: https://gitlab.com
 | |
| -  gitlab_web_uri: "https://gitlab.com"
 | |
| -  # Includes the protocol, without trailing slash. - defaults to: https://gitlab.com/api/v4
 | |
| -  gitlab_api_uri: "https://gitlab.com/api/v4"
 | |
| -  # Set an URL to display in the `docker login` command when successfully authenticated. Optional.
 | |
| -  registry_url: localhost:5000
 | |
| -  # grant_type is used for the authentication purpose. Required.
 | |
| -  grant_type: "authorization_code"
 | |
| -  # Redirect uri is used for the authentication purpose. Must end with '/gitlab_auth' prefix. Required.
 | |
| -  redirect_uri: "https://localhost:5001/gitlab_auth"
 | |
| -
 | |
| -# LDAP authentication.
 | |
| -# Authentication is performed by first binding to the server, looking up the user entry
 | |
| -# by using the specified filter, and then re-binding using the matched DN and the password provided.
 | |
| -ldap_auth:
 | |
| -  # Addr is the hostname:port or ip:port
 | |
| -  addr: ldap.example.com:636
 | |
| -  # Setup tls connection method to be
 | |
| -  # "" or "none": the communication won't be encrypted
 | |
| -  # "always": setup LDAP over SSL/TLS
 | |
| -  # "starttls": sets StartTLS as the encryption method
 | |
| -  tls: always
 | |
| -  # set to true to allow insecure tls
 | |
| -  insecure_tls_skip_verify: false
 | |
| -  # set this to specify the ca certificate path
 | |
| -  ca_certificate:
 | |
| -  # In case bind DN and password is required for querying user information,
 | |
| -  # specify them here. Plain text password is read from the file.
 | |
| -  bind_dn:
 | |
| -  bind_password_file:
 | |
| -  # User query settings. ${account} is expanded from auth request
 | |
| -  base: o=example.com
 | |
| -  filter: (&(uid=${account})(objectClass=person))
 | |
| -  # Labels can be mapped from LDAP attributes
 | |
| -  labels:
 | |
| -    # Add the user's title to a label called title
 | |
| -    title:
 | |
| -      attribute: title
 | |
| -    # Add the user's memberOf values to a label called groups
 | |
| -    groups:
 | |
| -      attribute: memberOf
 | |
| -      # Special handling to simplify the values to just the common name
 | |
| -      parse_cn: true
 | |
| -      # lower case the value
 | |
| -      lower_case: true
 | |
| -
 | |
| -mongo_auth:
 | |
| -  # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
 | |
| -  dial_info:
 | |
| -    # The MongoDB hostnames or IPs to connect to.
 | |
| -    addrs: ["localhost"]
 | |
| -    # The time to wait for a server to respond when first connecting and on
 | |
| -    # follow up operations in the session. If timeout is zero, the call may
 | |
| -    # block forever waiting for a connection to be established.
 | |
| -    # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
 | |
| -    timeout: "10s"
 | |
| -    # Database name that will be used on the MongoDB server.
 | |
| -    database: "docker_auth"
 | |
| -    # The username with which to connect to the MongoDB server.
 | |
| -    username: ""
 | |
| -    # Path to the text file with the password in it.
 | |
| -    password_file: ""
 | |
| -    # Enable TLS connection to MongoDB (only enable this if your server supports it)
 | |
| -    enable_tls: false
 | |
| -  # Name of the collection in which ACLs will be stored in MongoDB.
 | |
| -  collection: "users"
 | |
| -  # Unlike acl_mongo we don't cache the full user set. We just query mongo for
 | |
| -  # an exact match for each authorization
 | |
| -
 | |
| -xorm_auth:
 | |
| -  # the database type you'd like to connect to
 | |
| -  database_type: "mysql"
 | |
| -  # the connection string to connect to the database
 | |
| -  conn_string: "username:password@/database_name?charset=utf8"
 | |
| -
 | |
| -# External authentication - call an external progam to authenticate user.
 | |
| -# Username and password are passed to command's stdin and exit code is examined.
 | |
| -# 0 - allow, 1 - deny, 2 - no match, other - error.
 | |
| -# In case of success, if any output is returned, it is parsed as a JSON object.
 | |
| -# The "labels" key may contain labels to be passed down to authz, where they can
 | |
| -# be used in matching. See ext_auth.sh for an example.
 | |
| -ext_auth:
 | |
| -  command: "/usr/local/bin/my_auth"  # Can be a relative path too; $PATH works.
 | |
| -  args: ["--flag", "--more", "--flags"]
 | |
| -
 | |
| -# User written authentication plugin - call a user written program to authenticate user.
 | |
| -# Username of type string and password of authn.PasswordString is passed to the plugin
 | |
| -# Expects a boolean value whether the user is authenticate or not, authn.Labels, error
 | |
| -# The "labels" key may contain labels to be passed down to authz, where they can
 | |
| -# be used in matching.
 | |
| -plugin_authn:
 | |
| -  plugin_path: ""
 | |
| -
 | |
| -# Authorization methods. All are tried, any one returning success is sufficient.
 | |
| -# At least one must be configured.
 | |
| -
 | |
| -# ACL specifies who can do what. If the match section of an entry matches the
 | |
| -# request, the set of allowed actions will be applied to the token request
 | |
| -# and a ticket will be issued only for those of the requested actions that are
 | |
| -# allowed by the rule.
 | |
| -#  * It is possible to match on user's name ("account"), subject type ("type")
 | |
| -#    and name ("name"; for type=repository this is the image name).
 | |
| -#  * Matches are evaluated as shell file name patterns ("globs") by default,
 | |
| -#    so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility
 | |
| -#    match patterns can be evaluated as regexes by enclosing them in //, e.g.
 | |
| -#    "/(foo|bar)/".
 | |
| -#  * IP match can be single IP address or a subnet in the "prefix/mask" notation.
 | |
| -#  * ACL is evaluated in the order it is defined until a match is found.
 | |
| -#    Rules below the first match are not evaluated, so you'll need to put more
 | |
| -#    specific rules above more broad ones.
 | |
| -#  * Empty match clause matches anything, it only makes sense at the end of the
 | |
| -#    list and can be used as a way of specifying default permissions.
 | |
| -#  * Empty actions set means "deny everything". Thus, a rule with `actions: []`
 | |
| -#    is in effect a "deny" rule.
 | |
| -#  * A special set consisting of a single "*" action means "allow everything".
 | |
| -#  * If no match is found the default is to deny the request.
 | |
| +#server:  # Server settings.
 | |
| +#  # Address to listen on.
 | |
| +#  # Can be HOST:PORT for TCP or file path (e.g. /run/docker_auth.sock) for Unix socket.
 | |
| +#  addr: ":5001"
 | |
| +#
 | |
| +#  # Network, can be "tcp" or "unix" ("tcp" if unspecified).
 | |
| +#  net: "tcp"
 | |
| +#
 | |
| +#  # URL path prefix to use.
 | |
| +#  path_prefix: ""
 | |
| +#
 | |
| +#  # TLS options.
 | |
| +#  #
 | |
| +#  # Use specific certificate and key.
 | |
| +#  certificate: "/path/to/server.pem"
 | |
| +#  key: "/path/to/server.key"
 | |
| +#  #
 | |
| +#  # The following optional settings will fine tune TLS configuration to improve security.
 | |
| +#  # Leaving them unset should be just fine for most installations.
 | |
| +#  #
 | |
| +#  # Enable HTTP Strict Transport Security.
 | |
| +#  # hsts: true
 | |
| +#  #
 | |
| +#  # Set minimum TLS version.
 | |
| +#  # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
 | |
| +#  # Either the version name (i.e. TLS11) or its uint16 value can be specified.
 | |
| +#  # tls_min_version: TLS12
 | |
| +#  #
 | |
| +#  # List of TLS curve preferences.
 | |
| +#  # Values can be found at https://golang.org/pkg/crypto/tls/#CurveID
 | |
| +#  # Either CurveID names (i.e. P384) or uint16 values can be specified.
 | |
| +#  # tls_curve_preferences:
 | |
| +#  #   - P521
 | |
| +#  #   - 24
 | |
| +#  #   - P256
 | |
| +#  #
 | |
| +#  # List of enabled TLS cipher suites.
 | |
| +#  # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
 | |
| +#  # Either CipherSuite names (i.e. TLS_RSA_WITH_RC4_128_SHA) or uint16 values can be specified.
 | |
| +#  # tls_cipher_suites:
 | |
| +#  #   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 | |
| +#  #   - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 | |
| +#  #   - 0xc014
 | |
| +#  #   - 0xc00a
 | |
| +#
 | |
| +#  # Use LetsEncrypt (https://letsencrypt.org/) to automatically obtain and maintain a certificate.
 | |
| +#  # Note that this only applies to server TLS certificate, this certificate will not be used for tokens
 | |
| +#  letsencrypt:
 | |
| +#    # Email is required. It will be used to register with LetsEncrypt.
 | |
| +#    email: webmaster@example.org
 | |
| +#    # Cache directory, where certificates issued by LE will be stored. Must exist.
 | |
| +#    # It is recommended to make it a volume mount so it persists across restarts.
 | |
| +#    cache_dir: /data/sslcache
 | |
| +#    # Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to.
 | |
| +#    # With this option, you can limit it to a specific host name.
 | |
| +#    # host: "docker.example.org"
 | |
| +#  # If neither certificate+key or letsencrypt are configured, the listener does not use TLS.
 | |
| +#
 | |
| +#  # Take client's address from the specified HTTP header instead of connection.
 | |
| +#  # May be useful if the server is behind a proxy or load balancer.
 | |
| +#  # If configured, this header must be present, requests without it will be rejected.
 | |
| +#  # real_ip_header: "X-Forwarded-For"
 | |
| +#  # Optional position of client ip in X-Forwarded-For, negative starts from
 | |
| +#  # end of addresses.
 | |
| +#  # real_ip_pos: -2
 | |
| +#
 | |
| +#token:  # Settings for the tokens.
 | |
| +#  issuer: "Acme auth server"  # Must match issuer in the Registry config.
 | |
| +#  expiration: 900
 | |
| +#  # Token must be signed by a certificate that registry trusts, i.e. by a certificate to which a trust chain
 | |
| +#  # can be constructed from one of the certificates in registry's auth.token.rootcertbundle.
 | |
| +#  # If not specified, server's TLS certificate and key are used.
 | |
| +#  # certificate: "..."
 | |
| +#  # key: "..."
 | |
| +#
 | |
| +## Authentication methods. All are tried, any one returning success is sufficient.
 | |
| +## At least one must be configured. If you want an unauthenticated public setup,
 | |
| +## configure static user map with anonymous access.
 | |
| +#
 | |
| +## Static user map.
 | |
| +#users:
 | |
| +#  # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
 | |
| +#  "admin":
 | |
| +#    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC"  # badmin
 | |
| +#  "test":
 | |
| +#    password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya"  # 123
 | |
| +#  "": {}  # Allow anonymous (no "docker login") access.
 | |
| +#
 | |
| +## Google authentication.
 | |
| +## ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK.
 | |
| +## Instead, Auth server maintains a database of Google authentication tokens.
 | |
| +## Go to the server's port as HTTPS with your browser and follow the "Login with Google account" link.
 | |
| +## Once signed in, you will get a throw-away password which you can use for Docker login.
 | |
| +#google_auth:
 | |
| +#  domain: "example.com"  # Optional. If set, only logins from this domain are accepted.
 | |
| +#  # client_id and client_secret for API access. Required.
 | |
| +#  # Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project
 | |
| +#  # NB: Make sure JavaScript origins are configured correctly, and that third-party
 | |
| +#  # cookies are not blocked in the browser being used to login.
 | |
| +#  client_id: "1223123456-somethingsomething.apps.googleusercontent.com"
 | |
| +#  # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
 | |
| +#  # want to have sensitive information checked in.
 | |
| +#  # client_secret: "verysecret"
 | |
| +#  client_secret_file: "/path/to/client_secret.txt"
 | |
| +#  # Where to store server tokens. Required.
 | |
| +#  token_db: "/somewhere/to/put/google_tokens.ldb"
 | |
| +#  # How long to wait when talking to Google servers. Optional.
 | |
| +#  http_timeout: 10
 | |
| +#
 | |
| +## GitHub authentication.
 | |
| +## ==! NB: DO NOT ENTER YOUR GITHUB PASSWORD AT "docker login". IT WILL NOT WORK.
 | |
| +## Instead, Auth server maintains a database of GitHub authentication tokens.
 | |
| +## Go to the server's port as HTTPS with your browser and follow the "Login with GitHub account" link.
 | |
| +## Once signed in, you will get a throw-away password which you can use for Docker login.
 | |
| +#github_auth:
 | |
| +#  organization: "acme"   # Optional. If set, only logins from this organization are accepted.
 | |
| +#  # client_id and client_secret for API access. Required.
 | |
| +#  # You can register a new application here: https://github.com/settings/developers
 | |
| +#  # NB: Make sure JavaScript origins are configured correctly, and that third-party
 | |
| +#  # cookies are not blocked in the browser being used to login.
 | |
| +#  client_id: "1223123456"
 | |
| +#  # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
 | |
| +#  # want to have sensitive information checked in.
 | |
| +#  # client_secret: "verysecret"
 | |
| +#  client_secret_file: "/path/to/client_secret.txt"
 | |
| +#  # Either token_db file for storing of server tokens.
 | |
| +#  token_db: "/somewhere/to/put/github_tokens.ldb"
 | |
| +#  # or google cloud storage for storing of the sensitive information,
 | |
| +#  gcs_token_db:
 | |
| +#    bucket: "tokenBucket"
 | |
| +#    client_secret_file: "/path/to/client_secret.json"
 | |
| +#  # or Redis,
 | |
| +#  redis_token_db:
 | |
| +#    redis_options:
 | |
| +#        # with a single instance,
 | |
| +#        addr: localhost:6379
 | |
| +#    redis_cluster_options:
 | |
| +#        # or in the cluster mode.
 | |
| +#        addrs: ["localhost:7000"]
 | |
| +#  # How long to wait when talking to GitHub servers. Optional.
 | |
| +#  http_timeout: "10s"
 | |
| +#  # How long to wait before revalidating the GitHub token. Optional.
 | |
| +#  revalidate_after: "1h"
 | |
| +#  # The Github Web URI in case you are using Github Enterprise.
 | |
| +#  # Includes the protocol, without trailing slash. Optional - defaults to: https://github.com
 | |
| +#  github_web_uri: "https://github.acme.com"
 | |
| +#  # The Github API URI in case you are using Github Enterprise.
 | |
| +#  # Includes the protocol, without trailing slash. - defaults to: https://api.github.com
 | |
| +#  github_api_uri: "https://github.acme.com/api/v3"
 | |
| +#  # Set an URL to display in the `docker login` command when succesfully authenticated. Optional.
 | |
| +#  registry_url: localhost:5000
 | |
| +#
 | |
| +## OpenID Connect authentication
 | |
| +## ==! NB: DO NOT ENTER YOUR OIDC PASSWORD AT "docker login". IT WILL NOT WORK.
 | |
| +## Instead, Auth server maintains a database of OIDC authentication tokens.
 | |
| +## Go to the server's port as HTTPS with your browser and follow the "Login with OIDC account" link.
 | |
| +## Once signed in, you will get a throw-away password which you can use for Docker login.
 | |
| +#oidc_auth:
 | |
| +#  # --- required ---
 | |
| +#  # The issuer URL of your OIDC provider. It has to be extendable with /.well-known/openid-configuration to request all
 | |
| +#  # OIDC endpoints for token and authorization requests
 | |
| +#  issuer: "my_issuer_url"
 | |
| +#  # The redirect URI which is registered for this client at your OIDC provider. It has to end with /oidc_auth.
 | |
| +#  redirect_url: "my_redirect_uri/oidc_auth"
 | |
| +#  # The client id and client secret of the client that is registered at your OIDC provider for docker_auth
 | |
| +#  client_id: "be4ut1fu1-cl13n7-1d"
 | |
| +#  client_secret: "be4ut1fu1-cl13n7-s3cr37"
 | |
| +#  # you can also give the client_secret in a file. Either a client_secret or a client_secret_file has to be provided
 | |
| +#  # client_secret_file: "/path/to/client_secret.txt"
 | |
| +#  #
 | |
| +#  # a file in which the tokens should be stored. Does not have to exist, it will be generated in this case
 | |
| +#  token_db: "/path/to/tokens.ldb"
 | |
| +#  # --- optional ---
 | |
| +#  # How long to wait when talking to the OIDC provider.
 | |
| +#  http_timeout: 10
 | |
| +#  # the url of the registry where you want to login. Is used to present the full docker login command.
 | |
| +#  registry_url: "url_of_my_beautiful_docker_registry"
 | |
| +#  # The claim to use for the username.
 | |
| +#  # Default: email
 | |
| +#  user_claim: email
 | |
| +#  # String array claims that will be used as labels.
 | |
| +#  label_claims:
 | |
| +#    - groups
 | |
| +#  # Default: [openid, email]
 | |
| +#  scopes:
 | |
| +#    - openid
 | |
| +#    - email
 | |
| +#
 | |
| +#
 | |
| +## Gitlab authentication.
 | |
| +## ==! NB: DO NOT ENTER YOUR Gitlab PASSWORD AT "docker login". IT WILL NOT WORK.
 | |
| +## Instead, Auth server maintains a database of Gitlab authentication tokens.
 | |
| +## Go to the server's port as HTTPS with your browser and follow the "Login with Gitlab account" link.
 | |
| +## Once signed in, you will get a throw-away password which you can use for Docker login.
 | |
| +#gitlab_auth:
 | |
| +#  client_id: "1223123456"
 | |
| +#  # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
 | |
| +#  # want to have sensitive information checked in.
 | |
| +#  # client_secret: "verysecret"
 | |
| +#  client_secret_file: "/path/to/client_secret.txt"
 | |
| +#  # Either token_db file for storing of server tokens.
 | |
| +#  token_db: "/somewhere/to/put/gitlab_tokens.ldb"
 | |
| +#  # or google cloud storage for storing of the sensitive information,
 | |
| +#  gcs_token_db:
 | |
| +#    bucket: "tokenBucket"
 | |
| +#    client_secret_file: "/path/to/client_secret.json"
 | |
| +#  # or Redis,
 | |
| +#  redis_token_db:
 | |
| +#    redis_options:
 | |
| +#      # with a single instance,
 | |
| +#      addr: localhost:6379
 | |
| +#    redis_cluster_options:
 | |
| +#      # or in the cluster mode.
 | |
| +#      addrs: ["localhost:7000"]
 | |
| +#  # How long to wait when talking to GitLab servers. Optional.
 | |
| +#  http_timeout: "10s"
 | |
| +#  # How long to wait before revalidating the Gitlab token. Optional.
 | |
| +#  revalidate_after: "1h"
 | |
| +#  # Includes the protocol, without trailing slash. Optional - defaults to: https://gitlab.com
 | |
| +#  gitlab_web_uri: "https://gitlab.com"
 | |
| +#  # Includes the protocol, without trailing slash. - defaults to: https://gitlab.com/api/v4
 | |
| +#  gitlab_api_uri: "https://gitlab.com/api/v4"
 | |
| +#  # Set an URL to display in the `docker login` command when successfully authenticated. Optional.
 | |
| +#  registry_url: localhost:5000
 | |
| +#  # grant_type is used for the authentication purpose. Required.
 | |
| +#  grant_type: "authorization_code"
 | |
| +#  # Redirect uri is used for the authentication purpose. Must end with '/gitlab_auth' prefix. Required.
 | |
| +#  redirect_uri: "https://localhost:5001/gitlab_auth"
 | |
| +#
 | |
| +## LDAP authentication.
 | |
| +## Authentication is performed by first binding to the server, looking up the user entry
 | |
| +## by using the specified filter, and then re-binding using the matched DN and the password provided.
 | |
| +#ldap_auth:
 | |
| +#  # Addr is the hostname:port or ip:port
 | |
| +#  addr: ldap.example.com:636
 | |
| +#  # Setup tls connection method to be
 | |
| +#  # "" or "none": the communication won't be encrypted
 | |
| +#  # "always": setup LDAP over SSL/TLS
 | |
| +#  # "starttls": sets StartTLS as the encryption method
 | |
| +#  tls: always
 | |
| +#  # set to true to allow insecure tls
 | |
| +#  insecure_tls_skip_verify: false
 | |
| +#  # set this to specify the ca certificate path
 | |
| +#  ca_certificate:
 | |
| +#  # In case bind DN and password is required for querying user information,
 | |
| +#  # specify them here. Plain text password is read from the file.
 | |
| +#  bind_dn:
 | |
| +#  bind_password_file:
 | |
| +#  # User query settings. ${account} is expanded from auth request
 | |
| +#  base: o=example.com
 | |
| +#  filter: (&(uid=${account})(objectClass=person))
 | |
| +#  # Labels can be mapped from LDAP attributes
 | |
| +#  labels:
 | |
| +#    # Add the user's title to a label called title
 | |
| +#    title:
 | |
| +#      attribute: title
 | |
| +#    # Add the user's memberOf values to a label called groups
 | |
| +#    groups:
 | |
| +#      attribute: memberOf
 | |
| +#      # Special handling to simplify the values to just the common name
 | |
| +#      parse_cn: true
 | |
| +#      # lower case the value
 | |
| +#      lower_case: true
 | |
| +#
 | |
| +#mongo_auth:
 | |
| +#  # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
 | |
| +#  dial_info:
 | |
| +#    # The MongoDB hostnames or IPs to connect to.
 | |
| +#    addrs: ["localhost"]
 | |
| +#    # The time to wait for a server to respond when first connecting and on
 | |
| +#    # follow up operations in the session. If timeout is zero, the call may
 | |
| +#    # block forever waiting for a connection to be established.
 | |
| +#    # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
 | |
| +#    timeout: "10s"
 | |
| +#    # Database name that will be used on the MongoDB server.
 | |
| +#    database: "docker_auth"
 | |
| +#    # The username with which to connect to the MongoDB server.
 | |
| +#    username: ""
 | |
| +#    # Path to the text file with the password in it.
 | |
| +#    password_file: ""
 | |
| +#    # Enable TLS connection to MongoDB (only enable this if your server supports it)
 | |
| +#    enable_tls: false
 | |
| +#  # Name of the collection in which ACLs will be stored in MongoDB.
 | |
| +#  collection: "users"
 | |
| +#  # Unlike acl_mongo we don't cache the full user set. We just query mongo for
 | |
| +#  # an exact match for each authorization
 | |
| +#
 | |
| +#xorm_auth:
 | |
| +#  # the database type you'd like to connect to
 | |
| +#  database_type: "mysql"
 | |
| +#  # the connection string to connect to the database
 | |
| +#  conn_string: "username:password@/database_name?charset=utf8"
 | |
| +#
 | |
| +## External authentication - call an external progam to authenticate user.
 | |
| +## Username and password are passed to command's stdin and exit code is examined.
 | |
| +## 0 - allow, 1 - deny, 2 - no match, other - error.
 | |
| +## In case of success, if any output is returned, it is parsed as a JSON object.
 | |
| +## The "labels" key may contain labels to be passed down to authz, where they can
 | |
| +## be used in matching. See ext_auth.sh for an example.
 | |
| +#ext_auth:
 | |
| +#  command: "/usr/local/bin/my_auth"  # Can be a relative path too; $PATH works.
 | |
| +#  args: ["--flag", "--more", "--flags"]
 | |
| +#
 | |
| +## User written authentication plugin - call a user written program to authenticate user.
 | |
| +## Username of type string and password of authn.PasswordString is passed to the plugin
 | |
| +## Expects a boolean value whether the user is authenticate or not, authn.Labels, error
 | |
| +## The "labels" key may contain labels to be passed down to authz, where they can
 | |
| +## be used in matching.
 | |
| +#plugin_authn:
 | |
| +#  plugin_path: ""
 | |
| +#
 | |
| +## Authorization methods. All are tried, any one returning success is sufficient.
 | |
| +## At least one must be configured.
 | |
| +#
 | |
| +## ACL specifies who can do what. If the match section of an entry matches the
 | |
| +## request, the set of allowed actions will be applied to the token request
 | |
| +## and a ticket will be issued only for those of the requested actions that are
 | |
| +## allowed by the rule.
 | |
| +##  * It is possible to match on user's name ("account"), subject type ("type")
 | |
| +##    and name ("name"; for type=repository this is the image name).
 | |
| +##  * Matches are evaluated as shell file name patterns ("globs") by default,
 | |
| +##    so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility
 | |
| +##    match patterns can be evaluated as regexes by enclosing them in //, e.g.
 | |
| +##    "/(foo|bar)/".
 | |
| +##  * IP match can be single IP address or a subnet in the "prefix/mask" notation.
 | |
| +##  * ACL is evaluated in the order it is defined until a match is found.
 | |
| +##    Rules below the first match are not evaluated, so you'll need to put more
 | |
| +##    specific rules above more broad ones.
 | |
| +##  * Empty match clause matches anything, it only makes sense at the end of the
 | |
| +##    list and can be used as a way of specifying default permissions.
 | |
| +##  * Empty actions set means "deny everything". Thus, a rule with `actions: []`
 | |
| +##    is in effect a "deny" rule.
 | |
| +##  * A special set consisting of a single "*" action means "allow everything".
 | |
| +##  * If no match is found the default is to deny the request.
 | |
| +##
 | |
| +## You can use the following variables from the ticket request in any field:
 | |
| +##  * ${account} - the account name, currently the same as authenticated user's name.
 | |
| +##  * ${service} - the service name, specified by auth.token.service in the registry config.
 | |
| +##  * ${type} - the type of the entity, normally "repository".
 | |
| +##  * ${name} - the name of the repository (i.e. image), e.g. centos.
 | |
| +##  * ${labels:<LABEL>} - tests all values in the list of lables:<LABEL> for the user. Refer to the labels doc for details
 | |
| +#acl:
 | |
| +#  - match: {ip: "127.0.0.0/8"}
 | |
| +#    actions: ["*"]
 | |
| +#    comment: "Allow everything from localhost (IPv4)"
 | |
| +#  - match: {ip: "::1"}
 | |
| +#    actions: ["*"]
 | |
| +#    comment: "Allow everything from localhost (IPv6)"
 | |
| +#  - match: {ip: "172.17.0.1"}
 | |
| +#    actions: ["*"]
 | |
| +#    comment: "Allow everything from the local Docker bridge address"
 | |
| +#  - match: {account: "admin"}
 | |
| +#    actions: ["*"]
 | |
| +#    comment: "Admin has full access to everything."
 | |
| +#  - match: {account: "test", name: "test-*"}
 | |
| +#    actions: ["*"]
 | |
| +#    comment: "User \"test\" has full access to test-* images but nothing else. (1)"
 | |
| +#  - match: {account: "test"}
 | |
| +#    actions: []
 | |
| +#    comment: "User \"test\" has full access to test-* images but nothing else. (2)"
 | |
| +#  - match: {account: "/.+/", name: "${account}/*"}
 | |
| +#    actions: ["*"]
 | |
| +#    comment: "Logged in users have full access to images that are in their 'namespace'"
 | |
| +#  - match: {account: "/.+/", type: "registry", name: "catalog"}
 | |
| +#    actions: ["*"]
 | |
| +#    comment: "Logged in users can query the catalog."
 | |
| +#  - match: {account: "/.+/"}
 | |
| +#    actions: ["pull"]
 | |
| +#    comment: "Logged in users can pull all images."
 | |
| +#  - match: {account: "", name: "hello-world"}
 | |
| +#    actions: ["pull"]
 | |
| +#    comment: "Anonymous users can pull \"hello-world\"."
 | |
| +#  - match: {account: "/^(.+)@test.com$/", name: "${account:1}/*"}
 | |
| +#    actions: []
 | |
| +#    comment: "Emit domain part of account to make it a correct repo name"
 | |
| +#  - match: {labels: {"group": "VIP"}}
 | |
| +#    actions: ["push"]
 | |
| +#    comment: "Users assigned to group 'VIP' is able to push"
 | |
| +#  - match: {labels: {"group": "/trainee|dev/"}}
 | |
| +#    actions: ["push", "pull"]
 | |
| +#    comment: "Users assigned to group 'trainee' and 'dev' is able to push and pull"
 | |
| +#  - match: {name: "${labels:group}-shared/*"}
 | |
| +#    actions: ["push", "pull"]
 | |
| +#    comment: "Users can push to the shared namespace of any group they are in"
 | |
| +#  - match: {name: "${labels:project}/*"}
 | |
| +#    actions: ["push", "pull"]
 | |
| +#    comment: "Users can push to any project they are assigned to"
 | |
| +#  - match: {name: "${labels:project}-{labels:tier}/*"}
 | |
| +#    actions: ["push", "pull"]
 | |
| +#    comment: "Users can push to a project-tier/* that they are assigned to"
 | |
| +#  - match: {labels: {"title": "Developer"}}
 | |
| +#    actions: ["*"]
 | |
| +#    comment: "If you call yourself a developer you can do anything (this ACL is an example for LDAP labels as defined above)"
 | |
| +#  - match: {labels: {"groups": "Admin"}}
 | |
| +#    actions: ["push"]
 | |
| +#    comment: "If you are part of the admin group you can push. (this ACL is an example for LDAP labels as defined above)"
 | |
| +#  # Access is denied by default.
 | |
| +#
 | |
| +## (optional) Define to query ACL from a MongoDB server.
 | |
| +#acl_mongo:
 | |
| +#  # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
 | |
| +#  dial_info:
 | |
| +#    # The MongoDB hostnames or IPs to connect to.
 | |
| +#    addrs: ["localhost"]
 | |
| +#    # The time to wait for a server to respond when first connecting and on
 | |
| +#    # follow up operations in the session. If timeout is zero, the call may
 | |
| +#    # block forever waiting for a connection to be established.
 | |
| +#    # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
 | |
| +#    timeout: "10s"
 | |
| +#    # Database name that will be used on the MongoDB server.
 | |
| +#    database: "docker_auth"
 | |
| +#    # The username with which to connect to the MongoDB server.
 | |
| +#    username: ""
 | |
| +#    # Path to the text file with the password in it.
 | |
| +#    password_file: ""
 | |
| +#    # Enable TLS connection to MongoDB (only enable this if your server supports it)
 | |
| +#    enable_tls: false
 | |
| +#  # Name of the collection in which ACLs will be stored in MongoDB.
 | |
| +#  collection: "acl"
 | |
| +#  # Specify how long an ACL remains valid before they will be fetched again from
 | |
| +#  # the MongoDB server.
 | |
| +#  # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
 | |
| +#  cache_ttl: "1m"
 | |
| +#
 | |
| +## (optional) Define to query ACL from a XORM.io database connection.
 | |
| +#acl_xorm:
 | |
| +#  # the database type you'd like to connect to
 | |
| +#  database_type: "mysql"
 | |
| +#  conn_string: "username:password@/database_name?charset=utf8"
 | |
| +#  cache_ttl: "1m"
 | |
| +#
 | |
| +## (optioinal) Use casbin to verify permission
 | |
| +#casbin_authz:
 | |
| +#  model_path: "path/to/model"
 | |
| +#  policy_path: "path/to/csv"
 | |
| +#
 | |
| +## External authorization - call an external progam to authorize user.
 | |
| +## JSON of authz.AuthRequestInfo is passed to command's stdin and exit code is examined.
 | |
| +## 0 - allow, 1 - deny, other - error.
 | |
| +#ext_authz:
 | |
| +#  command: "/usr/local/bin/my_authz"  # Can be a relative path too; $PATH works.
 | |
| +#  args: ["--flag", "--more", "--flags"]
 | |
| +#
 | |
| +## User written authorization plugin - call a user written program to authorize user.
 | |
| +## *authz.AuthRequestInfo is passed to the plugin and expects an authorized set of actions or an error.
 | |
| +## return the set of authorized actions is the user is authorized. Otherwise return nil
 | |
| +#plugin_authz:
 | |
| +#  plugin_path: ""
 | |
|  #
 | |
| -# You can use the following variables from the ticket request in any field:
 | |
| -#  * ${account} - the account name, currently the same as authenticated user's name.
 | |
| -#  * ${service} - the service name, specified by auth.token.service in the registry config.
 | |
| -#  * ${type} - the type of the entity, normally "repository".
 | |
| -#  * ${name} - the name of the repository (i.e. image), e.g. centos.
 | |
| -#  * ${labels:<LABEL>} - tests all values in the list of lables:<LABEL> for the user. Refer to the labels doc for details
 | |
| -acl:
 | |
| -  - match: {ip: "127.0.0.0/8"}
 | |
| -    actions: ["*"]
 | |
| -    comment: "Allow everything from localhost (IPv4)"
 | |
| -  - match: {ip: "::1"}
 | |
| -    actions: ["*"]
 | |
| -    comment: "Allow everything from localhost (IPv6)"
 | |
| -  - match: {ip: "172.17.0.1"}
 | |
| -    actions: ["*"]
 | |
| -    comment: "Allow everything from the local Docker bridge address"
 | |
| -  - match: {account: "admin"}
 | |
| -    actions: ["*"]
 | |
| -    comment: "Admin has full access to everything."
 | |
| -  - match: {account: "test", name: "test-*"}
 | |
| -    actions: ["*"]
 | |
| -    comment: "User \"test\" has full access to test-* images but nothing else. (1)"
 | |
| -  - match: {account: "test"}
 | |
| -    actions: []
 | |
| -    comment: "User \"test\" has full access to test-* images but nothing else. (2)"
 | |
| -  - match: {account: "/.+/", name: "${account}/*"}
 | |
| -    actions: ["*"]
 | |
| -    comment: "Logged in users have full access to images that are in their 'namespace'"
 | |
| -  - match: {account: "/.+/", type: "registry", name: "catalog"}
 | |
| -    actions: ["*"]
 | |
| -    comment: "Logged in users can query the catalog."
 | |
| -  - match: {account: "/.+/"}
 | |
| -    actions: ["pull"]
 | |
| -    comment: "Logged in users can pull all images."
 | |
| -  - match: {account: "", name: "hello-world"}
 | |
| -    actions: ["pull"]
 | |
| -    comment: "Anonymous users can pull \"hello-world\"."
 | |
| -  - match: {account: "/^(.+)@test.com$/", name: "${account:1}/*"}
 | |
| -    actions: []
 | |
| -    comment: "Emit domain part of account to make it a correct repo name"
 | |
| -  - match: {labels: {"group": "VIP"}}
 | |
| -    actions: ["push"]
 | |
| -    comment: "Users assigned to group 'VIP' is able to push"
 | |
| -  - match: {labels: {"group": "/trainee|dev/"}}
 | |
| -    actions: ["push", "pull"]
 | |
| -    comment: "Users assigned to group 'trainee' and 'dev' is able to push and pull"
 | |
| -  - match: {name: "${labels:group}-shared/*"}
 | |
| -    actions: ["push", "pull"]
 | |
| -    comment: "Users can push to the shared namespace of any group they are in"
 | |
| -  - match: {name: "${labels:project}/*"}
 | |
| -    actions: ["push", "pull"]
 | |
| -    comment: "Users can push to any project they are assigned to"
 | |
| -  - match: {name: "${labels:project}-{labels:tier}/*"}
 | |
| -    actions: ["push", "pull"]
 | |
| -    comment: "Users can push to a project-tier/* that they are assigned to"
 | |
| -  - match: {labels: {"title": "Developer"}}
 | |
| -    actions: ["*"]
 | |
| -    comment: "If you call yourself a developer you can do anything (this ACL is an example for LDAP labels as defined above)"
 | |
| -  - match: {labels: {"groups": "Admin"}}
 | |
| -    actions: ["push"]
 | |
| -    comment: "If you are part of the admin group you can push. (this ACL is an example for LDAP labels as defined above)"
 | |
| -  # Access is denied by default.
 | |
| -
 | |
| -# (optional) Define to query ACL from a MongoDB server.
 | |
| -acl_mongo:
 | |
| -  # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
 | |
| -  dial_info:
 | |
| -    # The MongoDB hostnames or IPs to connect to.
 | |
| -    addrs: ["localhost"]
 | |
| -    # The time to wait for a server to respond when first connecting and on
 | |
| -    # follow up operations in the session. If timeout is zero, the call may
 | |
| -    # block forever waiting for a connection to be established.
 | |
| -    # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
 | |
| -    timeout: "10s"
 | |
| -    # Database name that will be used on the MongoDB server.
 | |
| -    database: "docker_auth"
 | |
| -    # The username with which to connect to the MongoDB server.
 | |
| -    username: ""
 | |
| -    # Path to the text file with the password in it.
 | |
| -    password_file: ""
 | |
| -    # Enable TLS connection to MongoDB (only enable this if your server supports it)
 | |
| -    enable_tls: false
 | |
| -  # Name of the collection in which ACLs will be stored in MongoDB.
 | |
| -  collection: "acl"
 | |
| -  # Specify how long an ACL remains valid before they will be fetched again from
 | |
| -  # the MongoDB server.
 | |
| -  # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
 | |
| -  cache_ttl: "1m"
 | |
| -
 | |
| -# (optional) Define to query ACL from a XORM.io database connection.
 | |
| -acl_xorm:
 | |
| -  # the database type you'd like to connect to
 | |
| -  database_type: "mysql"
 | |
| -  conn_string: "username:password@/database_name?charset=utf8"
 | |
| -  cache_ttl: "1m"
 | |
| -
 | |
| -# (optioinal) Use casbin to verify permission
 | |
| -casbin_authz:
 | |
| -  model_path: "path/to/model"
 | |
| -  policy_path: "path/to/csv"
 | |
| -
 | |
| -# External authorization - call an external progam to authorize user.
 | |
| -# JSON of authz.AuthRequestInfo is passed to command's stdin and exit code is examined.
 | |
| -# 0 - allow, 1 - deny, other - error.
 | |
| -ext_authz:
 | |
| -  command: "/usr/local/bin/my_authz"  # Can be a relative path too; $PATH works.
 | |
| -  args: ["--flag", "--more", "--flags"]
 | |
| -
 | |
| -# User written authorization plugin - call a user written program to authorize user.
 | |
| -# *authz.AuthRequestInfo is passed to the plugin and expects an authorized set of actions or an error.
 | |
| -# return the set of authorized actions is the user is authorized. Otherwise return nil
 | |
| -plugin_authz:
 | |
| -  plugin_path: ""
 | |
| -
 |