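Docker Registry + docker_auth with MongoDB storage

Copyright notice: this is the blogger's original article and may not be reposted without the blogger's permission. https://blog.csdn.net/qq_21398167/article/details/54616186

There are already many articles online about using static users and ACLs directly, so I won't describe that again here.

This article is aimed at readers who already know how to configure static users and static ACLs and now want to switch to MongoDB storage; otherwise it may be hard to follow.

It mainly records the problems I ran into when using MongoDB to store users and ACLs, so that I can refer back to them later.

Reference: https://github.com/cesanta/docker_auth/blob/master/docs/Backend_MongoDB.md

1. docker pull the mongo image to the local machine and start it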

docker run --name mongo-acl -d mongo

2. Create reference_acl.json

{"seq": 10, "match" : {"account" : "admin"}, "actions" : ["*"], "comment" : "Admin has full access to everything."}
{"seq": 20, "match" : {"account" : "test", "name" : "test-*"}, "actions" : ["*"], "comment" : "User \"test\" has full access to test-* images but nothing else. (1)"}
{"seq": 30, "match" : {"account" : "test"}, "actions" : [], "comment" : "User \"test\" has full access to test-* images but nothing else. (2)"}
{"seq": 40, "match" : {"account" : "/.+/"}, "actions" : ["pull"], "comment" : "All logged in users can pull all images."}
{"seq": 50, "match" : {"account" : "/.+/", "name" : "${account}/*"}, "actions" : ["*"], "comment" : "All logged in users can push all images that are in a namespace beginning with their name"}
{"seq": 60, "match" : {"account" : "", "name" : "hello-world"}, "actions" : ["pull"], "comment" : "Anonymous users can pull \"hello-world\"."}


3. On CentOS, import it directly

MONGO_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mongo-acl)
mongoimport --host $MONGO_IP --db docker_auth --collection acl < reference_acl.json
Enter the database to check whether the import succeeded

Enter the docker container

and run mongo directly

use docker_auth
show tables
db.acl.find()

Manually delete rules

db.acl.remove({})          // delete all rules
db.acl.remove({seq:10})    // delete the rules that match
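
An added example, not from the original post or the docker_auth project: a simplified Python model of how the rules in reference_acl.json decide a request, assuming docker_auth sorts entries by seq and lets the first matching entry decide. The matching helper, the function names and the probe requests are constructed for illustration.

```python
import json
import re

# seq/match/actions of the six rules in reference_acl.json above (comments dropped).
RULES = [json.loads(line) for line in r'''
{"seq": 10, "match": {"account": "admin"}, "actions": ["*"]}
{"seq": 20, "match": {"account": "test", "name": "test-*"}, "actions": ["*"]}
{"seq": 30, "match": {"account": "test"}, "actions": []}
{"seq": 40, "match": {"account": "/.+/"}, "actions": ["pull"]}
{"seq": 50, "match": {"account": "/.+/", "name": "${account}/*"}, "actions": ["*"]}
{"seq": 60, "match": {"account": "", "name": "hello-world"}, "actions": ["pull"]}
'''.strip().splitlines()]

def field_matches(pattern, value, account):
    """Assumed matching: /regex/ is searched; anything else is a glob where * stops at '/'."""
    pattern = pattern.replace("${account}", account)
    if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], value) is not None
    glob = re.escape(pattern).replace(r"\*", "[^/]*")
    return re.fullmatch(glob, value) is not None

def decide(account, name, requested, rules=RULES):
    """Return (seq of the deciding rule, granted actions); first match in seq order wins."""
    request = {"account": account, "name": name}
    for rule in sorted(rules, key=lambda r: r["seq"]):
        if all(field_matches(p, request[f], account) for f, p in rule["match"].items()):
            if rule["actions"] == ["*"]:
                return rule["seq"], list(requested)
            return rule["seq"], [a for a in requested if a in rule["actions"]]
    return None, []  # no rule matched: nothing is granted

def unreachable(rules, probes):
    """Rules that decide none of the probe requests (candidates for shadowing)."""
    hit = {decide(*p, rules=rules)[0] for p in probes}
    return [r["seq"] for r in rules if r["seq"] not in hit]

# Constructed probe requests: (account, image name, requested actions).
PROBES = [
    ("admin", "any/image", ["pull", "push"]),
    ("test", "test-app", ["pull", "push"]),
    ("test", "other-app", ["pull"]),
    ("alice", "alice/app", ["pull", "push"]),
    ("", "hello-world", ["pull"]),
]

if __name__ == "__main__":
    for probe in PROBES:
        print(probe, "->", decide(*probe))
    print("rules never reached:", unreachable(RULES, PROBES))
```

Under this model the constructed request from alice to push alice/app is decided by seq 40 and gets pull only, so seq 50 never takes effect; a more specific rule needs a lower seq than the general rule it is meant to override.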

Create a user

db.createCollection("users")
db.users.save({username:'admin',password:'$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC'})

At this point the data in the database is ready.

Configuration files

auth_config.yml
server:  # Server settings.
  addr: ":5001"
  certificate: "/ssl/server.crt"
  key: "/ssl/server.key"

token:  # Settings for the tokens.
  issuer: "Auth Service"
  expiration: 900

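users:
  "": {}  # Anonymous access only works once this is configured here; whether it can be written into the database instead still needs investigation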

mongo_auth:
  dial_info:
    addrs: ["172.17.0.4:27017"]
    timeout: "10s"
    database: "docker_auth"
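    username: ""       # empty: docker_auth connects to MongoDB without credentials
    password_file: ""  # file containing the MongoDB password when username is set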
  collection: "users"

acl_mongo:
  dial_info:
    addrs: ["172.17.0.4:27017"]
    timeout: "10s"
    database: "docker_auth"
    username: ""
    password_file: ""
  collection: "acl"
  cache_ttl: "1m"

docker-registry-config.yml

version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  token:
    realm: https://server144:5001/auth
    service: Docker registry
    issuer: Auth Service
    rootcertbundle: /ssl/server.crt
http:
  addr: 0.0.0.0:5000
  net: tcp
  tls:
    certificate: /ssl/server.crt
    key: /ssl/server.key

Everything else is the same as when using static users.

References

https://github.com/cesanta/docker_auth/issues/69

https://github.com/cesanta/docker_auth/issues/109

https://github.com/cesanta/docker_auth/blob/master/docs/Backend_MongoDB.md


Reposted from blog.csdn.net/qq_21398167/article/details/54616186