[RTFACT-17773] Anonymous should be able to download foriegn Layer currently it’s unable due to permissions issues Created: 05/Nov/18  Updated: 12/Jan/20  Resolved: 18/Dec/19

Status: Resolved
Project: Artifactory Binary Repository
Component/s: Docker
Affects Version/s: 6.5.1
Fix Version/s: 6.17.0

Type: Bug Priority: High
Reporter: Batel Tova Assignee: Rotem Kfir
Resolution: Fixed Votes: 1
Labels: QF, QF-P1

Issue Links:
Duplicate
is duplicated by RTFACT-17540 Cannot download foreign layer as anon... Resolved
Sprint: Pam - Quality 7

 Description   

Currently, when downloading images that contain foreign Layers for example (nanoserver:1803) with anonymous user we receives lack of permissions error (when changing the marker) 

[ERROR] (o.a.p.PropertiesServiceImpl:233) - Cannot set 'Properties' on 'docker-hub:microsoft/nanoserver/1803/sha256__32a31079c44768fa8ca61a8ad71b03311b7aceb9d1dd662e25cffc985a3f301c.marker': lacking annotate permissions. - annotate permissions



 Comments   
Comment by Ariel Kabov [ 12/Nov/18 ]

Workaround:
Grant anonymous user annotate permissions on the docker remote repositories.

Comment by Scott Mosher [ 10/Dec/18 ]

2018-12-10 18:46:31,203 [http-nio-8081-exec-7] [DEBUG] (o.a.a.d.r.v.r.i.DockerRemoteInterceptor:207) - Docker remote interceptor found sha256 checksum 'a39a73fed5c0cb2d8b5f21395f5f92d329cf60dbdd98f4bcb988e5c8d77923f8' from Docker-Content-Digest header for path docker-remote/microsoft/nanoserver/1803/manifest.json
2018-12-10 18:46:31,276 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.DockerRemoteTokenProvider:80) - Getting token for {service=registry.docker.io, scope=repository:microsoft/nanoserver:pull, realm=https://auth.docker.io/token}
2018-12-10 18:46:31,402 [http-nio-8081-exec-7] [INFO ] (o.a.r.HttpRepo :411) - docker-remote downloading https://registry-1.docker.io/v2/microsoft/nanoserver/manifests/1803 941 bytes
2018-12-10 18:46:31,424 [http-nio-8081-exec-7] [INFO ] (o.a.r.HttpRepo :424) - docker-remote downloaded https://registry-1.docker.io/v2/microsoft/nanoserver/manifests/1803 941 bytes at 44.77 KB/sec
2018-12-10 18:46:31,431 [http-nio-8081-exec-7] [DEBUG] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:433) - Caching resource docker-remote/microsoft/nanoserver/1803/manifest.json
2018-12-10 18:46:31,432 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:407) - Found Manifest from docker-remote 'v2/microsoft/nanoserver/manifests/1803' found at docker-remote:microsoft/nanoserver/1803/manifest.json cached docker-remote-cache:microsoft/nanoserver/1803/manifest.json
2018-12-10 18:46:31,505 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.DockerRemoteTokenProvider:80) - Getting token for {service=registry.docker.io, scope=repository:microsoft/nanoserver:pull, realm=https://auth.docker.io/token}
2018-12-10 18:46:31,743 [http-nio-8081-exec-7] [DEBUG] (o.a.a.d.r.v.r.i.DockerRemoteInterceptor:172) - Resolved incoming manifest type 'application/vnd.docker.distribution.manifest.v1+prettyjws' for path 'docker-remote/microsoft/nanoserver/1803/list.manifest.json'.
2018-12-10 18:46:31,743 [http-nio-8081-exec-7] [DEBUG] (o.a.a.d.r.v.r.i.DockerRemoteInterceptor:177) - Found schema type application/vnd.docker.distribution.manifest.v1+json, cannot use digest header to validate checksum.
2018-12-10 18:46:31,820 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.DockerRemoteTokenProvider:80) - Getting token for {service=registry.docker.io, scope=repository:microsoft/nanoserver:pull, realm=https://auth.docker.io/token}
2018-12-10 18:46:31,960 [http-nio-8081-exec-7] [INFO ] (o.a.r.HttpRepo :411) - docker-remote downloading https://registry-1.docker.io/v2/microsoft/nanoserver/manifests/1803 1.90 KB
2018-12-10 18:46:31,973 [http-nio-8081-exec-7] [INFO ] (o.a.r.HttpRepo :424) - docker-remote downloaded https://registry-1.docker.io/v2/microsoft/nanoserver/manifests/1803 1.90 KB at 149.15 KB/sec
2018-12-10 18:46:31,979 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:418) - Using manifest from docker-remote:microsoft/nanoserver/1803/manifest.json
2018-12-10 18:46:31,982 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:490) - Using handler from cache
2018-12-10 18:46:32,063 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.DockerRemoteTokenProvider:80) - Getting token for {service=registry.docker.io, scope=repository:microsoft/nanoserver:pull, realm=https://auth.docker.io/token}
2018-12-10 18:46:32,251 [http-nio-8081-exec-7] [DEBUG] (o.a.a.d.r.v.r.i.DockerRemoteInterceptor:216) - Resolved etag header "ee3d136332624be86126800522790720" on response for path docker-remote/microsoft/nanoserver/1803/sha256__30c2db3488a8fda0df147a55d1a8e58ba4cca7137de4aa8197432f8b97e12a38, Using it to validate checksum.
2018-12-10 18:46:32,328 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.DockerRemoteTokenProvider:80) - Getting token for {service=registry.docker.io, scope=repository:microsoft/nanoserver:pull, realm=https://auth.docker.io/token}
2018-12-10 18:46:32,441 [http-nio-8081-exec-7] [INFO ] (o.a.r.HttpRepo :411) - docker-remote downloading https://registry-1.docker.io/v2/microsoft/nanoserver/blobs/sha256:30c2db3488a8fda0df147a55d1a8e58ba4cca7137de4aa8197432f8b97e12a38 797 bytes
2018-12-10 18:46:32,450 [http-nio-8081-exec-7] [INFO ] (o.a.r.HttpRepo :424) - docker-remote downloaded https://registry-1.docker.io/v2/microsoft/nanoserver/blobs/sha256:30c2db3488a8fda0df147a55d1a8e58ba4cca7137de4aa8197432f8b97e12a38 797 bytes at 92.97 KB/sec
2018-12-10 18:46:32,490 [http-nio-8081-exec-7] [ERROR] (o.a.p.PropertiesServiceImpl:233) - Cannot set 'Properties' on 'docker-remote-cache:microsoft/nanoserver/1803/sha256__e46172273a4e4384e1eec7fb01091c828a256ea0f87b30f61381fba9bc511371.marker': lacking annotate permissions.
2018-12-10 18:46:32,497 [http-nio-8081-exec-7] [ERROR] (o.a.p.PropertiesServiceImpl:233) - Cannot set 'Properties' on 'docker-remote-cache:microsoft/nanoserver/1803/sha256__4a6014331730ee68ce3509a509537e270da57c89d160dbf09645f92e43a367f8.marker': lacking annotate permissions.
2018-12-10 18:46:32,500 [http-nio-8081-exec-7] [TRACE] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:507) - Manifest docker-remote 'v2/microsoft/nanoserver/manifests/1803' found and downloaded
2018-12-10 18:46:32,577 [http-nio-8081-exec-9] [TRACE] (o.a.a.d.r.DockerV2AuthenticationFilter:84) - DockerV2AuthenticationFilter path: /api/docker/docker/v2/microsoft/nanoserver/blobs/sha256:30c2db3488a8fda0df147a55d1a8e58ba4cca7137de4aa8197432f8b97e12a38
2018-12-10 18:46:32,593 [http-nio-8081-exec-9] [INFO ] (o.j.r.d.v.r.h.DockerV2LocalRepoHandler:117) - Fetching docker blob 'sha256:30c2db3488a8fda0df147a55d1a8e58ba4cca7137de4aa8197432f8b97e12a38' from repo 'docker-local'
2018-12-10 18:46:32,595 [http-nio-8081-exec-9] [INFO ] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:172) - Fetching docker blob 'sha256:30c2db3488a8fda0df147a55d1a8e58ba4cca7137de4aa8197432f8b97e12a38'
2018-12-10 18:46:32,596 [http-nio-8081-exec-9] [DEBUG] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:689) - Found blob path at docker-remote-cache:microsoft/nanoserver/1803/sha256__30c2db3488a8fda0df147a55d1a8e58ba4cca7137de4aa8197432f8b97e12a38
2018-12-10 18:46:32,675 [http-nio-8081-exec-1] [TRACE] (o.a.a.d.r.DockerV2AuthenticationFilter:84) - DockerV2AuthenticationFilter path: /api/docker/docker/v2/microsoft/nanoserver/blobs/sha256:e46172273a4e4384e1eec7fb01091c828a256ea0f87b30f61381fba9bc511371
2018-12-10 18:46:32,678 [http-nio-8081-exec-6] [TRACE] (o.a.a.d.r.DockerV2AuthenticationFilter:84) - DockerV2AuthenticationFilter path: /api/docker/docker/v2/microsoft/nanoserver/blobs/sha256:4a6014331730ee68ce3509a509537e270da57c89d160dbf09645f92e43a367f8
2018-12-10 18:46:32,685 [http-nio-8081-exec-1] [INFO ] (o.j.r.d.v.r.h.DockerV2LocalRepoHandler:117) - Fetching docker blob 'sha256:e46172273a4e4384e1eec7fb01091c828a256ea0f87b30f61381fba9bc511371' from repo 'docker-local'
2018-12-10 18:46:32,687 [http-nio-8081-exec-1] [INFO ] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:172) - Fetching docker blob 'sha256:e46172273a4e4384e1eec7fb01091c828a256ea0f87b30f61381fba9bc511371'
2018-12-10 18:46:32,687 [http-nio-8081-exec-6] [INFO ] (o.j.r.d.v.r.h.DockerV2LocalRepoHandler:117) - Fetching docker blob 'sha256:4a6014331730ee68ce3509a509537e270da57c89d160dbf09645f92e43a367f8' from repo 'docker-local'
2018-12-10 18:46:32,688 [http-nio-8081-exec-1] [DEBUG] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:689) - Could not find existing blob for sha256__e46172273a4e4384e1eec7fb01091c828a256ea0f87b30f61381fba9bc511371
2018-12-10 18:46:32,689 [http-nio-8081-exec-6] [INFO ] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:172) - Fetching docker blob 'sha256:4a6014331730ee68ce3509a509537e270da57c89d160dbf09645f92e43a367f8'
2018-12-10 18:46:32,692 [http-nio-8081-exec-6] [DEBUG] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:689) - Could not find existing blob for sha256__4a6014331730ee68ce3509a509537e270da57c89d160dbf09645f92e43a367f8
2018-12-10 18:46:32,768 [http-nio-8081-exec-1] [TRACE] (o.a.a.d.r.DockerRemoteTokenProvider:80) - Getting token for {service=registry.docker.io, scope=repository:microsoft/nanoserver:pull, realm=https://auth.docker.io/token}
2018-12-10 18:46:32,908 [http-nio-8081-exec-6] [TRACE] (o.a.a.d.r.DockerRemoteTokenProvider:80) - Getting token for {service=registry.docker.io, scope=repository:microsoft/nanoserver:pull, realm=https://auth.docker.io/token}

Comment by Scott Mosher [ 10/Dec/18 ]

Have enabled debug loggers on this instance:

http://mill.jfrog.info:12303/artifactory

Please let us know if more info is needed

Generated at Wed Apr 08 09:41:46 UTC 2020 using Jira 8.5.3#805003-sha1:b4933e02eaff29a49114274fe59e1f99d9d963d7.