docker registry authentication server without tls (useful for using with ELB)
# auth_config.yml
# A simple example. See reference.yml for an explanation of all options.
#
# Matching token auth section of the registry configuration:
#
#  auth:
#    token:
#      realm: "http://127.0.0.1:5001/auth"
#      service: "Docker registry"
#      issuer: "Acme auth server"
#      rootcertbundle: "/path/to/server.pem"
#
# Generate the token signing key and certificate with:
# openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -out server.crt

server:
  addr: ":5001"

token:
  issuer: "Acme auth server"  # Must match issuer in the Registry config.
  expiration: 900
  certificate: "/ssl/server.crt"
  key: "/ssl/server.key"

users:
  # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC"  # badmin
  "test":
    password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya"  # 123

acl:
  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."
  - match: {account: "test"}
    actions: ["pull"]
    comment: "User \"test\" can pull stuff."
  # Access is denied by default.

# Compose file: runs the auth server and the registry side by side.
version: '2.2'
services:
  auth:
    image: cesanta/docker_auth:1
    volumes:
      - ./ssl:/ssl
      - ./auth_config.yml:/auth_config.yml
    command: --v=2 --alsologtostderr /auth_config.yml
    ports:
      - 5001:5001
  registry:
    image: registry:2
    volumes:
      - ./ssl:/ssl
    ports:
      - 5555:5555
    environment:
      - REGISTRY_HTTP_ADDR=:5555
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry
      - REGISTRY_AUTH=token
      - REGISTRY_AUTH_TOKEN_REALM=http://127.0.0.1:5001/auth
      - REGISTRY_AUTH_TOKEN_SERVICE="Docker registry"
      - REGISTRY_AUTH_TOKEN_ISSUER="Acme auth server"
      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/server.crt