Image pull fails when repository answers with optional unsupported WWW-Authenticate header #4187
kosi2801 pushed a commit to kosi2801/jib that referenced this issue, Feb 16, 2024: …rs (GoogleContainerTools#4187) * fix: try all authenticate methods from the `WWW-Authenticate` response header until one succeeds
kosi2801 added a commit to kosi2801/jib that referenced this issue, Feb 16, 2024: …rs (GoogleContainerTools#4187) * fix: try all authenticate methods from the `WWW-Authenticate` response header until one succeeds
kosi2801 added a commit to kosi2801/jib that referenced this issue, Feb 28, 2024: …rs (GoogleContainerTools#4187) * fix: try all authenticate methods from the `WWW-Authenticate` response header until one succeeds
Environment:
Description of the issue:
Our Docker repository supports Basic Auth as an authentication method, which has worked well for quite some time now. Recently, because of network change reasons, the server also offers NTLM/Kerberos authentication.
Unfortunately the jib-maven-plugin now fails when trying to download an image with:
Failed to authenticate with registry xyz.registry/xyz-image because: 'Bearer' was not found in the 'WWW-Authenticate' header, tried to parse: Negotiate
Tracing the network communication shows the following response from the Docker server that clearly contains a Basic Auth possibility:
Changing back the configuration so that only a "Basic" authentication is contained in the response header makes everything work again properly.
The problem seems to be that all retrievals in the code for the "WWW-Authenticate" header only fetch the first occurrence, like
`ex.getHttpResponseException().getHeaders().getAuthenticate();`
and ignore all other/later possibilities. If that first authenticate option is not supported by jib, no further attempts to check the other options are made and the whole download fails.
Possibly relevant source locations:
Expected behavior:
The repository authentication should ignore unsupported authentication methods (like "Negotiate") and try the other options if available.
Steps to reproduce:
`WWW-Authenticate` header as first line additional to an already existing `WWW-Authenticate` Basic Auth header (maybe with an nginx-proxy that inserts such headers artificially)
Log output:
Additional Information:
I have prepared a local fix changing the above-mentioned locations in such a way that, if the desired action cannot be performed, it is re-attempted with the next option in the `WWW-Authenticate` headers list. A pull request will be posted shortly.
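A sketch of the behaviour the issue asks for, as an added example (not code from the issue author or from jib): given every `WWW-Authenticate` header value in server order, it keeps the challenges whose scheme the client can answer so the caller can try them in turn. It assumes one challenge per header line and a supported set of Bearer and Basic; the class and method names are hypothetical, and the sample headers are constructed.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

public class ChallengeSelector {
  // Assumption: the schemes this client can answer (the issue mentions Bearer and Basic).
  private static final Set<String> SUPPORTED = Set.of("bearer", "basic");

  /** One parsed challenge: the scheme token plus the raw remainder of the header value. */
  record Challenge(String scheme, String params) {}

  /** Splits "Scheme rest" into its parts; empty for a null or blank header value. */
  static Optional<Challenge> parse(String headerValue) {
    String value = headerValue == null ? "" : headerValue.trim();
    if (value.isEmpty()) {
      return Optional.empty();
    }
    int space = value.indexOf(' ');
    String scheme = space < 0 ? value : value.substring(0, space);
    String params = space < 0 ? "" : value.substring(space + 1).trim();
    return Optional.of(new Challenge(scheme, params));
  }

  /** Returns every supported challenge in server order; unsupported ones are skipped. */
  static List<Challenge> supportedInOrder(List<String> headerValues) {
    return headerValues.stream()
        .map(ChallengeSelector::parse)
        .flatMap(Optional::stream)
        // Authentication scheme names are case-insensitive (RFC 7235).
        .filter(c -> SUPPORTED.contains(c.scheme().toLowerCase(Locale.ROOT)))
        .collect(Collectors.toList());
  }

  public static void main(String[] args) {
    // Constructed sample: an unsupported Negotiate challenge ahead of a Basic one.
    List<String> headers = List.of("Negotiate", "Basic realm=\"registry\"");
    List<Challenge> candidates = supportedInOrder(headers);
    if (candidates.isEmpty()) {
      throw new IllegalStateException("no supported scheme in " + headers);
    }
    // A caller would attempt each candidate in turn until one authenticates.
    candidates.forEach(c -> System.out.println(c.scheme() + " " + c.params()));
  }
}
```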