Authentication for the registry can be handled by either the registry itself, LDAP, Keystone, or external JWT endpoint.
Additional external authentication providers (such as GitHub) can be used in addition for login into the UI.
It is
highly recommended to require encrypted client passwords. External passwords used in the Docker client will be stored in
plaintext!
Enable this requirement now.
Note: The "Require Encrypted Client Passwords" feature is currently enabled which will
prevent passwords from being saved as plaintext by the Docker client.
Authentication: |
|
Team synchronization: |
Enable Team Synchronization Support
If enabled, organization administrators who are also superusers can set teams to have their membership synchronized with a backing group in {{ config.AUTHENTICATION_TYPE }}.
|
Resynchronization duration: |
The duration before a team must be re-synchronized. Must be expressed in a duration string form: 30m , 1h , 1d .
|
Self-service team syncing setup: |
If enabled, this feature will allow *any organization administrator* to read the membership of any {{ config.AUTHENTICATION_TYPE }} group.
Allow non-superusers to enable and manage team syncing
If enabled, non-superusers will be able to enable and manage team sycning on teams under organizations in which they are administrators.
|
Keystone API Version: |
|
Keystone Authentication URL: |
The URL (starting with http or https) of the Keystone Server endpoint for auth.
|
Keystone Administrator Username: |
The username for the Keystone admin.
|
Keystone Administrator Password: |
The password for the Keystone admin.
|
Keystone Administrator Tenant: |
The tenant (project/group) that contains the administrator user.
|
JSON Web Token authentication allows your organization to provide an HTTP endpoint that
verifies user credentials on behalf of
.
Documentation
on the API required can be found here:
https://github.com/coreos/jwt-auth-example.
Authentication Issuer: |
The id of the issuer signing the JWT token. Must be unique to your organization.
|
Public Key: |
A certificate containing the public key portion of the key pair used to sign
the JSON Web Tokens. This file must be in PEM format.
|
User Verification Endpoint: |
The URL (starting with http or https) on the JWT authentication server for verifying username and password credentials.
Credentials will be sent in the Authorization header as Basic Auth, and this endpoint should return 200 OK on success (or a 4** otherwise).
|
User Query Endpoint: |
The URL (starting with http or https) on the JWT authentication server for looking up
users based on a prefix query. This is optional.
The prefix query will be sent as a query parameter with name query .
|
User Lookup Endpoint: |
The URL (starting with http or https) on the JWT authentication server for looking up
a user by username or email address.
The username or email address will be sent as a query parameter with name username .
|
LDAP URI: |
The full LDAP URI, including the ldap:// or ldaps:// prefix.
|
Base DN: |
A Distinguished Name path which forms the base path for looking up all LDAP records.
Example: dc=my,dc=domain,dc=com
|
User Relative DN: |
A Distinguished Name path which forms the base path for looking up all user LDAP records,
relative to the Base DN defined above.
Example: ou=employees
|
Secondary User Relative DNs: |
A list of Distinguished Name path(s) which forms the secondary base path(s) for
looking up all user LDAP records, relative to the Base DN defined above. These path(s)
will be tried if the user is not found via the primary relative DN.
Example: [ou=employees]
|
Administrator DN: |
The Distinguished Name for the Administrator account. This account must be able to login and view the records for all user accounts.
Example: uid=admin,ou=employees,dc=my,dc=domain,dc=com
|
Administrator DN Password: |
Note: This will be stored in
plaintext inside the config.yaml, so setting up a dedicated account or using
a password hash is highly recommended.
The password for the Administrator DN.
|
UID Attribute: |
The name of the property field in your LDAP user records that stores your
users' username. Typically "uid".
|
Mail Attribute: |
The name of the property field in your LDAP user records that stores your
users' e-mail address(es). Typically "mail".
|
Custom TLS Certificate: |
If specified, the certificate (in PEM format) for the LDAP TLS connection.
|
Allow insecure: |
Allow fallback to non-TLS connections
If enabled, LDAP will fallback to insecure non-TLS connections if TLS does not succeed.
|