Authentication

Configuration Guidance

In some cases in order to docker login and in order to access docker anonymously, you also need to enable the Docker Bearer Token Realm as generally outlined in Realms. This realm is inactive by default.

If access to a repository requires the user to be authenticated, docker will check for authentication access in the .docker/config.json file. If authentication is not found, some actions will prompt for authentication but otherwise a docker login command will be required before the actions can be performed. Typically this is required when anonymous access to the repository manager is disabled or the operation requires authentication.

The docker login command observes the following syntax for the desired repository or repository group:

docker login <nexus-hostname>:<repository-port>

Provide your repository manager credentials of username and password as well as an email address. This authentication is persisted in ~/.docker/config.json and reused for any subsequent interactions against that repository. Individual login operations must be performed for each repository and repository group you want to access in an authenticated manner.

Specifically when planning to push to a repository a preemptive login operation is advisable as it removes the need for use interaction and is therefore suitable for continuous integration server setups and automated scenarios.

Anonymous Read Access

By default when using Nexus Repository Manager, all docker repositories require authentication to be read from using the command line tools regardless of any permissions granted by the Anonymous user (if enabled) or, in the case of proxy repositories, the remotes' settings.  For Docker in NXRM, this can be bypassed on a per repository basis by editing the repository settings and enabling the Allow anonymous docker pull checkbox under the Repository Connectors section shown at the bottom of Figure: "Repository Connectors Configuration including Allow anonymous docker pull".


Figure: Repository Connectors Configuration including Allow anonymous docker pull

The Anonymous user must be enabled and granted read access to the docker repositories.

Each repository must have the Allow anonymous docker pull configuration enabled individually. Enabling this for a group, just allows the anonymous read when utilizing the group connector. If you utilize one of the member connectors, it will use whatever setting it has for that member even if it differs from the group.

Only read settings are affected by this configuration and all other actions on the docker repositories require authentication or lack thereof regardless if this option is on or off.