Configuration and Permission - enabling anonymousPolicy gives access denied error on push

[cernoel]

Hi,

i have some troubles getting the configuration right, .. i use ko.build to build images und push them to zot, which works really well. But starting with authententication and havingcertain paths (for different projects) and having different users for uploading to these paths give me some headache.

What i want to accomplish is, i want to have an upload - user per project, and in general i want to have anonymous read access to all repos (for deployment). But enabling the anonymous policy in "root" (or "**") under policies, gives me always an "access denied" error on pushing to the repo.

Even when i do not have the root path thing enabled, but enabling it in the subpath itself (/project/**), gives me a access denied error on pushing. So i tried various combinations.

So what works is, having a user bound to a path. But then i have no anoynmous access, or enabling anonymous access, but then not beeing able to upload.

config.json:

...
 "http": {
    "address":"0.0.0.0",
    "port":"443",
    "tls" : {
       "cert": "/etc/zot/server.crt",
       "key": "/etc/zot/server.key"
    },
    "auth": {
      "htpasswd": {
        "path": "/etc/zot/htpasswd"
      },
      "failDelay": 5
    },
    "accessControl": {
      "repositories": {
        "**": {
          "defaultPolicy": ["read"],
          "anonymousPolicy": ["read"]
        },
        "/projectXY/**": {
          "policies": [
            {
              "users": ["upload"],
              "actions": ["read", "create", "update", "delete"]
            }
          ] 
        }
      },
      "adminPolicy": {
        "users": ["admin"],
        "actions": ["read", "create", "update", "delete"]
      }
    }
  },
...

docker-compose.yaml

services:
  zot:
    image: ghcr.io/project-zot/zot-linux-amd64:v2.0.0-rc6 

    container_name: zot

    restart: unless-stopped

    ports:
      - 443:443

    expose:
      - 80
      - 443

    volumes:
      - ./logs:/logs
      - ./data:/data
      - ./config.json:/etc/zot/config.json:ro
      - ./htpasswd:/etc/zot/htpasswd:ro
      - ./certs/server.key:/etc/zot/server.key:ro
      - ./certs/server.crt:/etc/zot/server.crt:ro

Thank you for any hint, have a nice day!

[eusebiu-constantin-petu-dbk]

Hello @cernoel,

You get denied when pushing with upload user because of the "/" in "/project/" (make it "project/")
For anonymous read access on all repos, you should put "anonymousPolicy": ["read"] under every repo pattern.

Let me know if it helps.

[cernoel]

yeah this works, thank you!