Anonymous access returns 401

[mottetm]

Hi there!

I'm trying to set up a registry with read-only anonymous access. My configuration goes as follow:

{
    "storage": {
        "rootDirectory": "/var/lib/zot/data"
    },
    "http": {
        "realm": "zot",
        "address": "0.0.0.0",
        "port": "5000",
        "compat": [
            "docker2s2"
        ],
        "auth": {
            "htpasswd": {
                "path": "/var/lib/zot/htpasswd"
            }
        },
        "accessControl": {
            "metrics": {
                "users": [
                    "hello"
                ]
            },
            "repositories": {
                "**": {
                    "anonymousPolicy": [
                        "read"
                    ],
                    "defaultPolicy": [
                        "read",
                        "create"
                    ]
                }
            }
        }
    },
    "log": {
        "level": "debug"
    },
}

When executing an authenticated request, everything goes well:

# crane manifest localhost:5000/path/to/image:v2
{"level":"info","module":"http","component":"session","clientIP":"127.0.0.1:42976","method":"GET","path":"/v2/","statusCode":401,"latency":"0s","bodySize":266,"headers":{"Accept-Encoding":["gzip"],"User-Agent":["crane/(devel) go-containerregistry/(devel)"],"X-Envoy-Expected-Rq-Timeout-Ms":["15000"],"X-Forwarded-Proto":["http"],"X-Request-Id":["e6c5f659-2c09-4d31-ba9a-a6e19e15c5d1"]},"goroutine":215,"caller":"zotregistry.dev/zot/pkg/api/session.go:137","time":"2025-06-03T09:18:54.377764572Z","message":"HTTP API"}
{"level":"info","identity":"hello","goroutine":215,"caller":"zotregistry.dev/zot/pkg/api/authn.go:141","time":"2025-06-03T09:18:54.445448425Z","message":"user profile successfully set"}
{"level":"info","identity":"hello","goroutine":215,"caller":"zotregistry.dev/zot/pkg/api/authn.go:141","time":"2025-06-03T09:18:54.509713746Z","message":"user profile successfully set"}
{"level":"info","module":"http","username":"hello","component":"session","clientIP":"127.0.0.1:42976","method":"GET","path":"/v2/path/to/image/manifests/v2","statusCode":200,"latency":"0s","bodySize":581,"headers":{"Accept":["application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json"],"Accept-Encoding":["gzip"],"Authorization":["******"],"User-Agent":["crane/(devel) go-containerregistry/(devel)"],"X-Envoy-Expected-Rq-Timeout-Ms":["15000"],"X-Forwarded-Proto":["http"],"X-Request-Id":["eae4d52e-253f-4b3e-947e-ea5e7f4fcc74"]},"goroutine":215,"caller":"zotregistry.dev/zot/pkg/api/session.go:137","time":"2025-06-03T09:18:54.593257251Z","message":"HTTP API"}

Anonymous request on the other hand fail:

# crane manifest localhost:5000/path/to/image:v2
{"level":"info","module":"http","component":"session","clientIP":"127.0.0.1:53948","method":"GET","path":"/v2/","statusCode":401,"latency":"0s","bodySize":266,"headers":{"Accept-Encoding":["gzip"],"User-Agent":["crane/(devel) go-containerregistry/(devel)"],"X-Envoy-Expected-Rq-Timeout-Ms":["15000"],"X-Forwarded-Proto":["http"],"X-Request-Id":["0e4c6e3f-ecb3-4f17-ab85-35153f1e6aeb"]},"goroutine":218,"caller":"zotregistry.dev/zot/pkg/api/session.go:137","time":"2025-06-03T09:19:12.685437289Z","message":"HTTP API"}
{"level":"info","module":"http","component":"session","clientIP":"127.0.0.1:53948","method":"GET","path":"/v2/path/to/image/manifests/v2","statusCode":401,"latency":"0s","bodySize":266,"headers":{"Accept":["application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json"],"Accept-Encoding":["gzip"],"User-Agent":["crane/(devel) go-containerregistry/(devel)"],"X-Envoy-Expected-Rq-Timeout-Ms":["15000"],"X-Forwarded-Proto":["http"],"X-Request-Id":["6b9c7a91-b05f-41af-9510-482470fd4235"]},"goroutine":218,"caller":"zotregistry.dev/zot/pkg/api/session.go:137","time":"2025-06-03T09:19:12.688189356Z","message":"HTTP API"}

Any idea what could be causing the anonymous access to fail?

[andaaron]

This is really strange, as far as I recall we're not supposed to return 401 on /v2 on anonymous if enabled https://github.com/project-zot/zot/blob/main/pkg/api/authn.go#L392
@eusebiu-constantin-petu-dbk, is this correct? I don't recall exactly.

[mottetm]

I've been playing with the code trying to understand what is going on and think I figured it out.

When setting the /metrics endpoint, you add the MetricsAuthzHandler to the base router. This means that it will be called on all incoming request, whether authenticated or anonymous. And since it doesn't allow anonymous access, then it returns the 401.

[mottetm]

Consequently, I can fix the issue by disabling the metrics extension. But this is definitely a bug...

[rchincha]

This has been converted to an issue.
#3182
Let's continue the discussion there.