Open
Description
I suggest responding with HTTP 401 WWW-Authenticate when a user is defined but has no ACL for the requested action. Currently the server responds with an "empty actions" token, and it confuses some web UIs like joxit/docker-registry-ui.
Example config:
```yaml
users:
  admin:
    password: "$2y$05$***"
  "": {}
acl:
  - match: { account: "admin", ip: "10.0.0.0/8" }
    actions: ["*"]
    comment: "Admin has full access to everything."
  - match: { account: "", type: "registry", name: "catalog" }
    actions: ["*"]
    comment: "Anonymous user can query the registry"
  - match: { account: "" }
    actions: ["pull"]
    comment: "Anonymous user can pull"
```
When the auth server receives a request for the delete action but the anonymous user has no ACL defined for it, it responds with an "empty actions" token instead of requesting a username and password.
Related to: #248
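
The decision the issue asks for, sketched in Go against the example config above. This is an added example, not code from the issue or from the auth server: `rule`, `matches` and `Decide` are hypothetical names, the IP addresses are constructed, and it assumes the first matching ACL entry decides, names match exactly (no globs), and the 401 applies only to the anonymous account.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

type rule struct {
	account, cidr, typ, name string // empty cidr, typ or name: unconstrained
	actions                  []string
}

// The three acl entries from the example config in the issue.
var acl = []rule{
	{account: "admin", cidr: "10.0.0.0/8", actions: []string{"*"}},
	{account: "", typ: "registry", name: "catalog", actions: []string{"*"}},
	{account: "", actions: []string{"pull"}},
}

func (r rule) matches(account, ip, typ, name string) bool {
	_, n, err := net.ParseCIDR(r.cidr)
	inNet := r.cidr == "" || (err == nil && n.Contains(net.ParseIP(ip)))
	return inNet && r.account == account && (r.typ == "" || r.typ == typ) && (r.name == "" || r.name == name)
}

// Decide: HTTP status and granted actions. Assumes first matching rule decides, exact names.
func Decide(account, ip, typ, name string, requested []string) (int, []string) {
	granted := []string{}
	for _, r := range acl {
		if !r.matches(account, ip, typ, name) {
			continue
		}
		for _, want := range requested {
			for _, a := range r.actions {
				if a == "*" || a == want {
					granted = append(granted, want)
					break
				}
			}
		}
		break
	}
	if account == "" && len(requested) > 0 && len(granted) == 0 {
		return http.StatusUnauthorized, nil // proposed: 401 with WWW-Authenticate
	}
	return http.StatusOK, granted // token issued; may carry an empty action list
}

func main() { fmt.Println(Decide("", "192.0.2.7", "repository", "app", []string{"delete"})) }
```

A mixed request such as `pull,delete` from the anonymous account still gets a token, limited to `pull`; only a request where nothing is granted triggers the challenge.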