Project

Profile

Help

Story #4938

closed

As a user i can pull content from an authenticated Pulp registry

Added by ipanova@redhat.com over 5 years ago. Updated almost 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
Yes
Sprint Candidate:
No
Tags:
Pulp 3 docker blocker
Sprint:
Sprint 61
Quarter:

Description

We need to add auth mechanism to Pulp registry - basic or token based.

This ticket will be complete when a token based auth mechanism will be added.

Basic auth mechanism will be solved in a separate ticket.


1. Create a separate endpoint for accessing a token server. It might be something similar to "https://auth.docker.io/token" (localhost:port/token). A new app route will be required to add in the file content.py (https://github.com/pulp/pulp_docker/blob/82380e7c8cd8af2ead0f996d2950b9ab511221ad/pulp_docker/app/content.py#L3).

An HTTP GET request for the token server will be created when a registry requires authorization. In our case, this is going to happen every single time. Users are not managed by a centralized access control yet. However, requests contain information about users in Basic Auth Header (username:password). If there is not used any authorization at all, the username will be set to "anonymous".

While generating a token, it is required to pass a username and a secret key to the token generator. The secret key can be stored in a file system and fetched during the generation. The username can be retrieved from Basic Auth Header ("sub": "real_user_name", where real_user_name is passed via Basic Auth Header). The password of the user will be ignored. The username will be always empty ("sub": ""; from the docs: "This should be empty (`""`) if the client did not authenticate."). An authentication of users is not handled by this issue. See the issue https://pulp.plan.io/issues/5338 to learn more.

2. If the user is attempting to access a permitted scope, the token server generates an implementation specific token and returns it in a response.

HTTP/1.1 200 OK
Content-Type: application/json

{"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlBZWU86VEVXVTpWN0pIOjI2SlY6QVFUWjpMSkMzOlNYVko6WEdIQTozNEYyOjJMQVE6WlJNSzpaN1E2In0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJqbGhhd24iLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuY29tIiwiZXhwIjoxNDE1Mzg3MzE1LCJuYmYiOjE0MTUzODcwMTUsImlhdCI6MTQxNTM4NzAxNSwianRpIjoidFlKQ08xYzZjbnl5N2tBbjBjN3JLUGdiVjFIMWJGd3MiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6InNhbWFsYmEvbXktYXBwIiwiYWN0aW9ucyI6WyJwdXNoIl19XX0.QhflHPfbd6eVF4lM9bwYpFZIV0PfikbyXuLx959ykRTBpe3CYnzs6YBK8FToVb5R47920PVLrh8zuLzdCr9t3w", "expires_in": 3600,"issued_at": "2009-11-10T23:00:00Z"}

To generate a token, the library PyJWT (https://pypi.org/project/PyJWT/) can be used. The generated token will be then used by a client in subsequent requests. The registry will proceed further with authenticated pull/push calls along with the bearer token.

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkJWM0Q6MkFWWjpVQjVaOktJQVA6SU5QTDo1RU42Ok40SjQ6Nk1XTzpEUktFOkJWUUs6M0ZKTDpQT1RMIn0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJCQ0NZOk9VNlo6UUVKNTpXTjJDOjJBVkM6WTdZRDpBM0xZOjQ1VVc6NE9HRDpLQUxMOkNOSjU6NUlVTCIsImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5jb20iLCJleHAiOjE0MTUzODczMTUsIm5iZiI6MTQxNTM4NzAxNSwiaWF0IjoxNDE1Mzg3MDE1LCJqdGkiOiJ0WUpDTzFjNmNueXk3a0FuMGM3cktQZ2JWMUgxYkZ3cyIsInNjb3BlIjoiamxoYXduOnJlcG9zaXRvcnk6c2FtYWxiYS9teS1hcHA6cHVzaCxwdWxsIGpsaGF3bjpuYW1lc3BhY2U6c2FtYWxiYTpwdWxsIn0.Y3zZSwaZPqy4y9oRBVRImZyv3m_S9XDHF1tWwN7mL52C_IiA73SJkWVNsvNqpJIn5h7A2F8biv_S2ppQ1lgkbw

It is possible to utilize the deleted implementation of JWT https://github.com/pulp/pulpcore/commit/9df430aa7511d5a66927b2b67d02997f18a694b6. It was deleted because there was a no viable use case for the that.

References:
https://docs.docker.com/registry/spec/auth/jwt/
https://docs.docker.com/registry/spec/auth/oauth/
https://docs.docker.com/registry/spec/auth/token/
https://access.redhat.com/articles/3560571
https://steelkiwi.com/blog/jwt-authorization-python-part-1-practise/


Related issues

Related to Container Support - Story #5338: As a user I have a token server that manages a user access controlCLOSED - CURRENTRELEASE

Actions
Actions #1

Updated by ipanova@redhat.com over 5 years ago

  • Project changed from Pulp to Docker Support
Actions #2

Updated by lmjachky over 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky
Actions #3

Updated by ipanova@redhat.com over 5 years ago

  • Subject changed from As a user i can push and pull content from an authenticated Pulp registry to As a user i can pull content from an authenticated Pulp registry
  • Description updated (diff)
  • Status changed from ASSIGNED to NEW
  • Assignee deleted (lmjachky)
Actions #4

Updated by ipanova@redhat.com over 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky
Actions #5

Updated by ipanova@redhat.com over 5 years ago

  • Sprint set to Sprint 57
Actions #6

Updated by lmjachky over 5 years ago

  • Description updated (diff)
  • Groomed changed from No to Yes
Actions #7

Updated by lmjachky over 5 years ago

  • Groomed changed from Yes to No
Actions #8

Updated by lmjachky about 5 years ago

  • Related to Story #5338: As a user I have a token server that manages a user access control added
Actions #9

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #10

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #11

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #12

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #13

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #14

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #15

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #16

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #17

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #18

Updated by lmjachky about 5 years ago

  • Description updated (diff)
Actions #19

Updated by ipanova@redhat.com about 5 years ago

  • Description updated (diff)
  • Groomed changed from No to Yes
Actions #20

Updated by rchan about 5 years ago

  • Sprint changed from Sprint 57 to Sprint 58
Actions #21

Updated by lmjachky about 5 years ago

  • Status changed from ASSIGNED to POST
Actions #22

Updated by rchan about 5 years ago

  • Sprint changed from Sprint 58 to Sprint 59
Actions #23

Updated by rchan about 5 years ago

  • Sprint changed from Sprint 59 to Sprint 60
Actions #24

Updated by ipanova@redhat.com about 5 years ago

  • Tags Pulp 3 docker blocker added
Actions #25

Updated by rchan about 5 years ago

  • Sprint changed from Sprint 60 to Sprint 61

Added by Lubos Mjachky about 5 years ago

Revision 28ceb135 | View on GitHub

Add a support for Bearer token authentication

closes #4938 https://pulp.plan.io/issues/4938

Added by Lubos Mjachky about 5 years ago

Revision 28ceb135 | View on GitHub

Add a support for Bearer token authentication

closes #4938 https://pulp.plan.io/issues/4938

Added by Lubos Mjachky about 5 years ago

Revision 28ceb135 | View on GitHub

Add a support for Bearer token authentication

closes #4938 https://pulp.plan.io/issues/4938

Added by Lubos Mjachky about 5 years ago

Revision 28ceb135 | View on GitHub

Add a support for Bearer token authentication

closes #4938 https://pulp.plan.io/issues/4938

Actions #26

Updated by Anonymous about 5 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Applied in changeset commit:pulp_docker|28ceb135340f40a67741fffc7551287774182d4f.

Actions #27

Updated by ipanova@redhat.com about 5 years ago

  • Project changed from Docker Support to Container Support
Actions #28

Updated by ipanova@redhat.com almost 5 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions #29

Updated by ipanova@redhat.com almost 5 years ago

  • Sprint/Milestone set to 1.0.0

Also available in: Atom PDF