Story #5796
closed
Need a setting to disable token authentication for container registry
100%
Description
We would like to disable token authentication so Katello can continue taking care of authentication itself.
Updated by lmjachky about 5 years ago
I am attaching the conversation which took place a few months ago (2019-09-09) over IRC.
(03:04:06 PM) dkliban: i think we should enable token auth by default
(03:06:48 PM) lmjachky: thank you, I am going to take a look at that :)
(03:07:05 PM) lmjachky: ipanova proposed to let the token auth disabled by default
(03:07:20 PM) bherring: Ah. gotcha
(03:07:30 PM) bherring: My bad. Mis-tell.
(03:08:34 PM) ipanova: dkliban: yeah, imo it makes sense to leave this no auth by default and if it is desired additional config can be added to add token auth
(03:09:00 PM) jcalla [jcallaha@nat/redhat/x-slfvsjkbzcdajugu] entered the room.
(03:11:11 PM) dkliban: ipanova: and this turns on auth for all docker content?
(03:12:00 PM) dkliban: in file and rpm we provide content guards that enable user to turn on content protection at the distribution level
(03:12:39 PM) dkliban: i am wondering if a similar mechanism should be used here
(03:13:27 PM) ipanova: dkliban: it turns on auth on all api endpoints
(03:13:51 PM) ipanova: registry api
(03:15:12 PM) dkliban: ipanova: does the user use pulp3 rest api credentials to get a token?
(03:15:35 PM) dkliban: lmjachky: do you have docs written? perhaps i should just read those
(03:15:52 PM) ipanova: well, from docker perspective the content is not fully protected unless you have rbac, right now we give anonymous token for everyone who asked and content is available to everyone who has anonymous token produced and signed by our registry token server
(03:16:15 PM) dkliban: cool
(03:16:50 PM) ipanova: there is no distinction - i have access to busybox but not to hello-world, i either have access to both of them or none
(03:16:57 PM) dkliban: yeah
(03:18:11 PM) ipanova: so you think it will be beneficial to enable this by default? i have no strong feelings about this
(03:18:29 PM) dkliban: docker clients are designed to work with this
(03:18:37 PM) ipanova: dkliban: i don't think user uses pulp3 rest-api credentials to get the token
(03:18:54 PM) dkliban: that's my understanding also
(03:19:05 PM) dkliban: right now you just get a token if you ask for it
(03:19:12 PM) ipanova: yeah
(03:19:38 PM) dkliban: so i think we should just enable it by default
(03:19:56 PM) dkliban: because the client will be able to use it
(03:20:22 PM) dkliban: and in the future when we add rbac, the token retrieval endpoint will ask for some kind of credentials
(03:20:31 PM) dkliban: depending on what kind of auth backend is connected
(03:24:52 PM) ipanova: also another reason i thought not to enable auth by default was that i have seen other registries that have no auth, like fedora registry, for example
(03:25:14 PM) lmjachky: dkliban: yes, https://github.com/pulp/pulp_docker/pull/412/files#diff-76c460da6b178be6b7501110986f861bR1
(03:25:15 PM) ipanova: but i agree when adding rbac it would be smoother transition
(04:17:09 PM) lmjachky: so, the token authentication has to be enabled
(04:17:11 PM) lmjachky: ?
(04:17:19 PM) ipanova: let's make token auth as default auth dkliban lmjachky
(04:17:27 PM) ipanova: jsherrill: fyi ^
(04:17:48 PM) ipanova: any thoughts on this?
Updated by ipanova@redhat.com about 5 years ago
We should add a setting in settings.py that will explicitly disable token_auth. For example:
TOKEN_AUTH_DISABLED=True
Presence of this setting, and being set to True, would not trigger any token generation and respectively token verification. Presence of the rest of the settings like token_server, token_alg and private/public keys would not be required, and if present, then ignored.
If the setting is present and set to False, or completely missing - we fall back to our default behaviour, where token auth is enabled by default and token_server, token_alg and private/public keys become required.
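The rules in the comment above, written as a startup check. This is an added example, not code from the issue or from the project: apart from TOKEN_AUTH_DISABLED, the setting names are hypothetical spellings of the ones the comment mentions, and rejecting non-boolean values is an assumption made here so that a string such as "False" cannot switch authentication off by accident.

```python
# Added example. Setting names other than TOKEN_AUTH_DISABLED are hypothetical.
REQUIRED_WHEN_ENABLED = ("TOKEN_SERVER", "TOKEN_ALG", "PRIVATE_KEY_PATH", "PUBLIC_KEY_PATH")


class TokenAuthConfigError(Exception):
    """Raised when the token authentication settings are inconsistent."""


def resolve_token_auth(settings):
    """Return (enabled, token_settings) following the rules in the comment.

    settings is a plain dict standing in for the values loaded from settings.py.
    """
    disabled = settings.get("TOKEN_AUTH_DISABLED", False)
    # Assumption: only a real boolean is accepted. A string such as "False"
    # is truthy in Python and would otherwise disable authentication.
    if not isinstance(disabled, bool):
        raise TokenAuthConfigError(
            "TOKEN_AUTH_DISABLED must be True or False, got %r" % (disabled,)
        )
    if disabled:
        # No token generation or verification; the remaining token
        # settings are not required and are ignored if present.
        return False, {}
    # Missing or False: token auth is on and every related setting is required.
    missing = [name for name in REQUIRED_WHEN_ENABLED if not settings.get(name)]
    if missing:
        raise TokenAuthConfigError(
            "token authentication is enabled but these settings are missing: "
            + ", ".join(missing)
        )
    return True, {name: settings[name] for name in REQUIRED_WHEN_ENABLED}


# Constructed sample configurations.
FULL = {
    "TOKEN_SERVER": "https://registry.example.com/token/",
    "TOKEN_ALG": "ES256",
    "PRIVATE_KEY_PATH": "/etc/example/private.pem",
    "PUBLIC_KEY_PATH": "/etc/example/public.pem",
}
DISABLED = {"TOKEN_AUTH_DISABLED": True, "TOKEN_SERVER": "ignored"}

if __name__ == "__main__":
    print(resolve_token_auth(FULL)[0])
    print(resolve_token_auth(DISABLED))
```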
Updated by lmjachky about 5 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to lmjachky
Added by Lubos Mjachky about 5 years ago
Revision b9f22094 | View on GitHub
Enable users to disable the token authentication
Updated by lmjachky about 5 years ago
- Status changed from ASSIGNED to POST
Updated by ipanova@redhat.com about 5 years ago
- Tracker changed from Issue to Story
- % Done set to 0
Updated by ipanova@redhat.com about 5 years ago
- Status changed from POST to MODIFIED
Added by Lubos Mjachky about 5 years ago
Revision be3b1782 | View on GitHub
Enable users to disable the token authentication
closes #5796 https://pulp.plan.io/issues/5796
(cherry picked from commit b9f22094ca1c9c517a774f3b450523ed46a657d7)
Updated by Anonymous about 5 years ago
- % Done changed from 0 to 100
Applied in changeset be3b1782142efb666f0a4cdfed6462617355f3e3.
Updated by ipanova@redhat.com about 5 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Updated by ggainey over 4 years ago
- Tags Katello added
- Tags deleted (Katello-P2)