Story #5796

Need a setting to disable token authentication for container registry

Added by iballou almost 2 years ago. Updated over 1 year ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: Katello
Sprint: Sprint 63
Quarter:

Description

We would like to disable token authentication so Katello can continue taking care of authentication itself.

Associated revisions

Revision b9f22094
Added by Lubos Mjachky almost 2 years ago

Enable users to disable the token authentication

closes #5796 https://pulp.plan.io/issues/5796

Revision be3b1782
Added by Lubos Mjachky almost 2 years ago

Enable users to disable the token authentication

closes #5796 https://pulp.plan.io/issues/5796

(cherry picked from commit b9f22094ca1c9c517a774f3b450523ed46a657d7)

History

#1 Updated by lmjachky almost 2 years ago

I am attaching the conversation which took place a few months ago (2019-09-09) over IRC.

(03:04:06 PM) dkliban: i think we should enable token auth by default
(03:06:48 PM) lmjachky: thank you, I am going to take a look at that :)
(03:07:05 PM) lmjachky: ipanova proposed to let the token auth disabled by default
(03:07:20 PM) bherring: Ah. gotcha
(03:07:30 PM) bherring: My bad. Mis-tell.
(03:08:34 PM) ipanova: dkliban: yeah, imo it makes sense to leave this no auth by default and if it is desired additional config can be added to add token auth
(03:09:00 PM) jcalla [jcallaha@nat/redhat/x-slfvsjkbzcdajugu] entered the room.
(03:11:11 PM) dkliban: ipanova: and this turns on auth for all docker content?
(03:12:00 PM) dkliban: in file and rpm we provide content guards that enable user to turn on content protection at the distribution level
(03:12:39 PM) dkliban: i am wondering if a similar mechanism should be used here
(03:13:27 PM) ipanova: dkliban: it turns on auth on all api endpoints
(03:13:51 PM) ipanova: registry api
(03:15:12 PM) dkliban: ipanova: does the user use pulp3 rest api credentials to get a token?
(03:15:35 PM) dkliban: lmjachky: do you have docs written? perhaps i should just read those
(03:15:52 PM) ipanova: well, from docker perspective the content is not fully protected unless you have rbac, right now we give anonymous token for everyone who asked and content is available to everyone who has anonymous token produced and signed by our registry token server
(03:16:15 PM) dkliban: cool
(03:16:50 PM) ipanova: there is no distinction - i have access to busybox but not to hello-world, i either have access to both of them or none
(03:16:57 PM) dkliban: yeah
(03:18:11 PM) ipanova: so you think it will be beneficial to enable this by default? i have no strong feelings about this
(03:18:29 PM) dkliban: docker clients are designed to work with this
(03:18:37 PM) ipanova: dkliban: i don't think user uses pulp3 rest-api credentials to get the token
(03:18:54 PM) dkliban: that's my understanding also
(03:19:05 PM) dkliban: right now you just get a token if you ask for it
(03:19:12 PM) ipanova: yeah
(03:19:38 PM) dkliban: so i think we should just enable it by default
(03:19:56 PM) dkliban: because the client will be able to use it
(03:20:22 PM) dkliban: and in the future when we add rbac, the token retrieval endpoint will ask for some kind of credentials
(03:20:31 PM) dkliban: depending on what kind of auth backend is connected
(03:24:52 PM) ipanova: also another reason i thought not to enable auth by default was that i have seen other registries that have no auth, like fedora registry, for example
(03:25:14 PM) lmjachky: dkliban: yes, https://github.com/pulp/pulp_docker/pull/412/files#diff-76c460da6b178be6b7501110986f861bR1
(03:25:15 PM) ipanova: but i agree when adding rbac it would be smoother transition
(04:17:09 PM) lmjachky: so, the token authentication has to be enabled
(04:17:11 PM) lmjachky: ?
(04:17:19 PM) ipanova: let's make token auth as default auth dkliban lmjachky
(04:17:27 PM) ipanova: jsherrill: fyi ^
(04:17:48 PM) ipanova: any thoughts on this?

#2 Updated by ipanova@redhat.com almost 2 years ago

We should add a setting in settings.py that will explicitly disable token_auth. For example:

TOKEN_AUTH_DISABLED=True: the presence of this setting, set to True, would not trigger any token generation and, respectively, token verification. The presence of the rest of the settings like token_server, token_alg and private/public keys would not be required and, if present, they would be ignored.

If the setting is present and set to False, or completely missing - we fall back to our default behaviour, where token auth is enabled by default and token_server, token_alg and private/public keys become required.
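The decision logic proposed in this comment, written out as an added example that is not pulp_container's own code. TOKEN_AUTH_DISABLED comes from the comment; the other setting names (TOKEN_SERVER, TOKEN_ALG, PRIVATE_KEY, PUBLIC_KEY), the service name in the challenge and the sample settings are assumptions modelled on the names the comment uses.

```python
# Added example (not pulp_container's own code). Models comment #2: the setting
# TOKEN_AUTH_DISABLED=True turns off token generation and verification and makes
# the other token settings optional; False or missing keeps token auth enabled
# and makes them required. Setting names other than TOKEN_AUTH_DISABLED are assumed.
from typing import Callable, Dict, List, Optional, Tuple

# Settings that become required only when token auth is enabled (assumed names).
TOKEN_SETTINGS = ("TOKEN_SERVER", "TOKEN_ALG", "PRIVATE_KEY", "PUBLIC_KEY")

# Constructed sample settings for stand-alone runs (not a real deployment).
EXAMPLE_SETTINGS = {
    "TOKEN_SERVER": "https://registry.example.test/token/",
    "TOKEN_ALG": "ES256",
    "PRIVATE_KEY": "/etc/pulp/placeholder-private.pem",
    "PUBLIC_KEY": "/etc/pulp/placeholder-public.pem",
}


def token_auth_enabled(settings: Dict[str, object]) -> bool:
    """Present and True disables token auth; False or absent keeps the default (enabled)."""
    return not bool(settings.get("TOKEN_AUTH_DISABLED", False))


def validate_settings(settings: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Return (enabled, missing). When disabled, the other token settings are ignored."""
    if not token_auth_enabled(settings):
        return False, []
    return True, [key for key in TOKEN_SETTINGS if not settings.get(key)]


def registry_gate(settings: Dict[str, object], bearer_token: Optional[str],
                  verify: Callable[[str], bool]) -> Tuple[int, Dict[str, str]]:
    """Decide how a protected registry endpoint answers a request.

    verify(token) stands in for signature checking against PUBLIC_KEY.
    Returns (status, headers): 401 with a Bearer challenge, or 200 (pass through).
    """
    enabled, missing = validate_settings(settings)
    if not enabled:
        # No registry-side auth at all: whatever fronts Pulp (Katello, per the
        # description) must authenticate, or the content is open to everyone.
        return 200, {}
    if missing:
        raise ValueError(f"token auth enabled but settings missing: {missing}")
    if bearer_token and verify(bearer_token):
        return 200, {}
    # Docker clients follow this challenge to fetch a token from TOKEN_SERVER.
    challenge = f'Bearer realm="{settings["TOKEN_SERVER"]}",service="pulp-registry"'
    return 401, {"WWW-Authenticate": challenge}
```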

#3 Updated by ipanova@redhat.com almost 2 years ago

  • Sprint set to Sprint 62

#4 Updated by rchan almost 2 years ago

  • Sprint changed from Sprint 62 to Sprint 63

#5 Updated by lmjachky almost 2 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky

#6 Updated by lmjachky almost 2 years ago

  • Status changed from ASSIGNED to POST

#7 Updated by ipanova@redhat.com almost 2 years ago

  • Tracker changed from Issue to Story
  • % Done set to 0

#8 Updated by ipanova@redhat.com almost 2 years ago

  • Status changed from POST to MODIFIED

#9 Updated by Anonymous almost 2 years ago

  • % Done changed from 0 to 100

#10 Updated by ipanova@redhat.com almost 2 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

#11 Updated by ipanova@redhat.com almost 2 years ago

  • Sprint/Milestone set to 1.0.0

#12 Updated by ggainey over 1 year ago

  • Tags Katello added
  • Tags deleted (Katello-P2)
