Project

Profile

Help

Story #5796

closed

Need a setting to disable token authentication for container registry

Added by iballou about 3 years ago. Updated over 2 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Katello
Sprint:
Sprint 63
Quarter:

Description

We would like to disable token authentication so Katello can continue taking care of authentication itself.

Actions #1

Updated by lmjachky about 3 years ago

I am attaching the conversation which took place a few months ago (2019-09-09) over IRC.

(03:04:06 PM) dkliban: i think we should enable token auth by default
(03:06:48 PM) lmjachky: thank you, I am going to take a look at that :)
(03:07:05 PM) lmjachky: ipanova proposed to let the token auth disabled by default
(03:07:20 PM) bherring: Ah. gotcha
(03:07:30 PM) bherring: My bad. Mis-tell.
(03:08:34 PM) ipanova: dkliban: yeah, imo it makes sense to leave this no auth by default and if it is desired additional config can be added to add token auth
(03:09:00 PM) jcalla [jcallaha@nat/redhat/x-slfvsjkbzcdajugu] entered the room.
(03:11:11 PM) dkliban: ipanova: and this turns on auth for all docker content?
(03:12:00 PM) dkliban: in file and rpm we provide content guards that enable user to turn on content protection at the distribution level
(03:12:39 PM) dkliban: i am wondering if a similar mechanism should be use here
(03:13:27 PM) ipanova: dkliban: it turns on auth on all api endpoints
(03:13:51 PM) ipanova: registry api
(03:15:12 PM) dkliban: ipanova: does the user use pulp3 rest api credentials to get a token?
(03:15:35 PM) dkliban: lmjachky: do you have docs written? perhaps i should just read those
(03:15:52 PM) ipanova: well, from docker perspective the content is not fully protected unless you have rbac, right now we give anonymous token for everyone who asked and content is available to everyone who has anonymous token produced and signed by our registry token server
(03:16:15 PM) dkliban: cool
(03:16:50 PM) ipanova: there is no distinction - i have access to busybox but not to hello-world, i whether have access to both of them or none
(03:16:57 PM) dkliban: yeah
(03:18:11 PM) ipanova: so you think it will be beneficial to enable this by default? i have not string feelings about this
(03:18:29 PM) dkliban: docker clients are designed to work with this
(03:18:37 PM) ipanova: dkliban: i don't think user uses pulp3 rest-api credentials to get the token
(03:18:54 PM) dkliban: that's my understanding also
(03:19:05 PM) dkliban: right now you just get a token if yo uask for it
(03:19:12 PM) ipanova: yeah
(03:19:38 PM) dkliban: so i think we should just enable it by default
(03:19:56 PM) dkliban: because the client will be able to use it
(03:20:22 PM) dkliban: and in the future when we add rbac, the token retrieval endpoint will ask for some kind of crednetials
(03:20:31 PM) dkliban: depending on what kind of auth backend is connected
(03:24:52 PM) ipanova: also another reason i thought not to enable auth by default was that i have seen other registries that have no auth, like fedora registry, for example
(03:25:14 PM) lmjachky: dkliban: yes, https://github.com/pulp/pulp_docker/pull/412/files#diff-76c460da6b178be6b7501110986f861bR1
(03:25:15 PM) ipanova: but i agree when adding rbac it would be smoother transition
(04:17:09 PM) lmjachky: so, the token authentication has to be enabled
(04:17:11 PM) lmjachky: ?
(04:17:19 PM) ipanova: let's make token auth as default auth dkliban lmjachky
(04:17:27 PM) ipanova: jsherrill: fyi ^
(04:17:48 PM) ipanova: any thoughts on this?
Actions #2

Updated by ipanova@redhat.com about 3 years ago

We should add a setting in settings.py that will explicitly disable token_auth. For example:

TOKEN_AUTH_DISABLED=True presence of this setting, and being set to True would not trigger any token generation and respectively token verification. Presence of the rest of the settings like token_server, token_alg and private/public keys would not be required, and if present, then ignored.

If the setting is present and set to False, or completely missing - we fall back to our default behaviour, where token auth is enabled by default and token_server, token_alg and private/public keys become required.

Actions #3

Updated by ipanova@redhat.com about 3 years ago

  • Sprint set to Sprint 62
Actions #4

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 62 to Sprint 63
Actions #5

Updated by lmjachky about 3 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky

Added by Lubos Mjachky about 3 years ago

Revision b9f22094

Enable users to disable the token authentication

closes #5796 https://pulp.plan.io/issues/5796

Added by Lubos Mjachky about 3 years ago

Revision b9f22094

Enable users to disable the token authentication

closes #5796 https://pulp.plan.io/issues/5796

Actions #6

Updated by lmjachky about 3 years ago

  • Status changed from ASSIGNED to POST
Actions #7

Updated by ipanova@redhat.com about 3 years ago

  • Tracker changed from Issue to Story
  • % Done set to 0
Actions #8

Updated by ipanova@redhat.com about 3 years ago

  • Status changed from POST to MODIFIED

Added by Lubos Mjachky about 3 years ago

Revision be3b1782

Enable users to disable the token authentication

closes #5796 https://pulp.plan.io/issues/5796

(cherry picked from commit b9f22094ca1c9c517a774f3b450523ed46a657d7)

Added by Lubos Mjachky about 3 years ago

Revision be3b1782

Enable users to disable the token authentication

closes #5796 https://pulp.plan.io/issues/5796

(cherry picked from commit b9f22094ca1c9c517a774f3b450523ed46a657d7)

Actions #9

Updated by Anonymous about 3 years ago

  • % Done changed from 0 to 100
Actions #10

Updated by ipanova@redhat.com about 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions #11

Updated by ipanova@redhat.com about 3 years ago

  • Sprint/Milestone set to 1.0.0
Actions #12

Updated by ggainey over 2 years ago

  • Tags Katello added
  • Tags deleted (Katello-P2)

Also available in: Atom PDF