Need a setting to disable token authentication for container registry
We would like to disable token authentication so Katello can continue taking care of authentication itself.
Updated by lmjachky almost 4 years ago
I am attaching the conversation which took place a few months ago (2019-09-09) over IRC.
(03:04:06 PM) dkliban: i think we should enable token auth by default
(03:06:48 PM) lmjachky: thank you, I am going to take a look at that :)
(03:07:05 PM) lmjachky: ipanova proposed to let the token auth disabled by default
(03:07:20 PM) bherring: Ah. gotcha
(03:07:30 PM) bherring: My bad. Mis-tell.
(03:08:34 PM) ipanova: dkliban: yeah, imo it makes sense to leave this no auth by default and if it is desired additional config can be added to add token auth
(03:09:00 PM) jcalla [jcallaha@nat/redhat/x-slfvsjkbzcdajugu] entered the room.
(03:11:11 PM) dkliban: ipanova: and this turns on auth for all docker content?
(03:12:00 PM) dkliban: in file and rpm we provide content guards that enable user to turn on content protection at the distribution level
(03:12:39 PM) dkliban: i am wondering if a similar mechanism should be used here
(03:13:27 PM) ipanova: dkliban: it turns on auth on all api endpoints
(03:13:51 PM) ipanova: registry api
(03:15:12 PM) dkliban: ipanova: does the user use pulp3 rest api credentials to get a token?
(03:15:35 PM) dkliban: lmjachky: do you have docs written? perhaps i should just read those
(03:15:52 PM) ipanova: well, from docker perspective the content is not fully protected unless you have rbac, right now we give anonymous token for everyone who asked and content is available to everyone who has anonymous token produced and signed by our registry token server
(03:16:15 PM) dkliban: cool
(03:16:50 PM) ipanova: there is no distinction - i have access to busybox but not to hello-world, i either have access to both of them or none
(03:16:57 PM) dkliban: yeah
(03:18:11 PM) ipanova: so you think it will be beneficial to enable this by default?
i have no strong feelings about this
(03:18:29 PM) dkliban: docker clients are designed to work with this
(03:18:37 PM) ipanova: dkliban: i don't think user uses pulp3 rest-api credentials to get the token
(03:18:54 PM) dkliban: that's my understanding also
(03:19:05 PM) dkliban: right now you just get a token if you ask for it
(03:19:12 PM) ipanova: yeah
(03:19:38 PM) dkliban: so i think we should just enable it by default
(03:19:56 PM) dkliban: because the client will be able to use it
(03:20:22 PM) dkliban: and in the future when we add rbac, the token retrieval endpoint will ask for some kind of credentials
(03:20:31 PM) dkliban: depending on what kind of auth backend is connected
(03:24:52 PM) ipanova: also another reason i thought not to enable auth by default was that i have seen other registries that have no auth, like fedora registry, for example
(03:25:14 PM) lmjachky: dkliban: yes, https://github.com/pulp/pulp_docker/pull/412/files#diff-76c460da6b178be6b7501110986f861bR1
(03:25:15 PM) ipanova: but i agree when adding rbac it would be smoother transition
(04:17:09 PM) lmjachky: so, the token authentication has to be enabled
(04:17:11 PM) lmjachky: ?
(04:17:19 PM) ipanova: let's make token auth as default auth dkliban lmjachky
(04:17:27 PM) ipanova: jsherrill: fyi ^
(04:17:48 PM) ipanova: any thoughts on this?
Updated by firstname.lastname@example.org almost 4 years ago
We should add a setting in settings.py that will explicitly disable token_auth. For example:
TOKEN_AUTH_DISABLED=True. The presence of this setting, set to True, would not trigger any token generation and, respectively, token verification. Presence of the rest of the settings, like token_server, token_alg and the private/public keys, would not be required and, if present, they would be ignored.
If the setting is present and set to False, or completely missing, we fall back to our default behaviour, where token auth is enabled by default and token_server, token_alg and the private/public keys become required.
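The settings semantics proposed in the comment above, written out as a small resolver. This is an added example and not pulp_container's code; `TOKEN_AUTH_DISABLED` is the name proposed on the page, while `TOKEN_SERVER`, `TOKEN_SIGNATURE_ALGORITHM`, `PUBLIC_KEY_PATH` and `PRIVATE_KEY_PATH` are assumed spellings of the token_server, token_alg and key settings the comment mentions. It also handles one failure mode the comment does not spell out: a non-boolean value such as the string `"False"` read from an environment file is truthy in Python, so treating it as a bool would silently switch token checks off; the resolver rejects anything that is not a real bool instead.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumed setting names, modelled on the token_server / token_alg / key
# settings named in the comment; TOKEN_AUTH_DISABLED is the proposed name.
REQUIRED_WHEN_ENABLED = (
    "TOKEN_SERVER",
    "TOKEN_SIGNATURE_ALGORITHM",
    "PUBLIC_KEY_PATH",
    "PRIVATE_KEY_PATH",
)


class ImproperlyConfigured(ValueError):
    """Raised when the registry cannot start safely with the given settings."""


@dataclass(frozen=True)
class TokenAuthConfig:
    """Resolved token-auth state; the optional fields are only set when enabled."""
    enabled: bool
    token_server: Optional[str] = None
    algorithm: Optional[str] = None
    public_key_path: Optional[str] = None
    private_key_path: Optional[str] = None


def resolve_token_auth(settings: Mapping[str, object]) -> TokenAuthConfig:
    """Apply the proposed rules:

    - TOKEN_AUTH_DISABLED present and True: no token generation or verification;
      the remaining token settings are not required and are ignored if present.
    - TOKEN_AUTH_DISABLED False or missing: default behaviour, token auth is on
      and the remaining token settings become required.
    """
    disabled = settings.get("TOKEN_AUTH_DISABLED", False)
    # Only a genuine bool is accepted: a string like "False" would otherwise be
    # truthy and disable authentication by accident.
    if not isinstance(disabled, bool):
        raise ImproperlyConfigured(
            f"TOKEN_AUTH_DISABLED must be a boolean, got {disabled!r}"
        )
    if disabled:
        return TokenAuthConfig(enabled=False)

    missing = [name for name in REQUIRED_WHEN_ENABLED if not settings.get(name)]
    if missing:
        raise ImproperlyConfigured(
            "token auth is enabled but required settings are missing: "
            + ", ".join(missing)
        )
    return TokenAuthConfig(
        enabled=True,
        token_server=str(settings["TOKEN_SERVER"]),
        algorithm=str(settings["TOKEN_SIGNATURE_ALGORITHM"]),
        public_key_path=str(settings["PUBLIC_KEY_PATH"]),
        private_key_path=str(settings["PRIVATE_KEY_PATH"]),
    )


def validation_error(settings: Mapping[str, object]) -> Optional[str]:
    """Return the configuration error message, or None if settings resolve."""
    try:
        resolve_token_auth(settings)
    except ImproperlyConfigured as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample settings covering the three cases from the comment.
    examples = {
        "disabled, key settings present but ignored": {
            "TOKEN_AUTH_DISABLED": True,
            "TOKEN_SERVER": "http://localhost:24816/token/",
        },
        "enabled by default, everything supplied": {
            "TOKEN_SERVER": "http://localhost:24816/token/",
            "TOKEN_SIGNATURE_ALGORITHM": "ES256",
            "PUBLIC_KEY_PATH": "/etc/pulp/public.pem",
            "PRIVATE_KEY_PATH": "/etc/pulp/private.pem",
        },
        "explicitly False but keys missing": {"TOKEN_AUTH_DISABLED": False},
        "string value from an env file": {"TOKEN_AUTH_DISABLED": "False"},
    }
    for label, cfg in examples.items():
        print(f"{label}: {validation_error(cfg) or resolve_token_auth(cfg)}")
```

The resolver fails closed: when token auth is on and a key path or the token server is missing, startup raises rather than serving content without the checks the operator expected.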