Project

Profile

Help

Issue #8045

closed

Fix the token scope for the catalog endpoint

Added by ipanova@redhat.com almost 4 years ago. Updated almost 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
GalaxyNG
Sprint:
Sprint 91
Quarter:

Description

(pulp) [vagrant@pulp3-source-fedora32 _scripts]$ http GET https://registry-1.docker.io/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Length: 145
Content-Type: application/json
Date: Thu, 07 Jan 2021 13:56:38 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="registry:catalog:*"

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "detail": [
                {
                    "Action": "*",
                    "Class": "",
                    "Name": "catalog",
                    "Type": "registry"
                }
            ],
            "message": "authentication required"
        }
    ]
}

$ http GET :24817/v2/_catalog --auth ina:goodpassword
HTTP/1.1 401 Unauthorized
Access-Control-Expose-Headers: Correlation-ID
Allow: GET, HEAD, OPTIONS
Connection: close
Content-Length: 106
Content-Type: application/json
Correlation-ID: 5f842cb112974d4ea25e35b533d8527a
Date: Thu, 07 Jan 2021 13:56:23 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: gunicorn/20.0.4
Vary: Accept
WWW-Authenticate: Bearer realm="http://pulp3-source-fedora32.fluffy.example.com/token",service="localhost:24817"
X-Frame-Options: SAMEORIGIN

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "detail": {},
            "message": "Authentication credentials were not provided."
        }
    ]
}


Actions #1

Updated by ipanova@redhat.com almost 4 years ago

  • Description updated (diff)
Actions #2

Updated by ipanova@redhat.com almost 4 years ago

  • Sprint/Milestone set to 2.4.0
Actions #3

Updated by mdellweg almost 4 years ago

Is this with token_auth enabled or disabled? In your example you do not retrieve a token, and therefor are not granted access. Is this not expected behavior?

Actions #4

Updated by ipanova@redhat.com almost 4 years ago

mdellweg wrote:

Is this with token_auth enabled or disabled? In your example you do not retrieve a token, and therefor are not granted access. Is this not expected behavior?

The problem is in what we return in the auth header. The scope is missing, therefore when the client will construct the url for the token request it will miss the 'catalog' information' scope="registry:catalog:*"

Actions #5

Updated by lmjachky almost 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky
Actions #6

Updated by pulpbot almost 4 years ago

  • Status changed from ASSIGNED to POST
Actions #8

Updated by ipanova@redhat.com almost 4 years ago

  • Triaged changed from No to Yes
Actions #9

Updated by ipanova@redhat.com almost 4 years ago

  • Tags GalaxyNG added
Actions #10

Updated by ipanova@redhat.com almost 4 years ago

  • Sprint set to Sprint 90
Actions #11

Updated by rchan almost 4 years ago

  • Sprint changed from Sprint 90 to Sprint 91

Added by Lubos Mjachky almost 4 years ago

Revision db229aba | View on GitHub

Return valid scope for the catalog endpoint

As of this commit, a fake distribution object is always created in order to enable correct access policy statements retrieval. Before this change, it was not possible to access the catalog endpoint even with the staff privileges.

closes #8045

Added by Lubos Mjachky almost 4 years ago

Revision db229aba | View on GitHub

Return valid scope for the catalog endpoint

As of this commit, a fake distribution object is always created in order to enable correct access policy statements retrieval. Before this change, it was not possible to access the catalog endpoint even with the staff privileges.

closes #8045

Actions #12

Updated by Anonymous almost 4 years ago

  • Status changed from POST to MODIFIED
Actions #13

Updated by pulpbot almost 4 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF