Issue #8045
closed
Fix the token scope for the catalog endpoint
Description
(pulp) [vagrant@pulp3-source-fedora32 _scripts]$ http GET https://registry-1.docker.io/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Length: 145
Content-Type: application/json
Date: Thu, 07 Jan 2021 13:56:38 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="registry:catalog:*"
{
"errors": [
{
"code": "UNAUTHORIZED",
"detail": [
{
"Action": "*",
"Class": "",
"Name": "catalog",
"Type": "registry"
}
],
"message": "authentication required"
}
]
}
$ http GET :24817/v2/_catalog --auth ina:goodpassword
HTTP/1.1 401 Unauthorized
Access-Control-Expose-Headers: Correlation-ID
Allow: GET, HEAD, OPTIONS
Connection: close
Content-Length: 106
Content-Type: application/json
Correlation-ID: 5f842cb112974d4ea25e35b533d8527a
Date: Thu, 07 Jan 2021 13:56:23 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: gunicorn/20.0.4
Vary: Accept
WWW-Authenticate: Bearer realm="http://pulp3-source-fedora32.fluffy.example.com/token",service="localhost:24817"
X-Frame-Options: SAMEORIGIN
{
"errors": [
{
"code": "UNAUTHORIZED",
"detail": {},
"message": "Authentication credentials were not provided."
}
]
}
Updated by mdellweg about 3 years ago
Is this with token_auth enabled or disabled? In your example you do not retrieve a token, and therefor are not granted access. Is this not expected behavior?
Updated by ipanova@redhat.com about 3 years ago
mdellweg wrote:
Is this with token_auth enabled or disabled? In your example you do not retrieve a token, and therefor are not granted access. Is this not expected behavior?
The problem is in what we return in the auth header. The scope is missing, therefore when the client will construct the url for the token request it will miss the 'catalog' information' scope="registry:catalog:*"
Updated by lmjachky about 3 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to lmjachky
Updated by pulpbot about 3 years ago
- Status changed from ASSIGNED to POST
Updated by pulpbot about 3 years ago
Added by Lubos Mjachky about 3 years ago
Added by Lubos Mjachky about 3 years ago
Revision db229aba | View on GitHub
Return valid scope for the catalog endpoint
As of this commit, a fake distribution object is always created in order to enable correct access policy statements retrieval. Before this change, it was not possible to access the catalog endpoint even with the staff privileges.
closes #8045
Updated by Anonymous about 3 years ago
- Status changed from POST to MODIFIED
Applied in changeset db229aba549d3952745480fae092b9a7d3f97859.
Updated by pulpbot about 3 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
.
Return valid scope for the catalog endpoint
As of this commit, a fake distribution object is always created in order to enable correct access policy statements retrieval. Before this change, it was not possible to access the catalog endpoint even with the staff privileges.
closes #8045