Project

Profile

Help

Issue #8045

closed

Fix the token scope for the catalog endpoint

Added by ipanova@redhat.com over 1 year ago. Updated over 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
GalaxyNG
Sprint:
Sprint 91
Quarter:

Description

(pulp) [vagrant@pulp3-source-fedora32 _scripts]$ http GET https://registry-1.docker.io/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Length: 145
Content-Type: application/json
Date: Thu, 07 Jan 2021 13:56:38 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="registry:catalog:*"

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "detail": [
                {
                    "Action": "*",
                    "Class": "",
                    "Name": "catalog",
                    "Type": "registry"
                }
            ],
            "message": "authentication required"
        }
    ]
}

$ http GET :24817/v2/_catalog --auth ina:goodpassword
HTTP/1.1 401 Unauthorized
Access-Control-Expose-Headers: Correlation-ID
Allow: GET, HEAD, OPTIONS
Connection: close
Content-Length: 106
Content-Type: application/json
Correlation-ID: 5f842cb112974d4ea25e35b533d8527a
Date: Thu, 07 Jan 2021 13:56:23 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: gunicorn/20.0.4
Vary: Accept
WWW-Authenticate: Bearer realm="http://pulp3-source-fedora32.fluffy.example.com/token",service="localhost:24817"
X-Frame-Options: SAMEORIGIN

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "detail": {},
            "message": "Authentication credentials were not provided."
        }
    ]
}


Actions #1

Updated by ipanova@redhat.com over 1 year ago

  • Description updated (diff)
Actions #2

Updated by ipanova@redhat.com over 1 year ago

  • Sprint/Milestone set to 2.4.0
Actions #3

Updated by mdellweg over 1 year ago

Is this with token_auth enabled or disabled? In your example you do not retrieve a token, and therefor are not granted access. Is this not expected behavior?

Actions #4

Updated by ipanova@redhat.com over 1 year ago

mdellweg wrote:

Is this with token_auth enabled or disabled? In your example you do not retrieve a token, and therefor are not granted access. Is this not expected behavior?

The problem is in what we return in the auth header. The scope is missing, therefore when the client will construct the url for the token request it will miss the 'catalog' information' scope="registry:catalog:*"

Actions #5

Updated by lmjachky over 1 year ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky
Actions #6

Updated by pulpbot over 1 year ago

  • Status changed from ASSIGNED to POST
Actions #8

Updated by ipanova@redhat.com over 1 year ago

  • Triaged changed from No to Yes
Actions #9

Updated by ipanova@redhat.com over 1 year ago

  • Tags GalaxyNG added
Actions #10

Updated by ipanova@redhat.com over 1 year ago

  • Sprint set to Sprint 90
Actions #11

Updated by rchan over 1 year ago

  • Sprint changed from Sprint 90 to Sprint 91

Added by Lubos Mjachky over 1 year ago

Revision db229aba

Return valid scope for the catalog endpoint

As of this commit, a fake distribution object is always created in order to enable correct access policy statements retrieval. Before this change, it was not possible to access the catalog endpoint even with the staff privileges.

closes #8045

Added by Lubos Mjachky over 1 year ago

Revision db229aba

Return valid scope for the catalog endpoint

As of this commit, a fake distribution object is always created in order to enable correct access policy statements retrieval. Before this change, it was not possible to access the catalog endpoint even with the staff privileges.

closes #8045

Actions #12

Updated by Anonymous over 1 year ago

  • Status changed from POST to MODIFIED
Actions #13

Updated by pulpbot over 1 year ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF