Issue #8045

Fix the token scope for the catalog endpoint

Added by ipanova@redhat.com about 2 months ago. Updated 10 days ago.

Status: MODIFIED
Priority: Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: GalaxyNG
Sprint: Sprint 91
Quarter:

Description

(pulp) [vagrant@pulp3-source-fedora32 _scripts]$ http GET https://registry-1.docker.io/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Length: 145
Content-Type: application/json
Date: Thu, 07 Jan 2021 13:56:38 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="registry:catalog:*"

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "detail": [
                {
                    "Action": "*",
                    "Class": "",
                    "Name": "catalog",
                    "Type": "registry"
                }
            ],
            "message": "authentication required"
        }
    ]
}

$ http GET :24817/v2/_catalog --auth ina:goodpassword
HTTP/1.1 401 Unauthorized
Access-Control-Expose-Headers: Correlation-ID
Allow: GET, HEAD, OPTIONS
Connection: close
Content-Length: 106
Content-Type: application/json
Correlation-ID: 5f842cb112974d4ea25e35b533d8527a
Date: Thu, 07 Jan 2021 13:56:23 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: gunicorn/20.0.4
Vary: Accept
WWW-Authenticate: Bearer realm="http://pulp3-source-fedora32.fluffy.example.com/token",service="localhost:24817"
X-Frame-Options: SAMEORIGIN

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "detail": {},
            "message": "Authentication credentials were not provided."
        }
    ]
}


Associated revisions

Revision db229aba
Added by Lubos Mjachky 10 days ago

Return valid scope for the catalog endpoint

As of this commit, a fake distribution object is always created in order to enable correct access policy statements retrieval. Before this change, it was not possible to access the catalog endpoint even with the staff privileges.

closes #8045

History

#1 Updated by ipanova@redhat.com about 2 months ago

  • Description updated (diff)

#2 Updated by ipanova@redhat.com about 2 months ago

  • Sprint/Milestone set to 2.4.0

#3 Updated by mdellweg about 1 month ago

Is this with token_auth enabled or disabled? In your example you do not retrieve a token, and therefore are not granted access. Is this not expected behavior?

#4 Updated by ipanova@redhat.com about 1 month ago

mdellweg wrote:

Is this with token_auth enabled or disabled? In your example you do not retrieve a token, and therefore are not granted access. Is this not expected behavior?

The problem is in what we return in the auth header. The scope is missing, therefore when the client constructs the URL for the token request it will miss the 'catalog' information: scope="registry:catalog:*"
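To make the point of the comment concrete, here is an added example (not code from pulp_container or from the issue's own patch) that parses the two WWW-Authenticate challenges quoted in the description and builds the token request URL the way a registry client does, forwarding realm, service and scope to the token server. The third header, with the scope added, is a constructed stand-in for what the fix is described as returning; the parameter names follow the distribution token auth flow, and the helper names are this example's own.

```python
import re
from urllib.parse import urlencode

# Challenges copied from the issue: Docker Hub's carries a scope,
# the Pulp response before the fix carries none.
DOCKER_HUB = ('Bearer realm="https://auth.docker.io/token",'
              'service="registry.docker.io",scope="registry:catalog:*"')
PULP_BEFORE_FIX = ('Bearer realm="http://pulp3-source-fedora32.fluffy.example.com/token",'
                   'service="localhost:24817"')
# Constructed: the same Pulp challenge with the scope the fix is described as adding.
PULP_AFTER_FIX = PULP_BEFORE_FIX + ',scope="registry:catalog:*"'

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a `WWW-Authenticate: Bearer ...` value into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(_PARAM_RE.findall(params))


def token_request_url(header):
    """Build the URL a client would call on the token server for this challenge.

    The client forwards `service` and every space-separated `scope` to `realm`.
    A challenge with no scope gives the token server nothing to grant, which is
    why the catalog request in the issue never gets a usable token.
    """
    params = parse_bearer_challenge(header)
    if "realm" not in params or "service" not in params:
        raise ValueError("challenge is missing realm or service")
    scopes = params.get("scope", "").split()
    if not scopes:
        raise ValueError("challenge carries no scope; token request cannot name the catalog")
    query = [("service", params["service"])] + [("scope", s) for s in scopes]
    return params["realm"] + "?" + urlencode(query)
```

Run it against `PULP_BEFORE_FIX` and the call fails before any token request is made; against `PULP_AFTER_FIX` it yields a token URL naming `registry:catalog:*`, the same scope Docker Hub demands.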

#5 Updated by lmjachky 27 days ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky

#6 Updated by pulpbot 27 days ago

  • Status changed from ASSIGNED to POST

#8 Updated by ipanova@redhat.com 18 days ago

  • Triaged changed from No to Yes

#9 Updated by ipanova@redhat.com 17 days ago

  • Tags GalaxyNG added

#10 Updated by ipanova@redhat.com 16 days ago

  • Sprint set to Sprint 90

#11 Updated by rchan 14 days ago

  • Sprint changed from Sprint 90 to Sprint 91

#12 Updated by Anonymous 10 days ago

  • Status changed from POST to MODIFIED
