Actions
Issue #8045
closed
Fix the token scope for the catalog endpoint
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
GalaxyNG
Sprint:
Sprint 91
Quarter:
Description
(pulp) [vagrant@pulp3-source-fedora32 _scripts]$ http GET https://registry-1.docker.io/v2/_catalog
HTTP/1.1 401 Unauthorized
Content-Length: 145
Content-Type: application/json
Date: Thu, 07 Jan 2021 13:56:38 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="registry:catalog:*"
{
"errors": [
{
"code": "UNAUTHORIZED",
"detail": [
{
"Action": "*",
"Class": "",
"Name": "catalog",
"Type": "registry"
}
],
"message": "authentication required"
}
]
}
$ http GET :24817/v2/_catalog --auth ina:goodpassword
HTTP/1.1 401 Unauthorized
Access-Control-Expose-Headers: Correlation-ID
Allow: GET, HEAD, OPTIONS
Connection: close
Content-Length: 106
Content-Type: application/json
Correlation-ID: 5f842cb112974d4ea25e35b533d8527a
Date: Thu, 07 Jan 2021 13:56:23 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: gunicorn/20.0.4
Vary: Accept
WWW-Authenticate: Bearer realm="http://pulp3-source-fedora32.fluffy.example.com/token",service="localhost:24817"
X-Frame-Options: SAMEORIGIN
{
"errors": [
{
"code": "UNAUTHORIZED",
"detail": {},
"message": "Authentication credentials were not provided."
}
]
}
Actions
.
Return valid scope for the catalog endpoint
As of this commit, a fake distribution object is always created in order to enable correct access policy statements retrieval. Before this change, it was not possible to access the catalog endpoint even with the staff privileges.
closes #8045