Story #4938
Updated by lmjachky over 5 years ago
We need to add auth mechanism to Pulp registry - basic or token based.
This ticket will be complete when a token based auth mechanism will be added.
Basic auth mechanism will be solved in a separate ticket.
----------------------------------------------------------------------------------
1. Create a separate endpoint for accessing a token server. It might be something similar to "https://auth.docker.io/token". An HTTP GET request for the token server will be created when a registry requires authorization.
2. The server has to maintain a record of authorized users within different scopes. At first, a client needs to log in (send an HTTP GET request) with credentials provided in a request header. "As of Docker 1.8, the registry client in the Docker Engine only supports Basic Authentication to these token servers."
For example, a user/docker daemon can execute the following command in order to accomplish the authentication:
<pre><code class="text">
curl -Lv -u <username>:<password> "https://sso.redhat.com/auth/realms/rhcc/protocol/redhat-docker-v2/auth?service=docker-registry&client_id=curl&scope=repository:rhel:pull"
</code></pre>
3. If the user is attempting to access a permitted scope, the token server generates an implementation specific token and returns it in a response.
<pre><code class="text">
HTTP/1.1 200 OK
Content-Type: application/json
{"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlBZWU86VEVXVTpWN0pIOjI2SlY6QVFUWjpMSkMzOlNYVko6WEdIQTozNEYyOjJMQVE6WlJNSzpaN1E2In0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJqbGhhd24iLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuY29tIiwiZXhwIjoxNDE1Mzg3MzE1LCJuYmYiOjE0MTUzODcwMTUsImlhdCI6MTQxNTM4NzAxNSwianRpIjoidFlKQ08xYzZjbnl5N2tBbjBjN3JLUGdiVjFIMWJGd3MiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6InNhbWFsYmEvbXktYXBwIiwiYWN0aW9ucyI6WyJwdXNoIl19XX0.QhflHPfbd6eVF4lM9bwYpFZIV0PfikbyXuLx959ykRTBpe3CYnzs6YBK8FToVb5R47920PVLrh8zuLzdCr9t3w", "expires_in": 3600,"issued_at": "2009-11-10T23:00:00Z"}
</code></pre>
The generated token will be used by a client in subsequent requests. The registry will proceed further with authenticated pull/push calls along with the bearer token.
<pre><code class="text">
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkJWM0Q6MkFWWjpVQjVaOktJQVA6SU5QTDo1RU42Ok40SjQ6Nk1XTzpEUktFOkJWUUs6M0ZKTDpQT1RMIn0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJCQ0NZOk9VNlo6UUVKNTpXTjJDOjJBVkM6WTdZRDpBM0xZOjQ1VVc6NE9HRDpLQUxMOkNOSjU6NUlVTCIsImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5jb20iLCJleHAiOjE0MTUzODczMTUsIm5iZiI6MTQxNTM4NzAxNSwiaWF0IjoxNDE1Mzg3MDE1LCJqdGkiOiJ0WUpDTzFjNmNueXk3a0FuMGM3cktQZ2JWMUgxYkZ3cyIsInNjb3BlIjoiamxoYXduOnJlcG9zaXRvcnk6c2FtYWxiYS9teS1hcHA6cHVzaCxwdWxsIGpsaGF3bjpuYW1lc3BhY2U6c2FtYWxiYTpwdWxsIn0.Y3zZSwaZPqy4y9oRBVRImZyv3m_S9XDHF1tWwN7mL52C_IiA73SJkWVNsvNqpJIn5h7A2F8biv_S2ppQ1lgkbw
</code></pre>
* We can implement exactly the same behavior as it is described in the authentication scheme https://docs.docker.com/registry/spec/auth/token/. I am not sure if a docker daemon can send authorization requests automatically or it is managed by a client himself. We still only need to check user's permissions and generate a bearer token according to that.
References:
https://docs.docker.com/registry/spec/auth/jwt/
https://docs.docker.com/registry/spec/auth/oauth/
https://docs.docker.com/registry/spec/auth/token/
https://access.redhat.com/articles/3560571
.