New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add token pass-thru for AuthConfig #17741
Conversation
@docker/security what do you think about this? |
This makes a lot of sense to me. Design LGTM. |
|
Name change sounds fine to me. If nobody else speaks up, I'll update this and the related PRs to make the change. |
LGTM |
Is there a way to test this? PS: We definitely need documentation before merging it 😸 |
7fdfb90
to
1f8a78e
Compare
Unit test and API level documentation added. I wasn't sure if there was someplace better to doc it, since AuthConfig wasn't really described in any of the docs I found. |
Not sure what to make of the CI build failures - janky seems to be a GPG key download failure. The windows one is a bit harder to make heads or tails of, but I don't see anything related to my change in the log. |
Hmm... looks like the graph package just went poof - so I need to figure out where this logic needs to shift to. |
This code moved to the |
Thanks all - I've migrated my change over to the new layout, and am just running some final tests now to make sure nothing broke in the transition - I'll update the PR shortly. |
Updated based on new layout. |
LGTM |
not in docs review yet, but can you also add a note to the API changelog; https://github.com/docker/docker/blob/master/docs/reference/api/docker_remote_api.md#v122-api-changes |
LGTM (but needs a rebase, sorry @dhiltgen) |
|
||
{ | ||
"registrytoken": "9cbaf023786cd7..." | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
48d2907
to
4491b31
Compare
This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" | jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>
Rebased and got markdown to cooperate for the code blocks. (additional indentation didn't seem to work so I resorted to the triple-back-tick) |
Thanks, @dhiltgen, markdown can be a PITA with whitespace and lists. I ran docs LGTM ping @jamtur01 @SvenDowideit @moxiegirl for review |
LGTM |
Add token pass-thru for AuthConfig
Thanks @dhiltgen! |
🎉 |
🎆 |
A little disappointing that this wasn't reviewed by anyone from the distribution team. There are few issues:
|
@stevvooe please don't comment on closed tickets In your opinion, do we need changes to this PR before 1.10? If so, I can open an issue for that. Apologies that distribution didn't fully review this |
This is one of the few cases where it's acceptable. 🐹
I have no clue. We have no proposal showing why this is needed, other solutions considered, how this will interoperate with the existing push/pull flow or how we can support this going into the future. I'd like to have seen a more expressive approach that includes exchanging a token on garant for a registry token. This would also have solved the unencrypted credentials issue. The difference being we can issue tokens that have require a higher level of protection and thus can have a longer expiry. |
} | ||
|
||
func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error { | ||
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After some thought, we may need to restrict the token to a particular host. Otherwise, we risk credential leak upon redirect. Also, tokens should also be included only on https requests, unless otherwise specified.
For example, this will send the token to s3, leaking it to AWS.
This change allows API clients to retrieve an authentication token from
a registry, and then pass that token directly to the API.
Example usage:
Signed-off-by: Daniel Hiltgen daniel.hiltgen@docker.com