Messinger edited this page Jan 13, 2018 · 6 revisions

Welcome to the docker-redmine-auth!

Docker registry v2 has a nice API to authenticate against external auth providers. But for now there is no (public?) provider implementation that uses a Redmine installation as its source.

Installation & Usage

Requirements

  1. A server certificate with a public and private key pair.
  2. A working Redmine or GitLab installation. You don't need administrator access to it!
  3. If not running from the prebuilt docker container, a working Rails 4 environment.

User / Password

  1. If authenticating against Redmine, you may use username/password.
  2. If authenticating against GitLab, you must use a private token with API access. The given username is ignored and may be empty (the docker registry wants a username and sends it to the authenticator).

Username/password auth with GitLab isn't possible anymore.

Installation from source

  1. Clone the repository
  2. I prefer using RVM; in this case copy .ruby-version.example to .ruby-version and ensure RVM loads the correct environment. Of course you may set it to a Ruby version you prefer, as long as it is Ruby 2.x.
  3. Run bundle install
  4. Copy config/settings.yml.example to config/settings.yml and edit settings. Very important: Use correct docker_issuer value! It must match issuer in ssl-certificate and issuer entry in docker-registry config file. Ensure you use the correct ssl-certificate and keys. Key must contain both public and private part!
  5. Run RAILS_ENV=production bundle exec rake db:migrate
  6. Start with RAILS_ENV=production rails s.

You should access this service via SSL only! Either with the built-in SSL support or via a reverse-proxy setup with nginx or Apache (or with Phusion Passenger).

Using prebuilt docker image

Take a look at the docker-compose.yml, or download it and modify it for your needs. Ensure you mount the ssl-certificate, ssl-key and settings.yml from and to the correct place! Start with docker-compose up

Testing

Connect with a RESTful client (for instance Advanced REST client in Google Chrome) to https://example.org/auth or https://example.org/auth.json (replace example.org with your own server name). A simple web browser will work, too. You are now asked for credentials: use the login of the Redmine server you configured. The login may be your Redmine API token, too. In this case use the Redmine API token as username and some characters as password.

If the login is successful, you should get a result like

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiI .... aMW9aphXNKhtg","expires_in":30,"issuer":"dockerauth"}
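To confirm that a returned token is really signed with the key from settings.yml and carries the issuer the registry expects, a check like the following can be used. It is an added example, not code from docker-redmine-auth: the iss and exp claim names follow the Docker registry token specification, RS256 is taken from the token header shown above, and the throwaway key and sample_token helper are constructed stand-ins for the real server key and a real /auth response.

```ruby
require "openssl"
require "json"

# base64url helpers (JWT segments carry no "=" padding)
def b64url_decode(seg)
  (seg + "=" * ((4 - seg.length % 4) % 4)).tr("-_", "+/").unpack1("m")
end

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# Returns the claims when the token is RS256-signed by public_key, carries the
# expected issuer and has not expired; raises ArgumentError otherwise.
def verify_registry_token(token, public_key, expected_issuer, now: Time.now.to_i)
  parts = token.split(".", -1)
  raise ArgumentError, "not a compact JWT" unless parts.length == 3 && parts.none?(&:empty?)
  head, body, sig = parts
  alg = JSON.parse(b64url_decode(head))["alg"]
  raise ArgumentError, "unexpected alg #{alg.inspect}" unless alg == "RS256" # pin the algorithm
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig), "#{head}.#{body}")
    raise ArgumentError, "signature does not match the configured key"
  end
  claims = JSON.parse(b64url_decode(body))
  raise ArgumentError, "issuer mismatch: #{claims['iss'].inspect}" unless claims["iss"] == expected_issuer
  raise ArgumentError, "token expired" unless claims["exp"].to_i > now
  claims
end

# Boolean wrapper: any parse or verification failure means "reject".
def token_valid?(*args, **kw)
  verify_registry_token(*args, **kw)
  true
rescue StandardError
  false
end

# Constructed sample token (assumption: stands in for the "token" field of /auth).
def sample_token(key, issuer, now, ttl: 30)
  head = b64url_encode(JSON.generate("typ" => "JWT", "alg" => "RS256"))
  body = b64url_encode(JSON.generate("iss" => issuer, "iat" => now, "exp" => now + ttl))
  "#{head}.#{body}." + b64url_encode(key.sign(OpenSSL::Digest.new("SHA256"), "#{head}.#{body}"))
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # throwaway key standing in for the server key
  token = sample_token(key, "dockerauth", Time.now.to_i)
  puts verify_registry_token(token, key.public_key, "dockerauth")
  puts token_valid?(token, key.public_key, "registry.example.org") # issuer mismatch
end
```

Against a real deployment, pass the token string from the JSON response, the public key read from the mounted certificate, and the docker_issuer value from settings.yml.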

Pathmapping

The base is always the namespace part of the docker image name. This part must match a project on the authentication source. To avoid problems, the search is always case-sensitive!

Redmine auth

You want to clone the docker path localhost:5000/serveme/servimage

Now we search in Redmine for the project with the short name serveme (the identifier). The credentials must match a user who

  1. is member of this project
  2. has at least read access

Read access is identified by the permission "Browse repository", write access by "Commit repository".

Gitlab auth

In most cases GitLab projects have a deeper path. You want to clone the path localhost:5000/mygroup/serveme/servimage

The service now looks up a GitLab project by its path with namespace, e.g. mygroup/serveme. If you want to use the name of the project, the name must be written URL-safe in docker.

Due to the deeper path of GitLab projects, it will never overlap with Redmine project names. E.g. mygroup/serveme will never match mygroup.