You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 16, 2024. It is now read-only.
sangee2004
changed the title
acorn login succeeds even when invalid credentials are use to login to private registry.
acorn login succeeds even when invalid credentials are used to login to private registry.
May 18, 2023
So the reason that ghcr.io, docker.io, etc. don't have this problem is because they are using a different type of authentication than what our image registry library Acorn uses.
We are relying on this call to transport.NewWithContext to determine whether the login credentials are valid:
This function behaves differently depending on whether basic or bearer authentication is used. If bearer (like docker.io and ghcr.io), then the credentials do get validated. If basic, they do not. That is the reason for this disparity.
Unfortunately, I do not think there is a clean way to validate credentials in the case of basic authentication. The container registry API does not have an endpoint to simply check whether a user is logged in. We could possibly try to get some strange image that likely doesn't exist (i.e. <registry host>/acorn:<randomly generated tag>) and check to make sure the error is MANIFEST_UNKNOWN (image not found). But that wouldn't really solve the problem either, since the credential might be able to pull public but not private images.
So basically, I'm not sure what can be done here. Open to ideas/suggestions.
acorn version v0.7.0-alpha1-49-gf5e99d78+f5e99d78
Steps to reproduce the problem:
Stand up a private registry with auth enabled.
acorn login
succeeds when invalid credentials are passed to it.The text was updated successfully, but these errors were encountered: