Fixed authorization against Cesenta Docker registry authentication #3795
some docker registry authentication implementations (for instance cesenta) send a JSON response with "token" instead of the expected "access_token" during authorization Signed-off-by: Reinier Schoof <reinier@skoef.nl>
49af767 to ff5bdfd
Build succeeded.
Hi @skoef, the CI is not happy if you don't sign off for your commit :) https://github.com/containerd/project/blob/master/CONTRIBUTING.md#sign-your-work
…e and password Signed-off-by: Reinier Schoof <reinier@skoef.nl>
Codecov Report
@@ Coverage Diff @@
## master #3795 +/- ##
==========================================
+ Coverage 42% 42.01% +0.01%
==========================================
Files 131 131
Lines 14589 14598 +9
==========================================
+ Hits 6128 6134 +6
- Misses 7547 7549 +2
- Partials 914 915 +1
I'm just now seeing that a similar fallback for
Signed-off-by: Reinier Schoof <reinier@skoef.nl>
Not sure why only the travis darwin CI didn't succeed. Also the Appveyor error doesn't seem really related to my change.
LGTM
Signed-off-by: Reinier Schoof <reinier@skoef.nl>
Just in time I saw that
Cesanta should be either implementing the OAuth endpoint or returning a 405 that it is not implemented. These changes represent an undocumented and unsupported API deviation. I would suggest first getting these changes into Cesanta since it is an open source project. After that is fixed, we can discuss adding these special cases. Like with all special cases, we heavily document the version, date, and those which do not implement the specified protocol.
@dmcgowan I certainly think that is fair, however, for the OTOH: I'm far from an OAuth-expert, let's say that as well.
@skoef the problem here is that it seems Cesanta is not implementing the
@skoef what does the response look like today from the
You're right, I filed a PR with Cesanta's docker_auth (cesanta/docker_auth#265), we'll see what happens there!
The PR was merged by Cesanta, so I'm closing this. Thanks anyway!
I'm using Cesanta authentication for my private docker registry and could not make authorisation work from containerd. After digging through both the code of containerd and Cesanta I fixed authorisation by adjusting two things:

`{"access_token": "..."}` while Cesanta is sending `{"token": "..."}` (https://github.com/cesanta/docker_auth/blob/master/auth_server/server/server.go#L425). I added a field to `postTokenResponse` called `LegacyToken` (didn't really know what else to call it) and when that is set but `AccessToken` isn't, `LegacyToken` is used instead.

With those 2 small fixes I could pull images from my registry.
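The fallback described in the PR text, as an added example that is not the PR's diff or containerd's code: it decodes a token response, prefers `access_token`, falls back to `token`, and rejects a body carrying neither so an empty bearer token is never sent. The struct and field names come from the description above; `tokenFromResponse`, `errNoToken` and the sample bodies are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// postTokenResponse follows the shape named in the PR description:
// AccessToken is the field the client expects, LegacyToken is the
// "token" field some auth servers send instead.
type postTokenResponse struct {
	AccessToken string `json:"access_token"`
	LegacyToken string `json:"token"`
}

// errNoToken is a hypothetical sentinel for a response without a usable token.
var errNoToken = errors.New("token response has neither access_token nor token")

// tokenFromResponse (hypothetical helper) returns the bearer token from a
// token endpoint response body, using "token" only when "access_token" is unset.
func tokenFromResponse(body []byte) (string, error) {
	var tr postTokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("decode token response: %w", err)
	}
	if tr.AccessToken != "" {
		return tr.AccessToken, nil
	}
	if tr.LegacyToken != "" {
		return tr.LegacyToken, nil
	}
	// Fail closed: never continue with an empty Authorization header.
	return "", errNoToken
}

func main() {
	// Constructed sample bodies, not captured from a real registry.
	samples := []string{
		`{"access_token": "aaa"}`,
		`{"token": "bbb"}`,
		`{"access_token": "aaa", "token": "bbb"}`,
		`{"expires_in": 300}`,
	}
	for _, s := range samples {
		tok, err := tokenFromResponse([]byte(s))
		fmt.Printf("%-42s token=%q err=%v\n", s, tok, err)
	}
}
```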