Create and populate htpasswd file if missing #2362
Conversation
Replaced the default registry auth configuration from 'none' to 'htpasswd'. Following the change in distribution/distribution#2362. Signed-off-by: Liron Levin <liron@twistlock.com>
Codecov Report
@@ Coverage Diff @@
## master #2362 +/- ##
==========================================
- Coverage 60.34% 50.71% -9.64%
==========================================
Files 126 126
Lines 14436 14472 +36
==========================================
- Hits 8712 7340 -1372
- Misses 4841 6381 +1540
+ Partials 883 751 -132
Continue to review full report at Codecov.
|
|
CC @dmcgowan |
cmd/registry/config-example.yml
Outdated
| auth: | ||
| htpasswd: | ||
| realm: basic-realm | ||
| path: /auth/htpasswd |
There was a problem hiding this comment.
would prefer to use /var/lib/registry or something under /etc for the examples
There was a problem hiding this comment.
Makes sense, I've put it under /etc/registry
registry/auth/htpasswd/access.go
Outdated
| if _, err := f.Write([]byte(fmt.Sprintf("docker:%s", string(encryptedPass[:])))); err != nil { | ||
| return err | ||
| } | ||
| logrus.Warnf("htpasswd is missing. provisioned with default user:docker password: %s", pass) |
There was a problem hiding this comment.
This output looks kind of off
WARN[0000] htpasswd is missing. provisioned with default user:docker password: qakOn184C_WYgnUt7RDyE3xO7YrDkYhpqA9A2JbwIz0=
Maybe just getting rid of the space after password: would make it look more consistent. Also please use RawURLEncoding to get rid of the = at the end, some might find it confusing as to whether it is part of the password or part of an encoding.
There was a problem hiding this comment.
Makes sense. I've removed the space and replaced the encoding method.
liron-l
force-pushed
the
populate_htpasswd
branch
from
adae5b3
to
2cd4ed6
Compare
|
Thanks @dmcgowan, I've updated the review. |
Replaced the default registry auth configuration from 'none' to 'htpasswd'. Following the change in distribution/distribution#2362. Signed-off-by: Liron Levin <liron@twistlock.com>
|
@dmcgowan PTAL |
|
@dmcgowan anything else I need to change? |
|
@tiborvass @dmcgowan PTAL. |
|
@tiborvass @stevvooe @dmcgowan what's required to get this merged? |
registry/auth/htpasswd/access.go
Outdated
| @@ -111,6 +119,34 @@ func (ch challenge) Error() string { | |||
| return fmt.Sprintf("basic authentication challenge for realm %q: %s", ch.realm, ch.err) | |||
| } | |||
|
|
|||
| // createHtpasswdFile creates and populates htpasswd file with a new user in case the file is missing | |||
| func createHtpasswdFile(path string) error { | |||
| if _, err := os.Open(path); os.IsNotExist(err) { | |||
There was a problem hiding this comment.
Put the bulk of the work in the main path, not the indented path.
There was a problem hiding this comment.
Any other non-empty error should also be returned
registry/auth/htpasswd/access.go
Outdated
| if _, err := f.Write([]byte(fmt.Sprintf("docker:%s", string(encryptedPass[:])))); err != nil { | ||
| return err | ||
| } | ||
| logrus.Warnf("htpasswd is missing. provisioned with default user:docker password:%s", pass) |
There was a problem hiding this comment.
Please use the logging system already used throughout the registry. We don't access logrus directly.
There was a problem hiding this comment.
Also, use the field-based logging for these values, rather than just dumping them in the message.
There was a problem hiding this comment.
Thanks @stevvooe can I use GetLoggerWithFields? if so, fixed.
liron-l
force-pushed
the
populate_htpasswd
branch
3 times, most recently
from
fdcbea8
to
da7d5e3
Compare
|
Thanks @stevvooe @dmcgowan @endophage I've updated the PR according to your comments. |
| if _, err := f.Write([]byte(fmt.Sprintf("docker:%s", string(encryptedPass[:])))); err != nil { | ||
| return err | ||
| } | ||
| dcontext.GetLoggerWithFields(context.Background(), map[interface{}]interface{}{ |
There was a problem hiding this comment.
Also, this message should explain the "escape hatch", as this will confusing to those who have already ran the registry. I'll discuss the "escape hatch" more on distribution/distribution-library-image#58.
There was a problem hiding this comment.
@stevvooe but this config only apply if you start the registry with htpasswd enabled.
If you use REGISTRY_AUTH="" (or silly with realm) it is not enabled.
Is it OK to write
Disable default basic authentication by overriding the 'REGISTRY_AUTH' environment variable?
There was a problem hiding this comment.
@liron-l If you are using the registry behind a proxy, which is an extremely common deployment, this will break them and those users will panic. What do they do when this happens?
There was a problem hiding this comment.
@stevvooe I think the scenario you describe is relevant to the hub image change (which is indeed a breaking change).
However, here we just automatically populate the username/password when they are missing in basic auth scenario (like Jenkins does on default setup).
|
Can you rebase this to get CI passing, circleci does not seem to be building from a merged branch even when I kicked it to run without cache |
liron-l
force-pushed
the
populate_htpasswd
branch
from
da7d5e3
to
4546330
Compare
|
Thanks @dmcgowan, The tests passed now. |
If htpasswd authentication option is configured but the htpasswd file is missing, populate it with a default user and automatically generated password. The password will be printed to stdout. Signed-off-by: Liron Levin <liron@twistlock.com>
liron-l
force-pushed
the
populate_htpasswd
branch
from
4546330
to
c785740
Compare
|
Is this still okay for you @dmcgowan? |
|
@dmcgowan we broke something here. New PRs are not passing failing on gometalinter checks. |
|
We cannot merge old PRs that haven't run Travis, we can kick it off by opening a dummy PR with the change commit or having them rebased |
|
@dmcgowan agreed. |
If htpasswd authentication option is configured but the htpasswd file is
missing, populate it with a default user and automatically generated
password.
The password will be printed to stdout.
Signed-off-by: Liron Levin liron@twistlock.com