Not permitted to update Repository Description using Personal Access Tokens #1927

Closed
jmb12686 opened this issue Dec 14, 2019 · 8 comments
Comments

@jmb12686

Problem description

Ability to update Docker Hub repository description (README) is not allowed when using personal access tokens. This significantly impacts the usability of 2FA (2 factor authentication) and degrades the security posture when attempting to automate all aspects of a build and deploy pipeline to Docker Hub. To note: Using Docker Hub automated builds is not an option for me or my organization at this time.

Furthermore, this functionality was allowed for personal access tokens between 1-2 months ago, until recently when I attempted to run an automated CI job to update my repository description. What is the rationale to limit usability of 2FA and personal access tokens? What options are available besides turning off 2FA and/or using Docker Hub automated builds?

Current Error:

➜ LOGIN_PAYLOAD="{\"username\": \"jmb12686\", \"password\": \"REDACTED\"}"
➜ TOKEN=$(curl -s -H "Content-Type: application/json" -X POST -d ${LOGIN_PAYLOAD} https://hub.docker.com/v2/users/login/ | jq -r .token)
➜ README_FILEPATH=${README_FILEPATH:="./README.md"}
➜ REPO_URL="https://hub.docker.com/v2/repositories/jmb12686/cadvisor/"
➜ curl -v -H "Authorization: JWT ${TOKEN}" -X PATCH --data-urlencode full_description@${README_FILEPATH} ${REPO_URL}
*   Trying 3.92.111.237...
* TCP_NODELAY set
* Connected to hub.docker.com (3.92.111.237) port 443 (#0)
.....truncating curl output......
{"detail": "access to the resource is forbidden with personal access token"}%
➜ 

Security Issues

N/A - Though security is affected due to the requirement now that user credentials (not personal access tokens) are necessary to update Hub repository description through the API. 2FA must be disabled now too.
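The login-then-PATCH flow from the report, rewritten as an added example (not the reporter's script and not an official Docker Hub client) so a CI step fails closed and reports the PAT restriction explicitly instead of silently continuing. It assumes the PATCH body may be sent as JSON with a `full_description` key and that the 403 body contains the `detail` string shown above; the `transport` parameter exists so the flow can be exercised offline.

```python
import json
import urllib.error
import urllib.request

HUB = "https://hub.docker.com/v2"
# Substring of the 403 body quoted in the report above.
PAT_DENIED = "forbidden with personal access token"

def send(method, url, body=None, token=None):
    """Send one JSON request to Docker Hub and return (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "JWT " + token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def classify(status, body):
    """Map the PATCH response to a stable outcome string a pipeline can branch on."""
    if status == 200:
        return "updated"
    detail = str(body.get("detail", ""))
    if status == 403 and PAT_DENIED in detail:
        # The credential is a PAT: Hub will not let it edit the description.
        return "pat_forbidden"
    return "error:%d" % status

def update_description(repo, readme_text, username, secret, transport=send):
    """Log in with the given secret, then PATCH the repository description.

    The secret (password or PAT) is placed only in the JSON body, never in a
    shell string or log line, and the JWT is used only for the PATCH call.
    """
    status, body = transport("POST", HUB + "/users/login/",
                             {"username": username, "password": secret})
    if status != 200 or "token" not in body:
        return "login_failed:%d" % status
    status, body = transport("PATCH", HUB + "/repositories/%s/" % repo,
                             {"full_description": readme_text}, token=body["token"])
    return classify(status, body)
```

A CI job should treat anything other than "updated" as a hard failure, so a silently stale description (or a credential that stopped working) is noticed on the first run.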

@manishtomar
Contributor

This is intentional. Personal access tokens (for now) are only meant to access hub registry (docker push|pull) primarily for CI use-case. We deliberately do not allow all API access. Otherwise it defeats the purpose of having 2FA if everything can be accessed via token without second factor. Longer term we do plan to add scopes to tokens to allow other APIs.

Also please note that Hub APIs (while easy to decipher from the browser) are not officially supported. We do realize a lot of people use it anyway and will work towards officially supporting it by providing documentation.

> Furthermore, this functionality was allowed for personal access tokens between 1-2 months ago

This was a mistake. We never intended to roll out with full API access. We've since disabled it.

@jmb12686
Author

jmb12686 commented Dec 15, 2019

@manishtomar Thank you for clarifying. However, I strongly feel that CI use-cases for updating Docker Hub repository descriptions should be accounted for in your security / access models. Using personal access tokens to push/pull defeats far more purposes of 2FA than updating repository documentation.

In the end, updating repository documentation by manually logging in, copying, and pasting is a sub-optimal experience. Please consider supporting this within the docker cli or via some other official programmatic method.

@softprops

I agree with @jmb12686. This is especially true for those doing continuous integration and deployment.

@manishtomar
Contributor

@jmb12686 Thank you for the feedback. We will consider it.

@mwz

mwz commented Jan 2, 2020

I'm also in a similar situation and had updates to the description on dockerhub automated in my CI workflow. Not being able to do this automatically any more is rather inconvenient and a bit annoying tbh. I'm strongly in support for having this capability exposed via a cli or an API call. Thanks for your consideration @manishtomar 👍

@SuperSandro2000

So right now I need to disable 2FA to update my descriptions automatically?
Sounds like API Token should be able to be used for the API.

solidnerd added a commit to solidnerd/docker-bookstack that referenced this issue May 9, 2020
disable dockerhub description update action due to an uncovered api security issue.

docker/hub-feedback#1927

Signed-off-by: solidnerd <niclas@mietz.io>
@manishtomar
Contributor

Created roadmap item related to this: docker/roadmap#115. Please consider upvoting if you are interested in it.

@stronk7

stronk7 commented Aug 14, 2021

It's really unfortunate that docker/roadmap#115, rolled recently, did not address the ability to update descriptions via PAT, when it was created specifically because of this. And now, it's closed too.

stronk7 added a commit to moodlehq/moodle-php-apache that referenced this issue Aug 14, 2021
First attempt to switch the automated building of moodle-php-apache
images from DockerHub to GHA. Main reason being that the former doesn't
support multiarch builds (only multiarch storage).

Link: docker/hub-feedback#1874

Experimentally we'll be, also, sending the images to both DockerHub
and GitHub registries in case we need to switch some day.

This requires:

1. Some secrets to be created or used:
  - DOCKERHUB_USERNAME (to create)
  - DOCKERHUB_TOKEN (to create)
  - DOCKERHUB_PASSWORD (to create, grrr, descriptions cannot be updated
    using PATs, see docker/hub-feedback#1927 (comment))
  - GH_USERNAME (to create)
  - GITHUB_TOKEN (to use)
2. Autobuilds @ DockerHub to be disabled (this takes exactly on them)