Fall back to BasicAuth if token is disabled #234
Conversation
|
Attached issue: https://pulp.plan.io/issues/8074 |
mdellweg
force-pushed
the
token_vs_basic_auth
branch
2 times, most recently
from
3fa9a83
to
0c3cb86
Compare
mdellweg
force-pushed
the
token_vs_basic_auth
branch
2 times, most recently
from
6e07a87
to
eb2cb06
Compare
pulp_container/app/registry_api.py
Outdated
| @property | ||
| def authentication_classes(self): | ||
| if settings.get("TOKEN_AUTH_DISABLED", False): | ||
| return api_settings.DEFAULT_AUTHENTICATION_CLASSES |
There was a problem hiding this comment.
I decided that this is the better way, as we can fallback to the list of configured auth-classes.
Also it does not mess with the class creation process as __new__ does.
There was a problem hiding this comment.
this changed fixed the direct api calls but still not for client push
return [api_settings.DEFAULT_AUTHENTICATION_CLASSES[1]]
There was a problem hiding this comment.
i get this "Attempting next endpoint for push after error: unauthorized: Authentication credentials were not provided."
it feels like the client does not send the basic auth creds in the calls?
There was a problem hiding this comment.
I used podman, and push with logged in as admin worked for me.
There was a problem hiding this comment.
Applying rpm.0029_rpmpublication_sqlite_metadata... OK
Applying sessions.0001_initial... OK
Initialize missing access policies for core.
Initialize missing access policies for container.
Initialize missing access policies for python.
Initialize missing access policies for rpm.
Initialize missing access policies for file.
Initialize missing access policies for pulp_2to3_migration.
pulp [None]: pulp_2to3_migration.app.plugin:INFO: Plugin pulp_deb is not installed in pulp3 therefore it will not be migrated from pulp2
Successfully set password for "admin" user.
pulp [None]: pulp_2to3_migration.app.plugin:INFO: Plugin pulp_deb is not installed in pulp3 therefore it will not be migrated from pulp2
0 static files symlinked to '/var/lib/pulp/assets', 161 unmodified.
(pulp) [vagrant@pulp3-source-fedora32 ~]$ prestart
systemctl restart pulpcore-content pulpcore-worker@1 pulpcore-worker@2 pulpcore-resource-manager pulpcore-api
(pulp) [vagrant@pulp3-source-fedora32 ~]$ podman logout localhost:24817
Removed login credentials for localhost:24817
(pulp) [vagrant@pulp3-source-fedora32 ~]$ podman login localhost:24817
Username: invalid-user
Password:
Login Succeeded!
(pulp) [vagrant@pulp3-source-fedora32 ~]$ podman logout localhost:24817
Removed login credentials for localhost:24817
(pulp) [vagrant@pulp3-source-fedora32 ~]$ podman login localhost:24817
Username: admin
Password:
Login Succeeded!
(pulp) [vagrant@pulp3-source-fedora32 ~]$ podman push localhost:24817/test/this:mytag1.8
Getting image source signatures
Copying blob 210dda196ec1 [--------------------------------------] 8.0b / 2.0KiB
Error: error copying image to the remote destination: Error writing blob: Error initiating layer upload to /v2/test/this/blobs/uploads/ in localhost:24817: unauthorized: Authentication credentials were not provided.
(pulp) [vagrant@pulp3-source-fedora32 ~]$
c7a5a8e
to
b9896b2
Compare
| Decide upon permission based on user. | ||
| """ | ||
| # TODO RBAC goes here | ||
| if request.user.is_staff: |
There was a problem hiding this comment.
I have tested this pr, user here is anonymours no matter what i am doing
- login into the registry permits to login even with wrong credentials
- if i'm accessing api directly this codepath is niot executed and i can perform get/post/put call without any auth provided.
There was a problem hiding this comment.
You are right. As long as we don't force "/v2/" to need credentials, podman will never try to provide them.
But we break anonymous pull if we do, because he will still try to find that and fallback to /v1ping/ instead.
This needs more investigation.
mdellweg
force-pushed
the
token_vs_basic_auth
branch
from
b9896b2
to
4ea0896
Compare
This will allow push for admin and pull for everyone including AnonymousUser, if TOKEN_AUTH_DISABLED=True. fixes #8074 https://pulp.plan.io/issues/8074
mdellweg
force-pushed
the
token_vs_basic_auth
branch
from
4ea0896
to
ee80ad9
Compare
There was a problem hiding this comment.
with this pr i was able to push with admin credentials and to pull whether with a valid logged in user or not being logged in( anonymous pull). I can confirm that push is possible only with admin credentials.
This PR however does does not take into account whether a distribution is private or not during pull operation because policy is defined on the distribution/namespace viewsets which are not used whenever token_auth is disabled.
fixes #8074
https://pulp.plan.io/issues/8074