feat: password can contain : @ | #297

Merged
merged 2 commits into from Nov 26, 2023

sigoden (Owner) commented Nov 26, 2023

Passwords can use any characters; the only restriction is that the '@/' string cannot appear.
For example, user:p|a:s@s@/:rw is a valid rule; dufs knows the pass is p|a:s@s.

sigoden (Owner, Author) commented Nov 26, 2023

also solved #236

sigoden changed the title from "feat: auth pass can contain : @ |" to "feat: password can contain : @ |" on Nov 26, 2023
sigoden merged commit 653cd16 into main on Nov 26, 2023
3 checks passed
sigoden deleted the feat-passwd branch on November 26, 2023 12:48

olorin37 commented May 7, 2024

@sigoden But now it is not possible to provide multiple users by environment variable. I deploy dufs in a container and use a config file. I cannot hold passwords in this configuration file located in the image (and accessible by anyone who has access to the registry); I would like to provide passwords from secret management.

Actually, a separate file for auth would be sufficient to solve the problem, because such a file could be provided by podman/docker secret or HashiCorp Vault as a file.

Probably a new issue should be created, but maybe one already exists (I will check that later).

sigoden (Owner, Author) commented May 8, 2024

Have you really tried it? The DUFS_AUTH environment variable supports multiple users, which are separated by |, such as DUFS_AUTH='user1:admin1@/:rw|user2:admin2@/:rw'

olorin37 commented May 8, 2024

Of course, I do :) no problem to reproduce ... wait...

...and I found that I blamed the wrong character. The problem was with \n at the end of the string, not with | in the middle. I did:

❯ echo 'operator:zzzz@/:rw|fooz:fooz@/:ro' | podman secret create my-auths-n -
b840de9d9050fd4e10a8c465d

❯ podman run --rm -it -p 1025:1025 --secret=my-auths-n,type=env,target=DUFS_AUTH my-registry.artifactory.my-domain.com/projx/dufs:0.240507.6
Error: Invalid auth `fooz:fooz@/:ro

echo produces an additional \n here, which is obvious, but also easy to forget in such a context (this is why I am showing it in the original context).

When done properly it of course works:

❯ echo -n 'operator:zzzz@/:rw|fooz:fooz@/:ro' | podman secret create my-auths -
1d44fab2278eb05e0bd38d1e8

❯ podman run --rm -it -p 1025:1025 --secret=my-auths,type=env,target=DUFS_AUTH my-registry.artifactory.my-domain.com/projx/dufs:0.240507.6
Listening on:
  http://10.0.2.100:1025/
  http://127.0.0.1:1025/

So, my mistake (but when I found | was actually removed as delimiter, I had stopped digging :). Nevertheless, an additional file for the secret part of the configuration would still be beneficial.
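
Added example (not part of the original thread or of the dufs project): a pre-flight check for the trailing-newline mistake described in the comment above, run before a DUFS_AUTH value is turned into a secret. The function names are hypothetical; the sample value is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the dufs project.
# Function names are hypothetical; AUTH is the sample value from the thread.

# Write the value byte-for-byte, without the "\n" that plain `echo` appends.
emit_secret() {
    printf '%s' "$1"
}

# Read a candidate secret on stdin; succeed only if it has no CR or LF bytes.
# Bytes are counted in the pipe because $(...) would strip trailing newlines
# and hide the problem.
secret_is_clean() {
    n=$(tr -cd '\r\n' | wc -c | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Print the last byte of stdin as two hex digits (0a means a trailing "\n").
last_byte_hex() {
    tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# Refuse to create the secret unless the value is clean.
# `podman secret create NAME -` reads the secret from stdin, as in the thread.
create_auth_secret() {
    name=$1
    value=$2
    if ! emit_secret "$value" | secret_is_clean; then
        echo "refusing to create $name: value contains CR/LF" >&2
        return 1
    fi
    emit_secret "$value" | podman secret create "$name" -
}

AUTH='operator:zzzz@/:rw|fooz:fooz@/:ro'

# Demonstration without touching podman: compare the two ways of piping.
if echo "$AUTH" | secret_is_clean; then
    echo "echo: clean"
else
    echo "echo: last byte is $(echo "$AUTH" | last_byte_hex), would be rejected"
fi
if emit_secret "$AUTH" | secret_is_clean; then
    echo "printf: clean, last byte is $(emit_secret "$AUTH" | last_byte_hex)"
fi
```

The same check applies to a file that is about to be mounted as a secret: redirect it into secret_is_clean and create the secret only when the function succeeds.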

sigoden (Owner, Author) commented May 8, 2024

You can put config.yaml into a secret if necessary. It's unnecessary to separate the secret part of the configuration.

olorin37 commented May 8, 2024

I can't, but not because dufs does not allow it. I want to be able to put this config.yaml directly into the container file I prepare.

I have this container file:

FROM docker-registry-remote.artifactory-espoo1.int.net.nokia.com/sigoden/dufs:v0.40.0

VOLUME /configuration
COPY config.yaml /config.yaml

ENTRYPOINT ["/bin/dufs", "--config", "/config.yaml"]

and a config file:

---
serve-path: /configuration
bind:
  - 0.0.0.0
port: 1025
auth:
  - ""
allow-all: true

So, config files will be available to read by anybody with read access to the container. I want to add credentials with a secret (e.g. with HashiCorp Vault or podman/docker/k8s secrets). To achieve that I would need to merge it into the config.yaml at container startup, before dufs starts - of course doable, but nicer would be to have an option to provide the value with another file - of course a variable also provides a nice way to do that - but it is a little harder for Vault - because I would need to start a vault agent in the same container with dufs as its supervisor (to provide the envvar).

olorin37 commented May 8, 2024

I had asked about something which is described in the README, so I've removed it
