
Allow integration with no auth registries

Open jaekunchoi opened this issue 8 years ago • 9 comments

Some companies use registries without any token auth enabled, and there are some use cases where lots of other third parties are using it, so it makes it difficult to migrate from no-auth to auth.

jaekunchoi avatar Jan 11 '17 12:01 jaekunchoi

So, you are suggesting to allow an administrator to disable the whole authorization part and just act as a UI of the registry?

mssola avatar Jan 11 '17 16:01 mssola

No. I mean token auth may not be enabled on the registry, so allow flags in the config file to not ask for a token every time it calls, let's say, from the perform_request method of the HttpHelpers class.

jaekunchoi avatar Jan 11 '17 23:01 jaekunchoi

Well, if you don't provide the auth/token configuration part, Portus will not get notified for push events (authorization requests), so authorization from portus' side will effectively be dismantled. That's why I asked whether that was your use case.

mssola avatar Jan 12 '17 12:01 mssola

Can we use Catalog API with portus_crono instead then?

jaekunchoi avatar Jan 13 '17 03:01 jaekunchoi

The API can be accessed (even without token authentication in place) from the Portus side or the portus_crono side. With this you will be able to perform stuff like fetching the list of images, deleting blobs, etc. But you will be doing that without having an authorization service, so any user can potentially do it. That's what I meant before with "just act as a UI of the registry" 😉

If you are curious about this, we have a rails runner in the bin directory that will allow you to make API calls (even though I've never tested this without an authorization token). From the command line (or docker container containing the code), you can call it like this:

$ rails r bin/client.rb catalog

This client script is pretty minimalistic, since it's only meant for development purposes.

mssola avatar Jan 13 '17 11:01 mssola

> So, you are suggesting to allow an administrator to disable the whole authorization part and just act as a UI of the registry?

@mssola -- is that possible? That's what I'd like to do.

dannydulai avatar Feb 18 '17 18:02 dannydulai

@dannydulai it should be possible, but I have to admit that I've never actually tried it 😀 That's something that we could add into the documentation.

mssola avatar Feb 18 '17 18:02 mssola

After taking a further look at this, there are two main issues to take into account:

First of all, Portus is not able right now to automatically create namespaces after a push (I just created #1961 to track this). This is important because if you start pushing images inside of namespaces unknown to portus, then you will miss them (it's fine if you push images without a namespace though).

Lastly, Portus needs information about which user pushed the image. The registry task on the background process assumes that the user is given in the notification by the registry, but this is not the case if Portus is not configured as the authorization service (imagine the case where a user pushed an image without being logged in to the registry, which is something people can do without an authorization service in place). One idea is that this task could act pretty much like the sync task, and assign the activity to the portus hidden user in this case, but I'm thinking we can do something better here...

The first issue is already tracked by #1961, and the second can be tracked here. So, I will remove the documentation label and move this out of the 2.4 release, since we don't have the time to accomplish all this within this release 😅

mssola avatar Sep 05 '18 09:09 mssola
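
The two issues in the comment above (images pushed into namespaces, and push notifications that carry no user when no authorization service is in place), as an added example that is not part of the thread or of Portus' code. It assumes the registry's notification envelope fields `events[].action`, `target.repository` and `actor.name`; `FALLBACK_ACTOR`, `attribute_pushes` and the sample events are constructed for illustration.

```ruby
require "json"

# Assumption: account name standing in for the "portus hidden user"
# mentioned in the thread.
FALLBACK_ACTOR = "portus"

# Constructed, simplified events in the registry notification envelope.
SAMPLE = <<~JSON
  {"events": [
    {"action": "push",
     "target": {"repository": "team/app", "tag": "1.0"},
     "actor": {"name": "alice"}},
    {"action": "push",
     "target": {"repository": "team/app", "tag": "1.1"},
     "actor": {}},
    {"action": "push",
     "target": {"repository": "busybox", "tag": "latest"}},
    {"action": "pull",
     "target": {"repository": "team/app", "tag": "1.0"},
     "actor": {}}
  ]}
JSON

# Returns one record per push event. A push without an actor name is
# assigned to FALLBACK_ACTOR and marked unattributed, so an audit view
# can tell it apart from a push by an authenticated user.
def attribute_pushes(payload)
  events = JSON.parse(payload).fetch("events", [])
  events.select { |e| e["action"] == "push" }.map do |e|
    repo = e.dig("target", "repository").to_s
    # Everything before the last "/" is the namespace; none means global.
    namespace, _, image = repo.rpartition("/")
    name = e.dig("actor", "name").to_s.strip
    {
      namespace:  namespace.empty? ? nil : namespace,
      image:      image,
      tag:        e.dig("target", "tag"),
      actor:      name.empty? ? FALLBACK_ACTOR : name,
      attributed: !name.empty?
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  attribute_pushes(SAMPLE).each { |record| puts record }
end
```

Keeping the `attributed` flag separate from the actor name means the activity log never presents an anonymous push as if a known user had made it.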

Any updates on this? This is almost 3 years old. It seems that Portus still doesn't work properly with a registry without authentication.

biscaldis avatar Dec 03 '19 10:12 biscaldis