Portus icon indicating copy to clipboard operation
Portus copied to clipboard
verified publisher icon SUSE

Unable to delete repository & tags

Open miraclecoco opened this issue 4 years ago • 2 comments

I was properly installed Portus and Registry. But I can't delete the pushed repository and one of its tags, after that, I was accessing the registry logs, it reports an error insufficient scope. I have audited the Portus source code, but I can't figure out what the problem caused.

Here's my compose file

image

It works properly

image

Response from https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Aall&service=registry.docker.local%3A5000

image image

Response from https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Adelete&service=registry.docker.local%3A5000

image image

Here's HTTP handler shown in app/controllers/api/v2/tokens_controller.rb

image

and related policy shown in app/policies/namespace_policy.rb

image

The key to the problem is policy delete? is an alias to all? and It will work properly when I request all action. But, when I request delete action, It responded I an empty access list. I think some magic procedure performed here, but I can't find it.

miraclecoco avatar Jan 29 '21 11:01 miraclecoco

I've tried to test all permissions that info 'NamespacePolicy' with request https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Aowner,show,push,pull,index,create,destroy,update,all,change_visibility,change_team,owner,contributor,viewer,member&service=registry.docker.local%3A5000

It responded

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkhBU1c6UFBHVDpGT0FCOkQyT0U6RzRGQzpJVk9FOkpBVkw6SzZZSTpXQU01Ok1VSFI6SzJBWTpTQzI3In0.eyJpc3MiOiJyZWdpc3RyeS5kb2NrZXIubG9jYWwiLCJzdWIiOiJwb3J0dXMiLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIubG9jYWw6NTAwMCIsImlhdCI6MTYxMTkyMzMzMywibmJmIjoxNjExOTIzMzI4LCJleHAiOjE2MTE5MjM2MzMsImp0aSI6IngyWlllSE5NeXlxZldDdThzaWRicGpTQ0Z0bUhEQVd4eVQxOWZoRXl5TiIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoibWFyaWFkYiIsImFjdGlvbnMiOlsic2hvdyIsInB1c2giLCJwdWxsIiwiaW5kZXgiLCJjcmVhdGUiLCJ1cGRhdGUiLCJhbGwiLCJjaGFuZ2VfdmlzaWJpbGl0eSIsImNoYW5nZV90ZWFtIl19XX0.uciId9AKi9bPWlKyHYMLIaa6-g0hgpWhf9IGnHPsSGkDeZZ_Wz-d50UeerXEi7_To9168ToG_xQpFgmjmUiLZhXt6Fz1eNZqCcgiYIgEhBBzxEbkOJBvh0B8OmC-ossCxKgQ-Ob0akBsEeUL96mZ-NEI9EAlzF9UjQpoDC7MZ6KeJrlyq7bPlT2oa_yyg2gV-knnUiBUdoLBMPOAksd3oo22Oub9HOU2CYudNBfH5j6JNwMl_VbBBJB4ZhG_J_0o9HQ9chNZzdOPQL_VptFyBN7-3EuXZtgBHt18-zvFkwLlLsXozEBxNbT9e5OOcQB7dt2jcpYz7n1zLFWNnKU7jA","expires_in":300,"issued_at":"2021-01-29T12:28:53+00:00"}

and the payload decoded from Jwt token

{
  "iss": "registry.docker.local",
  "sub": "portus",
  "aud": "registry.docker.local:5000",
  "iat": 1611923333,
  "nbf": 1611923328,
  "exp": 1611923633,
  "jti": "x2ZYeHNMyyqfWCu8sidbpjSCFtmHDAWxyT19fhEyyN",
  "access": [
    {
      "type": "repository",
      "name": "mariadb",
      "actions": [
        "show",
        "push",
        "pull",
        "index",
        "create",
        "update",
        "all",
        "change_visibility",
        "change_team"
      ]
    }
  ]
}

but delete did not appear in the access list.

miraclecoco avatar Jan 29 '21 12:01 miraclecoco

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Jan 09 '22 04:01 stale[bot]