
Feature request: command to list all GUNs on a remote server

Open dnwake opened this issue 8 years ago • 7 comments

We already have the "notary list" command, but it requires the user to supply a GUN.

It would be useful to be able to iterate through all the GUNs on a remote server. A sample use case is renaming a host running Docker registry. The user will want to take a series of GUNs of the form "oldhostname/path/to/repo" and create duplicate GUNs (with the same targets / digests) with the form "newhostname/path/to/repo".

dnwake, Sep 27 '16 23:09

Hi @dnwake, I actually considered this when I came across such a use case:

"people may want to know which images on the image_list_page (the web front end) are signed and can be trusted"

So if there were an API that could list the status of all the GUNs on the notary service, it would be helpful.

But since the service (not the notary service, I mean the whole Docker Hub service) we provide is a multi-tenant service, an API that lists all the GUNs would cause information leakage, which was not acceptable.

Besides, one notary service could be used by many registries; it does not seem right to list the image information of one registry server to the others.

HuKeping, Sep 28 '16 14:09

@HuKeping

How about a list of GUNs with a delegation to a particular key?

dnwake, Sep 28 '16 20:09

@dnwake a delegated key does not automatically equal access to the GUN. The authz on docker hub may have been updated to revoke a user's access, though their delegation key may not have been removed as a signer yet. You also shouldn't be able to arbitrarily list GUNs for any delegation key as providing a key ID is not proof of authorization.

I'll talk to the hub team and see how they do it with respect to the existing token auth notary leveraged. We'll have to work out the authz piece so a user can only list GUNs they have access to, then subsequently we can apply a range of filters to those GUNs they are interested in based on key ID or some other factor (i.e. org/account name, GUN prefix, etc...)

endophage, Oct 04 '16 20:10

@endophage What if you also provide the key?

dnwake, Oct 04 '16 21:10

Doesn't matter. If you're a delegate and the admin has revoked your authz and for any reason hasn't removed your signing key yet, you still shouldn't have access. Maybe they're AFK so can't sign but can access docker hub through a mobile device to respond to an immediate problem.

endophage, Oct 04 '16 21:10

The changefeed functionality adds an initial use of the catalog token. We could now add this feature using that token for auth. The current configuration of docker's token server would only issue these catalog tokens to admin users.

endophage, Nov 18 '16 21:11
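The design endophage sketches above (authorization first, key-ID and prefix filters only afterwards, with an admin-only catalog scope for full listing) as an added illustration in Go. This is not notary's code; the `repo`, `token` types, the `sampleRepos` data and the `listGUNs` function are constructed for the example.

```go
package main

import (
	"sort"
	"strings"
)

// Illustrative types, not notary's own. keys: delegation key IDs still present in
// the GUN's metadata; authz: accounts the auth server currently allows to read it.
type repo struct {
	gun   string
	keys  map[string]bool
	authz map[string]bool
}

// token stands in for the auth server's bearer token (account + admin-only catalog scope).
type token struct {
	account string
	catalog bool
}

// listGUNs restricts results to what the caller is authorised to see, then applies
// convenience filters (GUN prefix, delegation key ID). A key ID present in the
// metadata is never proof of access: a revoked user whose key has not yet been
// rotated out still sees nothing.
func listGUNs(repos []repo, tok token, prefix, keyID string) []string {
	out := []string{}
	for _, r := range repos {
		if !tok.catalog && !r.authz[tok.account] {
			continue // authz decides visibility, not key possession
		}
		if !strings.HasPrefix(r.gun, prefix) {
			continue
		}
		if keyID != "" && !r.keys[keyID] {
			continue
		}
		out = append(out, r.gun)
	}
	sort.Strings(out)
	return out
}

// Constructed sample data: bob's key is still a signer on web, but his access was revoked.
func sampleRepos() []repo {
	return []repo{
		{"oldhostname/app/web", map[string]bool{"key-alice": true, "key-bob": true}, map[string]bool{"alice": true}},
		{"oldhostname/app/db", map[string]bool{"key-alice": true}, map[string]bool{"alice": true, "carol": true}},
		{"registry.example/tool", map[string]bool{"key-bob": true}, map[string]bool{"bob": true}},
	}
}
```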

We're getting bitten by the lack of this feature 4 years later. Any plans to implement this?

taha-au, Jun 09 '20 20:06