Deomid Ryabkov
let me try to clarify. if your set of _users_ is static, you can use static authentication stage. authentication should also allow public access requests (no username) to proceed. it...
> always calls authentication logic, so that unauthorized users can not pull public images

this is not correct. authentication is always invoked, yes, but it can allow unidentified users if...
docker_auth architecture makes clear separation between authentication and authorization phases:
* authentication plugins are only concerned with establishing whether the user is who they claim to be, i.e. checking the...
i don't know anything about ping request. when are they used, what do they look like (uri, headers) and why don't they go to authz logic?
ok, i see the problem. any suggestions on how to solve it?
no, if we are making an API change, it needs to be made uniformly to all implementations. i'm not sure what the change should be though. can you research it...
i assume you want to control access to certain images based on group membership. this is not possible currently and will require code changes - an "LDAP authorizer" will have...
no immediate plans. docker_auth is a side project for us at cesanta, and we don't use LDAP auth. LDAP auth was contributed by @summerQLin - maybe you can ask (or...
we could retrieve attributes of the client cert and add them to labels so authz phase could access them
yes, authz is the authorization / ACL matching phase, authn (authentication) in this case is the TLS handshake. i don't think we should be statically rewriting CN to account, just...