Merged
Conversation
Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
force-pushed
the
token-auth
branch
2 times, most recently
from
ceaf8d4 to
90c43ed
Compare
This PR adds support for handling authentication and authorization using Json Web Tokens (JWTs). This brings in a lot of advancements: 1. A fine grained access control layer for scoping/sharing access for container images 2. Authentication is overall much simpler 3. We can build a token service on top of this (which can be tracked and implemented in a different issue), to support offline and token usecases. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 20, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes a bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 20, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
jay-dee7
added a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
guacamole
pushed a commit
that referenced
this pull request
Oct 21, 2021
We recently added JWT auth and it introduced a bug that let's anyone push images under any namespace: This PR fixes the bug introduced in PR #48 **johndoe** want to push **app1** so he creates an image named `openregistry.dev/johndoe/app1`, since he's the owner of the image, he can push the image. **johndoe** wants to push **app1** to **janedoe's** account, so he makes a request as: `openregistry.dev/janedoe/app1` and this worked too (which it should not) With this PR, we now check that only `pull` should be allowed and `push` should be restricted to user's own namespace. Signed-off-by: jay-dee7 <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Feat: added JWT AuthN/AuthZ basic flow
This PR adds support for handling authentication and authorization using JSON Web Tokens (JWTs). This brings in a lot of advancements:
Signed-off-by: jay-dee7 [email protected]