Skip to content

Fix registry authorization errors#28235

Merged
tonistiigi merged 3 commits intomoby:masterfrom
dmcgowan:fix-registry-authorization-errors
Nov 11, 2016
Merged

Fix registry authorization errors#28235
tonistiigi merged 3 commits intomoby:masterfrom
dmcgowan:fix-registry-authorization-errors

Conversation

@dmcgowan
Copy link
Member

@dmcgowan dmcgowan commented Nov 10, 2016

Updates client to better handle errors when using OAuth tokens. Prevents unauthenticated errors getting sent back to the cli when permission is denied and erroneously prompting the user for login. This also trims error arrays down to a single element and logs the trimmed errors, this prevents the api from setting the status code to 401 when it sees "unauthorized" in one of the extra errors.

Needed for #28100
Closes #26462

@dmcgowan dmcgowan force-pushed the fix-registry-authorization-errors branch from fe266c4 to 5f106f7 Compare November 10, 2016 05:15
@dmcgowan dmcgowan mentioned this pull request Nov 10, 2016
Merged
@dmcgowan dmcgowan force-pushed the fix-registry-authorization-errors branch from 5f106f7 to dc20fa3 Compare November 10, 2016 19:20
@vdemeester vdemeester added this to the 1.13.0 milestone Nov 10, 2016
@vdemeester
Copy link
Member

vdemeester commented Nov 10, 2016

/cc @aaronlehmann @stevvooe

stevvooe
stevvooe reviewed Nov 10, 2016
View reviewed changes
distribution/errors.go Outdated
Copy link
Contributor

@stevvooe stevvooe Nov 10, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to handle ErrorCodeUnauthorized, although this code should result in a token fetch most of the time, whereas ErrorCodeDenied is terminal.

Copy link
Member Author

@dmcgowan dmcgowan Nov 10, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is getting called when the error is terminal and will be returned back to the api handler. Right now the message getting returned by unauthorized is "correctly" getting picked up and prompting login. I am not too concerned with handling that case but after this PR I want to enumerate what all the cases are and the messaging getting sent to users.

@stevvooe
Copy link
Contributor

stevvooe commented Nov 10, 2016

LGTM

@vdemeester vdemeester mentioned this pull request Nov 10, 2016
Merged
3 tasks
@thaJeztah thaJeztah added the status/failing-ci Indicates that the PR in its current state fails the test suite label Nov 10, 2016
@thaJeztah
Copy link
Member

thaJeztah commented Nov 10, 2016

@dmcgowan tests are failing

@dmcgowan
Copy link
Member Author

dmcgowan commented Nov 10, 2016

Looks like trust failures are related to distribution/distribution#2044 in distribution. Going to update the trust build code to ensure the output is not changing due to this change.

@dmcgowan dmcgowan mentioned this pull request Nov 10, 2016
Merged
@nishanttotla nishanttotla mentioned this pull request Nov 10, 2016
Merged
@dmcgowan dmcgowan force-pushed the fix-registry-authorization-errors branch from dc20fa3 to fc1aaa2 Compare November 11, 2016 00:08
@dmcgowan
Copy link
Member Author

dmcgowan commented Nov 11, 2016

Added a commit which resolves the issues with the distribution vendor update. The change to WithDigest required an additional method to remove tag before calling to preserve existing behavior. We have already discussed this on the distribution issue as the correct way to use WithDigest rather than assuming it will remove the tag.

@tonistiigi tonistiigi removed the status/failing-ci Indicates that the PR in its current state fails the test suite label Nov 11, 2016
@aaronlehmann
Copy link

aaronlehmann commented Nov 11, 2016

Tested docker pull and docker service create with name:tag@digest syntax and didn't find any problems.

LGTM

@aaronlehmann
Copy link

aaronlehmann commented Nov 11, 2016

However it's very possible that the only reason why these things work correctly is that github.com/docker/docker/reference drops the tag in ParseNamed:

        if canonical, isCanonical := named.(distreference.Canonical); isCanonical {
                return WithDigest(r, canonical.Digest())
        }
        if tagged, isTagged := named.(distreference.NamedTagged); isTagged {
                return WithTag(r, tagged.Tag())
        }

We should probably fix ParseNamed to be consistent with the upstream changes. But that may cause more issues.

@dmcgowan
Copy link
Member Author

dmcgowan commented Nov 11, 2016

@aaronlehmann I saw that in ParseNamed figuring out where to update. I recall that was done intentionally to prevent the creation of a tagged and digested reference, but there is no comment explaining it and I can't think of an error it would cause. Seems to me like more of a problem to have it strip data such that ParsedNamed(s).String() != s. We can address this upon deprecation of the docker/docker/reference fork.

@aaronlehmann
Copy link

aaronlehmann commented Nov 11, 2016
edited
Loading

@dmcgowan: It turns out this is an issue for service create. Creating a service with the image reference busybox:latest@sha256:29f5d56d12684887bdfa50dcd29fc31eea4aaf4ad3bec43daf19026a7ce69912 strips out the tag in service ls, whereas specifying busybox:latest keeps the tag and adds a digest as well. I suggested using ParseNamed from github.com/docker/distribution/reference to work around this.

cc @nishanttotla

@tonistiigi
Copy link
Member

tonistiigi commented Nov 11, 2016

LGTM

@tonistiigi tonistiigi added status/4-merge status/failing-ci Indicates that the PR in its current state fails the test suite and removed status/2-code-review labels Nov 11, 2016
@dmcgowan
Update distribution vendor
60ecc13 
Pull in client changes to handle oauth errors

Signed-off-by: Derek McGowan <[email protected]> (github: dmcgowan)
@dmcgowan
Update for distribution vendor
c85eb00 
Handle updates to reference package.
Updates for refactoring of challenge manager.

Signed-off-by: Derek McGowan <[email protected]> (github: dmcgowan)
@dmcgowan
Update pull error handling
19a93a6 
Translate pull errors to provide a more consistent and user friendly
error message.

Signed-off-by: Derek McGowan <[email protected]> (github: dmcgowan)
@dmcgowan dmcgowan force-pushed the fix-registry-authorization-errors branch from fc1aaa2 to 19a93a6 Compare November 11, 2016 01:36
@tonistiigi tonistiigi removed the status/failing-ci Indicates that the PR in its current state fails the test suite label Nov 11, 2016
@vieux
Copy link
Contributor

vieux commented Nov 11, 2016

let's wait for #27917 before merging

@tonistiigi tonistiigi merged commit 48a0c3e into moby:master Nov 11, 2016
@nishanttotla
Copy link
Contributor

nishanttotla commented Nov 11, 2016

Adding some utility functions so that we can move to using ParseNamed from docker/distribution/reference here: distribution/distribution#2062

@dmcgowan dmcgowan mentioned this pull request Nov 14, 2016
Closed
@thaJeztah thaJeztah mentioned this pull request Nov 15, 2016
Merged
@thaJeztah thaJeztah mentioned this pull request Dec 5, 2016
Closed
@thaJeztah thaJeztah mentioned this pull request Jan 6, 2017
Closed
@tt tt mentioned this pull request Mar 17, 2017
Closed
dnephin pushed a commit to dnephin/docker that referenced this pull request Apr 17, 2017
@tonistiigi
Merge pull request moby#28235 from dmcgowan/fix-registry-authorizatio…
795e487 
…n-errors

Fix registry authorization errors
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevvooe stevvooe stevvooe left review comments

Assignees

No one assigned

Labels

status/4-merge

Projects

None yet

Milestone

1.13.0

Development

Successfully merging this pull request may close these issues.

9 participants

@dmcgowan @vdemeester @stevvooe @thaJeztah @aaronlehmann @tonistiigi @vieux @nishanttotla @GordonTheTurtle