SUSE / Portus

Authorization service and frontend for Docker registry (v2)
http://port.us.org/
Apache License 2.0

How to display an already created Application Token? #1867

Closed Martin-Weiss closed 6 years ago

Martin-Weiss commented 6 years ago

Description

After a new Application Token is created it is displayed once in the web-browser and then added to some application using authentication against the registry through Portus.

Now another server in a cluster should use the same Token but it cannot be retrieved from the first client.

How can we display an already created application token a second time?

Steps to reproduce

  1. create application token
  2. close browser
  3. log in to Portus again and try to display an already existing application token.

--> any idea how this could be done?

ArcticSnowman commented 6 years ago

You can't.. it's designed that way to prevent it being hacked out..

Just create a new one and save that some place secure to use on each node..

Martin-Weiss commented 6 years ago

Hm - saving somewhere else might not also be more secure and we have the token just because it is stored in clear-text on the docker config file, anyway... - so "secure" is something completely different ;-). I assume the token is stored in the database anyway and I might be able to retrieve it from there? Otherwise one might just find it in a backup of ~/.docker/config.json...

ArcticSnowman commented 6 years ago

At least your ~/.docker should be only readable by yourself (or root).. So it has some level of security.. I sometimes store mine in a password keeper like Keeper or KeePass or some such..

mssola commented 6 years ago

> I assume the token is stored in the database anyway and I might be able to retrieve it from there?

No. As @ArcticSnowman says, we do not store the generated plain token on the DB (we only store its encrypted version). The plain text is only shown after generating it, but then Portus does not know about it, and this is done on purpose for security reasons (imagine that your DB has been compromised). This is the same idea as to why Portus doesn't store plain passwords into the DB.

As for the ~/.docker/config.json configuration file, it's quite unfortunate that saving passwords in plain text is the default behavior, but you can avoid this with docker-credential-helpers. I use the secretservice locally, and then the only thing stored in the ~/.docker/config.json file is:

{
        "auths": {
                "registry.mssola.cat:5000": {}
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/17.09.1-ce (linux)"
        },
        "credsStore": "secretservice"
}

The service to be used depends on the OS, but regardless of which one it is, it will save passwords safely.

I'll close this issue now, since I think it's solved, but feel free to leave more comments if you have further doubts :+1:

mssola commented 6 years ago

Note that if you are using openSUSE/SLE you can install this secretservice package in obs://Virtualization:containers.
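
As an added example (not code from this thread or from Portus), the sketch below audits a Docker client `config.json` for the two conditions discussed above: a file readable by group or others, and registry entries that still carry an inline `auth` value instead of the empty entry a credential helper leaves behind. The function names, finding codes and the `registry.example.test` entry are made up for illustration.

```python
import base64
import json
import os
import stat
import tempfile

# Constructed sample: one inline credential, one helper-backed (empty) entry.
SAMPLE = {
    "auths": {
        "registry.example.test:5000": {
            "auth": base64.b64encode(b"ci-bot:constructed-token").decode()},
        "registry.mssola.cat:5000": {},
    },
    "credsStore": "secretservice",
}

def audit_docker_config(path):
    """Return (code, detail) findings for a Docker client config.json."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(("loose-permissions", f"{mode:04o}"))
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    inline = False
    for registry, entry in sorted(cfg.get("auths", {}).items()):
        blob = entry.get("auth")
        if not blob:
            continue  # nothing stored in the file for this registry
        inline = True
        try:
            # "auth" is base64("user:secret"): an encoding, not encryption.
            user = base64.b64decode(blob).decode("utf-8", "replace").split(":", 1)[0]
        except ValueError:
            user = "?"
        findings.append(("inline-credential", f"{registry} user={user}"))  # never report the secret
    if inline and not (cfg.get("credsStore") or cfg.get("credHelpers")):
        findings.append(("no-credential-helper", "credsStore and credHelpers unset"))
    return findings

def demo(cfg=SAMPLE, mode=0o644):
    # Write the constructed config to a temporary file and audit it.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
        os.chmod(path, mode)
        return audit_docker_config(path)

if __name__ == "__main__":
    print(demo())
```

Run it against a real file with `audit_docker_config(os.path.expanduser("~/.docker/config.json"))`; an empty list means the file is private and holds no inline credentials.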