Open miraclecoco opened 3 years ago
I've tried to test all the permissions in 'NamespacePolicy' with the request https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Aowner,show,push,pull,index,create,destroy,update,all,change_visibility,change_team,owner,contributor,viewer,member&service=registry.docker.local%3A5000
It responded
{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkhBU1c6UFBHVDpGT0FCOkQyT0U6RzRGQzpJVk9FOkpBVkw6SzZZSTpXQU01Ok1VSFI6SzJBWTpTQzI3In0.eyJpc3MiOiJyZWdpc3RyeS5kb2NrZXIubG9jYWwiLCJzdWIiOiJwb3J0dXMiLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIubG9jYWw6NTAwMCIsImlhdCI6MTYxMTkyMzMzMywibmJmIjoxNjExOTIzMzI4LCJleHAiOjE2MTE5MjM2MzMsImp0aSI6IngyWlllSE5NeXlxZldDdThzaWRicGpTQ0Z0bUhEQVd4eVQxOWZoRXl5TiIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoibWFyaWFkYiIsImFjdGlvbnMiOlsic2hvdyIsInB1c2giLCJwdWxsIiwiaW5kZXgiLCJjcmVhdGUiLCJ1cGRhdGUiLCJhbGwiLCJjaGFuZ2VfdmlzaWJpbGl0eSIsImNoYW5nZV90ZWFtIl19XX0.uciId9AKi9bPWlKyHYMLIaa6-g0hgpWhf9IGnHPsSGkDeZZ_Wz-d50UeerXEi7_To9168ToG_xQpFgmjmUiLZhXt6Fz1eNZqCcgiYIgEhBBzxEbkOJBvh0B8OmC-ossCxKgQ-Ob0akBsEeUL96mZ-NEI9EAlzF9UjQpoDC7MZ6KeJrlyq7bPlT2oa_yyg2gV-knnUiBUdoLBMPOAksd3oo22Oub9HOU2CYudNBfH5j6JNwMl_VbBBJB4ZhG_J_0o9HQ9chNZzdOPQL_VptFyBN7-3EuXZtgBHt18-zvFkwLlLsXozEBxNbT9e5OOcQB7dt2jcpYz7n1zLFWNnKU7jA","expires_in":300,"issued_at":"2021-01-29T12:28:53+00:00"}
and the payload decoded from the JWT token:
```json
{
  "iss": "registry.docker.local",
  "sub": "portus",
  "aud": "registry.docker.local:5000",
  "iat": 1611923333,
  "nbf": 1611923328,
  "exp": 1611923633,
  "jti": "x2ZYeHNMyyqfWCu8sidbpjSCFtmHDAWxyT19fhEyyN",
  "access": [
    {
      "type": "repository",
      "name": "mariadb",
      "actions": [
        "show",
        "push",
        "pull",
        "index",
        "create",
        "update",
        "all",
        "change_visibility",
        "change_team"
      ]
    }
  ]
}
```
but `delete` did not appear in the access list.
Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
I have properly installed Portus and Registry, but I can't delete the pushed repository and one of its tags. After that, I accessed the registry logs, and it reports an error `insufficient scope`. I have audited the Portus source code, but I can't figure out what caused the problem. Here's my compose file
It works properly
Response from
https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Aall&service=registry.docker.local%3A5000
Response from
https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Adelete&service=registry.docker.local%3A5000
Here's the HTTP handler shown in `app/controllers/api/v2/tokens_controller.rb` and the related policy shown in `app/policies/namespace_policy.rb`
The key to the problem is that the policy `delete?` is an alias to `all?`, and it works properly when I request the `all` action. But when I request the `delete` action, it responds with an empty access list. I think some magic procedure is performed here, but I can't find it.
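To see which requested actions the token service left out, the `scope` parameter of the token request can be compared with the `access` claim of the returned token. The following is an added example, not part of the original issue or of Portus: the function names are hypothetical, the sample token is constructed from the access list shown in the thread with a placeholder signature, and the payload is decoded without verifying the signature (diagnosis only).

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

def jwt_payload(token):
    """Decode the JWT payload segment. The signature is NOT verified here."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def requested_scopes(token_url):
    """Parse scope=type:name:action,... parameters from a token request URL."""
    wanted = {}
    for value in parse_qs(urlsplit(token_url).query).get("scope", []):
        for scope in value.split():  # several scopes may be space separated
            rtype, rest = scope.split(":", 1)
            name, actions = rest.rsplit(":", 1)  # name itself may contain ':'
            wanted.setdefault((rtype, name), set()).update(actions.split(","))
    return wanted

def dropped_actions(token_url, token):
    """Return {(type, name): sorted actions requested but absent from the token}."""
    granted = {}
    for entry in jwt_payload(token).get("access", []):
        key = (entry["type"], entry["name"])
        granted.setdefault(key, set()).update(entry["actions"])
    report = {}
    for key, actions in requested_scopes(token_url).items():
        missing = sorted(actions - granted.get(key, set()))
        if missing:
            report[key] = missing
    return report

def make_sample_token(payload):
    """Build a constructed, unsigned token for the demo (placeholder signature)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(payload), "c2ln"])

# Request URL and granted actions as shown in the thread; the token is constructed.
URL = ("https://registry.docker.local:5002/v2/token?account=portus"
       "&scope=repository%3Amariadb%3Aowner,show,push,pull,index,create,destroy,"
       "update,all,change_visibility,change_team,owner,contributor,viewer,member"
       "&service=registry.docker.local%3A5000")
SAMPLE = make_sample_token({"access": [{"type": "repository", "name": "mariadb",
    "actions": ["show", "push", "pull", "index", "create", "update", "all",
                "change_visibility", "change_team"]}]})

if __name__ == "__main__":
    print(dropped_actions(URL, SAMPLE))
```

An empty `access` list, as described for the `delete` request, shows up as every requested action being reported missing.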