SUSE / Portus

Authorization service and frontend for Docker registry (v2)
http://port.us.org/
Apache License 2.0

Unable to delete repository & tags #2335

Open miraclecoco opened 3 years ago

miraclecoco commented 3 years ago

I properly installed Portus and Registry, but I can't delete the pushed repository and one of its tags. After that, I checked the registry logs, and they report an "insufficient scope" error. I have audited the Portus source code, but I can't figure out what causes the problem.

Here's my compose file

image

It works properly

image

Response from https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Aall&service=registry.docker.local%3A5000

image image

Response from https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Adelete&service=registry.docker.local%3A5000

image image

Here's HTTP handler shown in app/controllers/api/v2/tokens_controller.rb

image

and related policy shown in app/policies/namespace_policy.rb

image

The key to the problem is that the policy delete? is an alias to all?, and it works properly when I request the all action. But when I request the delete action, it responded with an empty access list. I think some magic procedure is performed here, but I can't find it.

miraclecoco commented 3 years ago

I've tried to test all the permissions in 'NamespacePolicy' with the request https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3Aowner,show,push,pull,index,create,destroy,update,all,change_visibility,change_team,owner,contributor,viewer,member&service=registry.docker.local%3A5000

It responded

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkhBU1c6UFBHVDpGT0FCOkQyT0U6RzRGQzpJVk9FOkpBVkw6SzZZSTpXQU01Ok1VSFI6SzJBWTpTQzI3In0.eyJpc3MiOiJyZWdpc3RyeS5kb2NrZXIubG9jYWwiLCJzdWIiOiJwb3J0dXMiLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIubG9jYWw6NTAwMCIsImlhdCI6MTYxMTkyMzMzMywibmJmIjoxNjExOTIzMzI4LCJleHAiOjE2MTE5MjM2MzMsImp0aSI6IngyWlllSE5NeXlxZldDdThzaWRicGpTQ0Z0bUhEQVd4eVQxOWZoRXl5TiIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoibWFyaWFkYiIsImFjdGlvbnMiOlsic2hvdyIsInB1c2giLCJwdWxsIiwiaW5kZXgiLCJjcmVhdGUiLCJ1cGRhdGUiLCJhbGwiLCJjaGFuZ2VfdmlzaWJpbGl0eSIsImNoYW5nZV90ZWFtIl19XX0.uciId9AKi9bPWlKyHYMLIaa6-g0hgpWhf9IGnHPsSGkDeZZ_Wz-d50UeerXEi7_To9168ToG_xQpFgmjmUiLZhXt6Fz1eNZqCcgiYIgEhBBzxEbkOJBvh0B8OmC-ossCxKgQ-Ob0akBsEeUL96mZ-NEI9EAlzF9UjQpoDC7MZ6KeJrlyq7bPlT2oa_yyg2gV-knnUiBUdoLBMPOAksd3oo22Oub9HOU2CYudNBfH5j6JNwMl_VbBBJB4ZhG_J_0o9HQ9chNZzdOPQL_VptFyBN7-3EuXZtgBHt18-zvFkwLlLsXozEBxNbT9e5OOcQB7dt2jcpYz7n1zLFWNnKU7jA","expires_in":300,"issued_at":"2021-01-29T12:28:53+00:00"}

and the payload decoded from the JWT token

{
  "iss": "registry.docker.local",
  "sub": "portus",
  "aud": "registry.docker.local:5000",
  "iat": 1611923333,
  "nbf": 1611923328,
  "exp": 1611923633,
  "jti": "x2ZYeHNMyyqfWCu8sidbpjSCFtmHDAWxyT19fhEyyN",
  "access": [
    {
      "type": "repository",
      "name": "mariadb",
      "actions": [
        "show",
        "push",
        "pull",
        "index",
        "create",
        "update",
        "all",
        "change_visibility",
        "change_team"
      ]
    }
  ]
}

but delete did not appear in the access list.
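
A small diagnostic for the mismatch described in the comment above, as an added example (not code from Portus or from the issue author): it compares the actions requested in a token URL's scope parameter with the access claim of the returned JWT and lists the ones that were not granted. The helper names are hypothetical, the sample tokens are constructed and unsigned, and the payload is decoded without signature verification, so this is for troubleshooting only.

```ruby
require "json"
require "uri"

# Split a registry scope "type:name:action1,action2" into its parts.
# rpartition keeps names that contain ':' (e.g. host:port/repo) intact.
def parse_scope(scope)
  type, rest = scope.split(":", 2)
  name, _, actions = rest.rpartition(":")
  { "type" => type, "name" => name, "actions" => actions.split(",") }
end

# Decode the JWT payload segment WITHOUT verifying the signature (diagnostic only).
def jwt_payload(token)
  segment = token.split(".")[1]
  padded = segment.tr("-_", "+/") + "=" * (-segment.length % 4)
  JSON.parse(padded.unpack1("m"))
end

# Requested actions (from the token URL) that are absent from the token's access claim.
def missing_actions(token_url, token)
  query = URI.decode_www_form(URI(token_url).query).to_h
  wanted = parse_scope(query.fetch("scope"))
  entry = jwt_payload(token).fetch("access", []).find do |a|
    a["type"] == wanted["type"] && a["name"] == wanted["name"]
  end
  wanted["actions"].uniq - (entry ? entry["actions"] : [])
end

# Constructed sample: an unsigned token carrying the given actions for "mariadb".
def sample_token(actions)
  enc = ->(h) { [JSON.generate(h)].pack("m0").tr("+/", "-_").delete("=") }
  access = actions.empty? ? [] : [{ "type" => "repository", "name" => "mariadb", "actions" => actions }]
  [enc.({ "alg" => "none" }), enc.({ "sub" => "portus", "access" => access }), ""].join(".")
end

BASE = "https://registry.docker.local:5002/v2/token?account=portus&scope=repository%3Amariadb%3A"
TAIL = "&service=registry.docker.local%3A5000"
# The two requests from the issue: the single delete scope and the multi-action scope.
DELETE_URL = BASE + "delete" + TAIL
MULTI_URL = BASE + "owner,show,push,pull,index,create,destroy,update,all," \
            "change_visibility,change_team,owner,contributor,viewer,member" + TAIL
# Actions listed in the decoded payload shown in the issue.
GRANTED = %w[show push pull index create update all change_visibility change_team].freeze

if __FILE__ == $PROGRAM_NAME
  puts "multi-action request, not granted: #{missing_actions(MULTI_URL, sample_token(GRANTED)).inspect}"
  puts "delete request, empty access list: #{missing_actions(DELETE_URL, sample_token([])).inspect}"
end
```
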

stale[bot] commented 2 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.