anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Problem with Policy Engine authentication #1377

Open leon-marcel opened 2 years ago

leon-marcel commented 2 years ago

Is this a request for help?: Yes

Is this a BUG REPORT or a FEATURE REQUEST? (choose one):

BUG REPORT

**Version of Anchore Engine and Anchore CLI if applicable**:

anchore-cli, version 0.9.4
Name: anchore-engine
Version: 1.1.0

**What happened**: I installed anchore-engine on an OpenShift cluster. I used the Helm chart 1.18.0. My cluster is behind a corporate proxy, so I added proxy configuration and custom certificates to the container. If the policy engine tries to fetch "https://toolbox-data.anchore.io/grype/databases/listing.json", a "requests.exceptions.HTTPError: 403 Client Error: AuthorizedOnly for url: https://toolbox-data.anchore.io/grype/databases/listing.json" error occurs. The certificates are mounted correctly and lie under /home/anchore/certs_override/python.

**What did you expect to happen**: I expected that the policy engine can successfully fetch the data from toolbox-data.anchore.io.

Any relevant log output from /var/log/anchore:

```
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] Exception in thread Thread-13:
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] Traceback (most recent call last):
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/client.py", line 211, in execute_request
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] r.raise_for_status()
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 953, in raise_for_status
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] raise HTTPError(http_error_msg, response=self)
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] requests.exceptions.HTTPError: 403 Client Error: AuthorizedOnly for url: https://toolbox-data.anchore.io/grype/databases/listing.json
[service:policy-engine] 2022-04-28 09:29:02+0000 [-]
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] During handling of the above exception, another exception occurred:
[service:policy-engine] 2022-04-28 09:29:02+0000 [-]
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] Traceback (most recent call last):
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/lib64/python3.8/threading.py", line 932, in _bootstrap_inner
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] self.run()
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/lib64/python3.8/threading.py", line 870, in run
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] self._target(*self._args, **self._kwargs)
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/tasks.py", line 186, in
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] target=lambda: result.append(task.execute()),
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/tasks.py", line 243, in execute
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] DataFeeds.sync(
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/sync.py", line 283, in sync
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] source_feeds = DataFeeds.get_feed_group_information(feed_client, to_sync)
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/sync.py", line 140, in get_feed_group_information
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] source_feeds = {
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/sync.py", line 143, in
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] "groups": feed_client.list_feed_groups(x.name).groups,
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/client.py", line 532, in list_feed_groups
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] raw_db_listing = self._list_feed_groups()
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/client.py", line 509, in _list_feed_groups
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] listing_response = self.http_client.execute_request(
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/client.py", line 226, in execute_request
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] self._map_error_to_exception(e, username=self.user, url=url)
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/client.py", line 129, in _map_error_to_exception
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] raise InsufficientAccessTierError(
[service:policy-engine] 2022-04-28 09:29:02+0000 [-] anchore_engine.services.policy_engine.engine.feeds.client.InsufficientAccessTierError: Access denied due to insufficient permissions for user: None
```

What docker images are you using: anchore/anchore-engine:v1.1.0

How to reproduce the issue:

Anything else we need to know: Before I added the certificates, I got a certificate signed by unknown authority error.
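
One way to record what actually answered the listing request from inside the policy-engine container, added here as an example (not code from this issue or from anchore-engine): it captures the status, the reason phrase and hop-related headers, and flags a reason phrase that differs from the standard one for that code, as "AuthorizedOnly" does for 403 ("Forbidden"). `probe`, `HOP_HEADERS`, the local stub server and its `Via` value are constructed for illustration.

```python
import ssl
import threading
import urllib.error
import urllib.request
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers an intermediary may add (assumed list; adjust for your proxy).
HOP_HEADERS = ("Server", "Via", "Proxy-Agent", "Proxy-Authenticate", "X-Cache")


def probe(url, proxies=None, ca_bundle=None, timeout=15):
    """proxies=None uses HTTP(S)_PROXY from the environment, {} goes direct;
    ca_bundle is a PEM file holding the corporate CA (None = system store)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler(proxies),
        urllib.request.HTTPSHandler(context=ctx))
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a response
        resp = err
    standard = HTTPStatus(resp.code).phrase  # e.g. "Forbidden" for 403
    found = {h: resp.headers[h] for h in HOP_HEADERS if resp.headers[h]}
    result = {"status": resp.code, "reason": resp.reason,
              "standard_reason": standard,
              "reason_is_standard": resp.reason == standard, "headers": found}
    resp.close()
    return result


class StubResponder(BaseHTTPRequestHandler):
    # Constructed local stand-in returning the status line from the report.
    def do_GET(self):
        self.send_response(403, "AuthorizedOnly")
        self.send_header("Via", "1.1 constructed-proxy")
        self.send_header("Content-Length", "0")
        self.end_headers()


def demo():
    """Run probe() against the local stub so the example works offline."""
    server = HTTPServer(("127.0.0.1", 0), StubResponder)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/listing.json"
        return probe(url, proxies={})
    finally:
        server.shutdown()
        server.server_close()
```

Running `probe` against the listing URL with `proxies=None` and the mounted CA file, then again from a host outside the proxy, shows whether both paths return the same status line and headers.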