goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

nerdctl authentication issue with custom token service #19588

Open l2dy opened 9 months ago

l2dy commented 9 months ago

Expected behavior and actual behavior: I'm trying to use nerdctl push on a private Harbor registry with Bearer authentication and a custom token service, but the command fails with 401 Unauthorized. After further investigation, it seems to be an interoperability issue between nerdctl and Harbor registries that have disabled basic authentication.

When nerdctl requests GET /v2/<name>/blobs/<digest>, the registry returns a WWW-Authenticate header that asks the client to request a Bearer token with the scope repository:<name>:pull from the specified realm. nerdctl faithfully does so and retries the request with the right credentials, so far so good.

But when nerdctl reuses the same token for POST /v2/<name>/blobs/uploads/ requests, the scope required is repository:<name>:pull,push, so this request is denied and the registry returns 401 Unauthorized. The problem is that when a request contains an Authorization header but fails to authenticate, Harbor uses Basic realm="harbor" as the authentication challenge, instead of the token service configured.

https://github.com/goharbor/harbor/blob/6113469a567623054a58d0f5506b90a55adca7ff/src/server/middleware/v2auth/auth.go#L95-L98

The registry I'm accessing exclusively relies on Bearer tokens for authentication and has been configured to deny all requests with basic auth. Misled by the new WWW-Authenticate header, all subsequent requests made by nerdctl will fail.

Steps to reproduce the problem:

  1. Set up a Harbor registry with a custom token service.
  2. nerdctl push an image to the registry.

Versions: Please specify the versions of the following systems.
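The token exchange the report describes, as an added example that is not part of the issue and is neither Harbor's nor nerdctl's code: it parses a WWW-Authenticate challenge, derives the scope a registry request needs (pull for GET/HEAD, pull,push for upload and manifest writes, as the report states), checks whether a token already held covers that scope, and builds the token-service request a client makes from a Bearer challenge. A Basic challenge, the behaviour the report complains about, yields no token URL at all, which is why a Bearer-only deployment strands the client. The realm https://harbor.example/service/token, the service name harbor-registry and the repository library/app are assumed values for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Challenge is a parsed WWW-Authenticate header value, e.g.
// Bearer realm="https://...",service="...",scope="repository:<name>:pull"
type Challenge struct {
	Scheme string
	Params map[string]string
}

var paramRe = regexp.MustCompile(`([a-zA-Z_]+)="([^"]*)"`)

// ParseChallenge splits the auth scheme from its comma-separated key="value" params.
func ParseChallenge(h string) Challenge {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(h), " ")
	c := Challenge{Scheme: scheme, Params: map[string]string{}}
	for _, m := range paramRe.FindAllStringSubmatch(rest, -1) {
		c.Params[m[1]] = m[2]
	}
	return c
}

// RequiredScope maps a registry API request to the token scope it needs:
// reads need "pull", blob uploads and manifest writes need "pull,push".
// The repository name may itself contain slashes (e.g. library/app).
func RequiredScope(method, path string) (string, bool) {
	p := strings.TrimPrefix(path, "/v2/")
	if p == path {
		return "", false
	}
	var name string
	for _, sep := range []string{"/manifests/", "/blobs/", "/tags/"} {
		if i := strings.Index(p, sep); i >= 0 {
			name = p[:i]
			break
		}
	}
	if name == "" {
		return "", false
	}
	switch method {
	case "GET", "HEAD":
		return "repository:" + name + ":pull", true
	case "POST", "PUT", "PATCH":
		return "repository:" + name + ":pull,push", true
	}
	return "", false
}

// ScopeCovers reports whether a token granted for `have` authorizes everything
// in `need`: same resource type and name, and need's actions are a subset.
func ScopeCovers(have, need string) bool {
	hp, np := strings.SplitN(have, ":", 3), strings.SplitN(need, ":", 3)
	if len(hp) != 3 || len(np) != 3 || hp[0] != np[0] || hp[1] != np[1] {
		return false
	}
	granted := map[string]bool{}
	for _, a := range strings.Split(hp[2], ",") {
		granted[a] = true
	}
	for _, a := range strings.Split(np[2], ",") {
		if !granted[a] {
			return false
		}
	}
	return true
}

// BearerChallenge builds the WWW-Authenticate value that points the client at
// the token service for exactly the scope the denied request needs.
func BearerChallenge(realm, service, scope string) string {
	return fmt.Sprintf(`Bearer realm=%q,service=%q,scope=%q`, realm, service, scope)
}

// TokenURL is the GET a client issues against the realm after a Bearer
// challenge. A Basic challenge carries no realm URL or scope to act on.
func TokenURL(c Challenge) (string, error) {
	if c.Scheme != "Bearer" {
		return "", fmt.Errorf("cannot obtain a token from a %s challenge", c.Scheme)
	}
	u, err := url.Parse(c.Params["realm"])
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("service", c.Params["service"])
	q.Set("scope", c.Params["scope"])
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Assumed deployment values (not from the report).
	realm, service := "https://harbor.example/service/token", "harbor-registry"
	held, _ := RequiredScope("GET", "/v2/library/app/blobs/sha256:0123")    // token the client obtained first
	need, _ := RequiredScope("POST", "/v2/library/app/blobs/uploads/")      // scope the upload needs
	fmt.Println("pull token covers upload?", ScopeCovers(held, need))       // false
	ch := ParseChallenge(BearerChallenge(realm, service, need))             // what a Bearer-only registry should send
	u, _ := TokenURL(ch)
	fmt.Println("client re-requests token at:", u)
	_, err := TokenURL(ParseChallenge(`Basic realm="harbor"`))              // challenge the report observed instead
	fmt.Println("basic challenge:", err)
}
```

Run with `go run .`; the last line shows that a client receiving the Basic challenge has no realm to turn to, so the retry cannot succeed once basic auth is disabled server-side.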

AllForNothing commented 9 months ago

Can you share the story of why you need a customized token service?

l2dy commented 9 months ago

> Can you share the story of why you need a customized token service?

For historical reasons, we have two internal identity management services to integrate with, and our teams decided to build a separate token service for better maintainability.

github-actions[bot] commented 7 months ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

l2dy commented 7 months ago

Issue is still relevant.

github-actions[bot] commented 5 months ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

l2dy commented 5 months ago

@wy65701436 Any interest in fixing this issue?

github-actions[bot] commented 3 months ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

l2dy commented 3 months ago

Help wanted.

github-actions[bot] commented 1 month ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

l2dy commented 1 month ago

Help wanted.