notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

notary server with token auth #1137

Open ac-obair opened 7 years ago

ac-obair commented 7 years ago

Hi there,

I've enabled token auth on the notary endpoint. But I'm not sure how to use it; the API now shows authorization required, which is great, but docker pull shows:

you are not authorized to perform this operation: server returned 401.

I'm logged into a private registry that uses the same token auth service. What have I missed?

Update1

From the docs: "Notary server optionally supports authentication from clients using JWT tokens. This requires an authorization server that manages access controls, and a cert bundle from this authorization server containing the public key it uses to sign tokens."

Apparently what I missed was step 1 -_____-. I had the wrong cert bundle in there.

Update2

A more interesting question might be if my config looks like this

  "repositories": {
    "gun_prefixes": ["docker.io/", "registry.domain.com/"]
  }

and my private notary server is using

      "rootcertbundle": "/oauth/server.pem"

When I push and pull from my private registry everything works great but when I try to use docker.io

docker pull alpine:latest
Error: error contacting notary server: unauthorized: authentication required

I was hoping I could configure gun_prefix for certain trusts like alpine while keeping the rest internal.

endophage commented 7 years ago

The notary server is not doing any proxying. The gun_prefixes are the prefixes that can be serviced by that notary server. You could host your own notary data for the official alpine image, but it doesn't sound like that's what you're trying to do.

To use the docker hosted notary servers that contain trust data for repositories like alpine you will want to unset the DOCKER_CONTENT_TRUST_SERVER environment variable, or alternatively, set it to https://notary.docker.io (this URL is the default in the docker binary).

ac-obair commented 7 years ago

It'd be nice to say I trust images x, y and z from docker.io/library or some other internal registry like dev.reg.domain but have the env vars still set to my local Reg and local Notary, basically whitelisting images from certain registries to the Notary.

endophage commented 7 years ago

There is work going on in containerd to help separate name from location and I think this would fit in well there. We're already considering how to integrate the trust pinning logic with those changes and it would make sense to also include a mapping of image name -> notary server as part of that configuration.

endophage commented 7 years ago

Also, because it might work for you: notary is designed to work in tandem with a registry, so if you put a reverse proxy (e.g. nginx) in front, you can do path-based routing between the registry and notary servers. This means you don't need to configure DOCKER_CONTENT_TRUST_SERVER at all, as docker will always attempt to use the hostname from an image name as the location of a notary server (just as it does for a registry). With the env var left unconfigured, docker will still go to the official notary server for any Docker Hub/Cloud images.
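The path-based routing endophage describes, as an added example that is not code from this issue or from the Notary project. It assumes the registry API lives under /v2/ and that Notary server serves trust data under /v2/<gun>/_trust/ (for example /v2/registry.domain.com/app/_trust/tuf/root.json); the two echo backends, the Route helper and the sample paths are constructed stand-ins so the program runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// trustPath matches Notary server trust-data routes, which sit under
// /v2/<gun>/_trust/ . Everything else under /v2/ is registry traffic
// (manifests, blobs, tags, and the bare /v2/ version/auth probe).
var trustPath = regexp.MustCompile(`^/v2/.+/_trust/`)

// backendFor is the routing decision: "notary" for trust data, "registry" otherwise.
func backendFor(path string) string {
	if trustPath.MatchString(path) {
		return "notary"
	}
	return "registry"
}

// newRouter fronts both services on one hostname so docker can derive the
// notary location from the image name without DOCKER_CONTENT_TRUST_SERVER.
// ReverseProxy forwards the Authorization header unchanged, so a shared
// token auth service keeps working behind it.
func newRouter(registryURL, notaryURL *url.URL) http.Handler {
	registry := httputil.NewSingleHostReverseProxy(registryURL)
	notary := httputil.NewSingleHostReverseProxy(notaryURL)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if backendFor(r.URL.Path) == "notary" {
			notary.ServeHTTP(w, r)
			return
		}
		registry.ServeHTTP(w, r)
	})
}

// echoBackend is a constructed stand-in for a registry or notary server:
// it replies with its own name and the path it received.
func echoBackend(name string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s:%s", name, r.URL.Path)
	}))
}

// Route sends one GET for path through the router and returns
// "<backend>:<path>" as the chosen backend saw it.
func Route(path string) (string, error) {
	registry := echoBackend("registry")
	defer registry.Close()
	notary := echoBackend("notary")
	defer notary.Close()

	regURL, err := url.Parse(registry.URL)
	if err != nil {
		return "", err
	}
	notURL, err := url.Parse(notary.URL)
	if err != nil {
		return "", err
	}
	front := httptest.NewServer(newRouter(regURL, notURL))
	defer front.Close()

	resp, err := http.Get(front.URL + path)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	// Constructed sample paths: one trust-data fetch, one manifest pull, one auth probe.
	for _, p := range []string{
		"/v2/registry.domain.com/app/_trust/tuf/root.json",
		"/v2/app/manifests/latest",
		"/v2/",
	} {
		got, err := Route(p)
		fmt.Println(p, "->", got, err)
	}
}
```

The same split in nginx is one `location ~ ^/v2/.+/_trust/` block proxied to the notary server ahead of a catch-all `location /v2/` proxied to the registry; whichever proxy you use, terminate TLS there, since docker will only talk content trust over https to the image's hostname.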