notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

Feature request: command to list all GUNs on a remote server #979

Open dnwake opened 7 years ago

dnwake commented 7 years ago

We already have the "notary list" command, but it requires the user to supply a GUN.

It would be useful to be able to iterate through all the GUNs on a remote server. A sample use case is renaming a host running Docker registry. The user will want to take a series of GUNs of the form "oldhostname/path/to/repo" and create duplicate GUNs (with the same targets / digests) with the form "newhostname/path/to/repo".

HuKeping commented 7 years ago

Hi @dnwake, I actually had considered this when I came across such a use case:

"people may would like to know which images on the image_list_page(the web front end) are signed and can be trusted"

So if there is an API that can list all the GUNs' status on the notary service, it would be helpful.

But since the service (not the notary service, I mean the whole Docker Hub service) we provide is a multi-tenant service, an API that lists all the GUNs would leak information, which is not acceptable.

Besides, one notary service could be used by many registries; it does not seem right to list the image information of one registry server to the others.

dnwake commented 7 years ago

@HuKeping

How about a list of GUNs with a delegation to a particular key?

endophage commented 7 years ago

@dnwake a delegated key does not automatically equal access to the GUN. The authz on docker hub may have been updated to revoke a user's access, though their delegation key may not have been removed as a signer yet. You also shouldn't be able to arbitrarily list GUNs for any delegation key as providing a key ID is not proof of authorization.

I'll talk to the hub team and see how they do it with respect to the existing token auth notary leveraged. We'll have to work out the authz piece so a user can only list GUNs they have access to, then subsequently we can apply a range of filters to those GUNs they are interested in based on key ID or some other factor (i.e. org/account name, GUN prefix, etc.)

dnwake commented 7 years ago

@endophage What if you also provide the key?

endophage commented 7 years ago

Doesn't matter. If you're a delegate and the admin has revoked your authz and for any reason hasn't removed your signing key yet, you still shouldn't have access. Maybe they're AFK so can't sign but can access docker hub through a mobile device to respond to an immediate problem.

endophage commented 7 years ago

The changefeed functionality adds an initial use of the catalog token. We could now add this feature using that token for auth. The current configuration of docker's token server would only issue these catalog tokens to admin users.
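The two design points raised above, that a key ID is never proof of authorization and that a listing endpoint should be driven by the scopes in the caller's token (a catalog-level token for admins, per-repository scopes for everyone else), can be sketched as a server-side filter. The following is an added example written for this thread, not code from the notary project: the `Scope` shape, the `TrustStore` map, the `registry:catalog:*` and `repository:<gun>:pull` scope conventions and all GUNs and key IDs are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Scope is one grant carried by a bearer token: a resource type, a name and
// the permitted actions. Hypothetical simplification of a registry token.
type Scope struct {
	Type    string   // "repository" or "registry"
	Name    string   // the GUN for repository scopes, "catalog" for registry scopes
	Actions []string // e.g. "pull", "push", "*"
}

// TrustStore maps each GUN the server knows about to the key IDs currently
// listed as delegation signers for it. Constructed sample data lives below.
type TrustStore map[string][]string

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// ListGUNs returns the GUNs the caller is allowed to see, sorted.
// Visibility comes only from the token's scopes: registry:catalog:* grants the
// whole list, otherwise only GUNs named by a repository:<gun>:pull scope are
// visible. keyID and prefix are applied as filters after the authz decision,
// so a key ID on its own never widens what the caller can enumerate.
func ListGUNs(store TrustStore, scopes []Scope, keyID, prefix string) []string {
	visible := map[string]bool{}
	for _, s := range scopes {
		switch {
		case s.Type == "registry" && s.Name == "catalog" && contains(s.Actions, "*"):
			for gun := range store {
				visible[gun] = true
			}
		case s.Type == "repository" && contains(s.Actions, "pull"):
			if _, ok := store[s.Name]; ok {
				visible[s.Name] = true
			}
		}
	}
	var out []string
	for gun := range visible {
		if prefix != "" && !strings.HasPrefix(gun, prefix) {
			continue
		}
		if keyID != "" && !contains(store[gun], keyID) {
			continue
		}
		out = append(out, gun)
	}
	sort.Strings(out)
	return out
}

// Constructed sample data. keyA is still a signer on otherhost/secret even
// though the user token below carries no scope for it, modelling the
// "authz revoked but delegation key not yet removed" case from the thread.
var SampleStore = TrustStore{
	"oldhost/app/web":  {"keyA"},
	"oldhost/app/api":  {"keyA", "keyB"},
	"otherhost/secret": {"keyA"},
}

// UserScopes is what a token server might issue to an ordinary user.
var UserScopes = []Scope{
	{Type: "repository", Name: "oldhost/app/web", Actions: []string{"pull"}},
	{Type: "repository", Name: "oldhost/app/api", Actions: []string{"pull", "push"}},
}

// AdminScopes carries the catalog grant an admin-only token would hold.
var AdminScopes = []Scope{
	{Type: "registry", Name: "catalog", Actions: []string{"*"}},
}

func main() {
	fmt.Println("user, no filter:   ", ListGUNs(SampleStore, UserScopes, "", ""))
	fmt.Println("user, keyA filter: ", ListGUNs(SampleStore, UserScopes, "keyA", ""))
	fmt.Println("no token, keyA:    ", ListGUNs(SampleStore, nil, "keyA", ""))
	fmt.Println("admin, oldhost/:   ", ListGUNs(SampleStore, AdminScopes, "", "oldhost/"))
}
```

The ordering matters: filtering by key ID happens inside the set the token already authorizes, so a caller who presents `keyA` without a scope for `otherhost/secret` learns nothing about that GUN even though the key is still listed there. For the rename use case at the top of the thread, the admin catalog token plus a `prefix` of `oldhost/` yields exactly the set of GUNs to duplicate.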

taha-au commented 4 years ago

We're getting bitten by the lack of this feature 4 years later. Any plans to implement this?