opencontainers / tob

Technical Oversight Board (TOB)
https://groups.google.com/a/opencontainers.org/forum/#!forum/tob
Apache License 2.0

Working group proposal for auth #119

Closed sudo-bmitch closed 1 year ago

sudo-bmitch commented 2 years ago

Signed-off-by: Brandon Mitchell git@bmitch.net

This PR proposes a new working group to specify authentication and authorization between registries and clients.

References:

toddysm commented 1 year ago

@sudo-bmitch I guess this WG will address https://github.com/opencontainers/distribution-spec/issues/338 - correct?

sudo-bmitch commented 1 year ago

> @sudo-bmitch I guess this WG will address https://github.com/opencontainers/distribution-spec/issues/338 - correct?

Yes, that should be addressed by the WG.

dmcgowan commented 1 year ago

I agree with having the working group for drafting the spec. It was unclear from the scope where there is any "new" functionality or use cases which this group is also aiming to support/investigate. I would consider "new" to be cases not currently supported by a majority of clients/registries.

sudo-bmitch commented 1 year ago

> I agree with having the working group for drafting the spec. It was unclear from the scope where there is any "new" functionality or use cases which this group is also aiming to support/investigate. I would consider "new" to be cases not currently supported by a majority of clients/registries.

There are probably some edge cases, but a majority of the effort will be standardizing something that should work with existing servers and clients. Do we need new functionality to be a working group?

dmcgowan commented 1 year ago

@sudo-bmitch no, just to avoid scope creep and a never-ending working group. Most of the efforts to standardize existing behavior allowed limited new functionality, except for known limitations/pain points.

sagikazarmark commented 1 year ago

I'm glad to see this is happening.

I have a working implementation of the Docker registry authorization server spec here: https://github.com/distribution-auth/auth

I've spent some time with registry authnz lately, so I'd be happy to help however I can (work on spec, tinker with implementation, etc)

sudo-bmitch commented 1 year ago

Volunteers for stakeholders and proposed owners are welcome/needed.

vsoch commented 1 year ago

There has been some discussion in the ORAS community about use of the Docker credential file in this flow (about how many tools do it but it’s not a standard), so I’d like to suggest this is considered to be in scope here. It would be ideal to have the full flow from defining the credential through authorization standardized for common tooling, and fewer ad hoc standards in the space than we have now.

toddysm commented 1 year ago

@sudo-bmitch what are the next steps for this WG? I will be interested to participate because we are regularly hitting issues with auth with various registries.

sudo-bmitch commented 1 year ago

@toddysm proposed owners/stakeholders are needed. Feel free to nominate yourself and/or projects you represent.

jcarter3 commented 1 year ago

I'm happy to represent Docker Hub

imjasonh commented 1 year ago

I'm willing to represent Chainguard.

What more do we need to get this moving?

sajayantony commented 1 year ago

Looks like we have enough stakeholders. Request the @opencontainers/tob to consider kicking this off.

samuelkarp commented 1 year ago

I'll call the vote for @opencontainers/tob. Please approve, request changes, reply with LGTM, or not (and hopefully say why!).

A 2/3 approval is required here, so 6/9 of the TOB members must approve.

sudo-bmitch commented 1 year ago

LGTM

dmcgowan commented 1 year ago

LGTM

jdolitsky commented 1 year ago

got 6 out of 9 votes, merging