Open d4l3k opened 2 years ago
Oh hmm... AWS ECR doesn't have the scope field:
Basic realm="https://<id>.dkr.ecr.us-west-2.amazonaws.com/",service="ecr.amazonaws.com"
Yes we might need to look into that! And gosh I just realized that Reggie is here - so maybe an extra implementation that people could use wouldn’t be the worst idea! I don’t think the library beyond Reggie is super useful at the moment.
The auth logic seems a little bit buggy. I fixed the scope issue but still am getting not authorized errors.
Traceback (most recent call last):
File "/home/tristanr/venvs/torchx/lib/python3.9/site-packages/requests-2.27.1-py3.9.egg/requests/models.py", line 910, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/lib/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/tristanr/Developer/torchx/torchx/schedulers/oci_patch.py", line 80, in <module>
resp = src.Do(req)
File "/home/tristanr/Developer/oci-python/opencontainers/distribution/reggie/client.py", line 168, in Do
response = self.retryRequestWithAuth(req, response)
File "/home/tristanr/Developer/oci-python/opencontainers/distribution/reggie/client.py", line 207, in retryRequestWithAuth
info = authResponse.json()
File "/home/tristanr/venvs/torchx/lib/python3.9/site-packages/requests-2.27.1-py3.9.egg/requests/models.py", line 917, in json
raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: [Errno Expecting value] Not Authorized
Though just using the raw endpoints isn't that much more work:
upload_url = dst_endpoint + f"/v2/{dst_name}/blobs/uploads/"
resp = requests.post(
upload_url,
auth=(user, pass),
)
It’s probably overly complicated for what it needs to do, I agree - I was mimicking the design of Reggie in go.
If you can make for me an image and credentials to test (or something else to reproduce this error) I can fix it up this weekend.
And thanks for testing it out and finding the bug!
Hi @vsoch, thanks for the client. We have been using it in a prototype for oci artifacts.
There is one part of the www-authenticate
challenge missing from this. The type of credential. Along with Basic
there is also Bearer
.
You can see it in go reggie here: https://github.com/bloodorangeio/reggie/blob/2178581d74d9619e147864fb9ce4c60f1f656b83/auth.go#L48-L82
would it be possible to include the first token in your AuthHeader, and switch on it in the retry? We could also PR this too. thanks again!
@ekoepfle a PR would be great! The auth here has gotten a bit muddled, to be honest. It started with token, then I think I switched to Basic trying to fix issues for a particular registry, and the design isn't very good to be able to switch.
TLDR: would greatly appreciate a PR!
cool, will see what we can put up
Ran into this bug when trying to use password authentication. Seems to just be a small typo:
Think it should be
scope
https://github.com/vsoch/oci-python/blob/master/opencontainers/distribution/reggie/client.py#L231