
Unclear documentation when not using token based authentication #1783

Open
simenon opened this issue Sep 27, 2024 · 3 comments

Comments


simenon commented Sep 27, 2024

When disabling token authentication with TOKEN_AUTH_DISABLED=True, the manual at https://pulpproject.org/pulp_container/docs/admin/learn/authentication/#basic-authentication states that Basic authentication or Remote Webserver authentication is used as a default authentication method depending on a particular configuration.

Reading the Basic Authentication section, it says:
All users are permitted to pull content from the Registry without any limitations because the concept of private repositories is not adopted once token authentication is disabled. But, only users with staff permissions are allowed to push content to the Registry.

The same goes for Remote Webserver Authentication:
Similarly to basic authentication, all users can pull content from the Registry without limitations and only staff is allowed to push new content to the Registry.

However, the situation below fails, even if the user is staff:

pulp user create --username podman --password podmanpass --staff
{
  "pulp_href": "/pulp/api/v3/users/3/",
  "id": 3,
  "username": "podman",
  "first_name": "",
  "last_name": "",
  "email": "",
  "is_staff": true,
  "is_active": true,
  "date_joined": "2024-09-27T16:46:00.977241Z",
  "groups": [],
  "hidden_fields": [
    {
      "name": "password",
      "is_set": true
    }
  ]
}

pulp container namespace create --name foo
{
  "pulp_href": "/pulp/api/v3/pulp_container/namespaces/01923460-de26-7225-90ca-7a96031dc6af/",
  "pulp_created": "2024-09-27T16:46:56.550470Z",
  "pulp_last_updated": "2024-09-27T16:46:56.550480Z",
  "name": "foo"
}

pulp container namespace role add --name foo --user podman --role container.containernamespace_collaborator
{
  "users": [
    "podman"
  ],
  "groups": [],
  "role": "container.containernamespace_collaborator"
}

podman login localhost:8080 -u podman -p podmanpass
podman push localhost:8080/foo/ubi8:latest --remove-signatures
Copying blob 6d8497fe2023 [--------------------------------------] 8.0b / 202.5MiB | 4.5 KiB/s
Error: writing blob: initiating layer upload to /v2/foo/ubi8/blobs/uploads/ in localhost:8080: denied: Access to the requested resource is not authorized.

In a discussion on Elements, ipanova mentioned that it should be super-user and not staff, which makes the documentation super confusing.

I suggest clarifying the documentation so that it mentions super-user instead of staff when not using token authentication, if you want to push images to the registry.

@lubosmj
Member

lubosmj commented Sep 30, 2024

if request.user.is_superuser:

@lubosmj
Member

lubosmj commented Sep 30, 2024

Yes, we need to update the docs. Thanks for opening the issue.

  • Regular users have no admin access or permissions.
  • Staff users (admins) can log into the admin interface (admin UI) but have restricted permissions based on what they are explicitly assigned (when it comes to pushing content, the admins have no permissions if the token authentication is disabled).
  • Superusers (a special subset of admins) have complete access and all permissions, without needing additional configuration, and are allowed to push content to Pulp.
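To make the three-tier rule above and the quoted `if request.user.is_superuser:` check concrete, here is an added Python model of the push decision (written for this issue, not pulp_container's own code). It assumes that with token auth enabled a superuser or a holder of the namespace collaborator role may push; the page only states the token-auth-disabled branch.

```python
from dataclasses import dataclass, field

# Role name used by the reporter in this thread.
COLLABORATOR = "container.containernamespace_collaborator"


@dataclass
class User:
    """Minimal stand-in for a Django/Pulp user (constructed for this example)."""
    username: str
    is_staff: bool = False
    is_superuser: bool = False
    # namespace name -> set of role names granted on that namespace
    namespace_roles: dict = field(default_factory=dict)


def may_push(user: User, namespace: str, token_auth_disabled: bool) -> bool:
    """Decide whether `user` may push into `namespace`.

    With TOKEN_AUTH_DISABLED=True the per-namespace roles are never consulted:
    the check collapses to `user.is_superuser`, so a staff user who holds the
    collaborator role is still denied (the exact failure in this issue).
    """
    if token_auth_disabled:
        return user.is_superuser
    # Assumed behaviour (not stated on the page): with token auth enabled,
    # superusers and namespace collaborators may push.
    if user.is_superuser:
        return True
    return COLLABORATOR in user.namespace_roles.get(namespace, set())


def reporter_scenario() -> dict:
    """Re-create the reporter's setup: staff user 'podman' with the
    collaborator role on namespace 'foo', plus a superuser for comparison."""
    podman = User("podman", is_staff=True)
    podman.namespace_roles["foo"] = {COLLABORATOR}
    admin = User("admin", is_staff=True, is_superuser=True)
    return {
        # staff + collaborator role, token auth disabled -> denied
        "staff_collab_token_auth_disabled": may_push(podman, "foo", True),
        # same user, token auth enabled -> role is honoured (assumed)
        "staff_collab_token_auth_enabled": may_push(podman, "foo", False),
        # superuser, token auth disabled -> allowed
        "superuser_token_auth_disabled": may_push(admin, "foo", True),
        # collaborator on 'foo' has no role on 'bar'
        "staff_collab_other_namespace": may_push(podman, "bar", False),
    }
```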

@ipanova
Member

ipanova commented Sep 30, 2024

Seems like we just forgot to update the docs https://github.com/pulp/pulp_container/pull/1110/files
