From e43b271676037eac02ee0e471d9a8c7d238423f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Wed, 8 Aug 2018 00:29:53 +0200
Subject: [PATCH] Fix requested token actions when deleting images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://github.com/docker/distribution/blob/master/docs/spec/auth/scope.md does not document the action necessary for deleting images. For docker/distribution, we need "pull" to be able to read the manifest, and "delete" to delete it. Until docker/distribution commit ccb839e0e30c3b6992fb4084dfd6550d0ddd4d1a (Jan 3 2017), the action checked for deleting manifests was "*". For Quay.io, only "push" is sufficient for both; and although https://github.com/docker/distribution/blob/master/docs/spec/auth/jwt.md says that requesting permissions that the server does not grant should not be an error, quay.io refuses to even parse a request which contains a "delete" action and does not grant any token. This should not affect OpenShift, where the token is an API token and does not actually include any scopes or permissions; (that is also probably why noone has noticed before). Overall, "*" seems to be the only common action specification; luckily both docker/distribution and Quay.io seem to treat it as "all actions allowed" (which is _not_ documented in the spec, but then again, nothing about actions for deleting images is documented).
Signed-off-by: Miloslav Trmač
---
docker/docker_image_src.go | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/docker/docker_image_src.go b/docker/docker_image_src.go
index 98f6067e1e..46145dff64 100644
--- a/docker/docker_image_src.go
+++ b/docker/docker_image_src.go
@@ -310,7 +310,14 @@ func (s *dockerImageSource) getSignaturesFromAPIExtension(ctx context.Context, i
 // deleteImage deletes the named image from the registry, if supported.
 func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerReference) error {
- c, err := newDockerClientFromRef(sys, ref, true, "push")
+ // docker/distribution does not document what action should be used for deleting images.
+ //
+ // Current docker/distribution requires "pull" for reading the manifest and "delete" for deleting it.
+ // quay.io requires "push" (an explicit "pull" is unnecessary), does not grant any token (fails parsing the request) if "delete" is included.
+ // OpenShift ignores the action string (both the password and the token is an OpenShift API token identifying a user).
+ //
+ // We have to hard-code a single string, luckily both docker/distribution and quay.io support "*" to mean "everything".
+ c, err := newDockerClientFromRef(sys, ref, true, "*")
 if err != nil {
 return err
 }
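Review bot: The new call requests the wildcard action `"*"` for a delete, which by the added comment's own account is broader than the `pull`+`delete` that docker/distribution actually checks, and the comment explains the registry incompatibilities but not that trade-off. A token minted for `"*"` presumably carries every action on the repository for its lifetime, so that is worth stating next to the literal, e.g. `// NOTE: "*" is broader than deletion needs; the token obtained with it grants all actions on this repository, so the client built here should stay local to this operation.` The comment also presents the quay.io and OpenShift behaviour as present-tense fact although the commit message says none of it is documented; a short `// as of Aug 2018` qualifier on those lines would tell the next maintainer when to re-verify. The body of deleteImage continues past the end of the hunk.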