[Public project]Re-push a deleted Chart via Helm V3 fails by 401 #11271

Closed
wy65701436 opened this issue Mar 25, 2020 · 2 comments

@wy65701436
Contributor

wy65701436 commented Mar 25, 2020

  • push one chart with helm v3
  • delete it in harbor
  • Re-push it

After that, I get a 401.

The push refers to repository [10.193.21.1/library/dummy-chart]
ref:     10.193.21.1/library/dummy-chart:0.1.0
digest:  3e94f4f36ce87478ab22cbb459aa2f93f45b0f0635407cd81cb5262d7c509a3b
size:    3.2 KiB
name:    dummy-chart
version: 0.1.0
Error: failed commit on ref "manifest-sha256:a8c04b6060af0ac7bfa315203ba917371808adfc57630014563efe85f3bd56b2": unexpected status: 401 Unauthorized

The root cause is probably that Harbor returns 200 to helm for the manifest head request, and helm client doesn't take auth header in the following PUT request.

Same thing happens on docker app push

@wy65701436 wy65701436 changed the title Re-push a deleted Chart via Helm V3 fails by 401 [Public project]Re-push a deleted Chart via Helm V3 fails by 401 Mar 25, 2020
@wy65701436 wy65701436 added the needs/triage triage issue before assigning label Mar 25, 2020
@reasonerjt reasonerjt self-assigned this Mar 26, 2020
@reasonerjt
Contributor

This is related to #11266

Current response in /v2 breaks some existing CLI tools when they push artifact to public projects.

ywk253100 added a commit to ywk253100/harbor that referenced this issue Mar 26, 2020
…ibution.manifest.v1+json

Fixes goharbor#11271, support replicate images with media type application/vnd.docker.distribution.manifest.v1+json

Signed-off-by: Wenkai Yin <[email protected]>
@reasonerjt reasonerjt added this to the Sprint 83 milestone Mar 30, 2020
@reasonerjt reasonerjt removed the needs/triage triage issue before assigning label Mar 31, 2020
reasonerjt added a commit to reasonerjt/harbor that referenced this issue Apr 2, 2020
* Redirect CLI "ping" to token endpoint

Docker CLI fails if it's not logged in upon seeing "basic" realm challenging while pinging the "/v2" endpoint. (goharbor#11266)
Some CLI will send HEAD to artifact endpoint before pushing (goharbor#11188)(goharbor#11271)

To fix such problems, this commit re-introduces the token auth flow to the CLIs.

For a request to "/v2/xxx" with no "Authorization" header, the v2_auth middleware populates the
"Www-Authenticate" header to redirect it to token endpoint with proper
requested scope.

It also adds security context based on the content of the JWT which has the claims of the registry.  So a request from CLI carrying a token signed by the "/service/token" will have proper permissions.

Signed-off-by: Daniel Jiang <[email protected]>
reasonerjt added a commit to reasonerjt/harbor that referenced this issue Apr 3, 2020
Docker CLI fails if it's not logged in upon seeing "basic" realm challenging while pinging the "/v2" endpoint. (goharbor#11266)
Some CLI will send HEAD to artifact endpoint before pushing (goharbor#11188)(goharbor#11271)

To fix such problems, this commit re-introduces the token auth flow to the CLIs.

For a HEAD request to "/v2/xxx" with no "Authorization" header, the v2_auth middleware populates the
"Www-Authenticate" header to redirect it to token endpoint with proper
requested scope.

It also adds security context based on the content of the JWT which has the claims of the registry.
So a request from CLI carrying a token signed by the "/service/token" will have proper permissions.

Signed-off-by: Daniel Jiang <[email protected]>
@reasonerjt
Contributor

Fixed in #11406

Verified in build v2.0.0-42801b76

cafeliker pushed a commit to cafeliker/harbor that referenced this issue Jul 14, 2020
Docker CLI fails if it's not logged in upon seeing "basic" realm challenging while pinging the "/v2" endpoint. (goharbor#11266)
Some CLI will send HEAD to artifact endpoint before pushing (goharbor#11188)(goharbor#11271)

To fix such problems, this commit re-introduces the token auth flow to the CLIs.

For a HEAD request to "/v2/xxx" with no "Authorization" header, the v2_auth middleware populates the
"Www-Authenticate" header to redirect it to token endpoint with proper
requested scope.

It also adds security context based on the content of the JWT which has the claims of the registry.
So a request from CLI carrying a token signed by the "/service/token" will have proper permissions.

Signed-off-by: Daniel Jiang <[email protected]>
Signed-off-by: Ye Liu <[email protected]>
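
The challenge behaviour described in the commit message above, as an added Go example (not Harbor's code and not part of the referenced commits): a middleware that answers any "/v2/..." request lacking an "Authorization" header with 401 and a Bearer challenge whose scope is derived from the request, so a client that sends HEAD before PUT is sent to the token endpoint first. The realm host, service name, path pattern and the method-to-action mapping are assumptions; the `repository:<name>:<actions>` scope form is the registry token convention.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Assumed placeholder values (not Harbor's configuration) and the /v2 artifact path pattern.
const realm, service = "https://registry.example/service/token", "example-registry"
var repoPath = regexp.MustCompile(`^/v2/(.+)/(?:manifests|blobs|tags)/`)

// challengeFor builds the Bearer challenge with a scope derived from the request.
func challengeFor(method, path string) string {
	c := fmt.Sprintf("Bearer realm=%q,service=%q", realm, service)
	m := repoPath.FindStringSubmatch(path)
	if m == nil {
		return c // the "/v2/" ping carries no repository scope
	}
	actions := "pull,push" // simplification: every write asks for pull,push
	if method == http.MethodGet || method == http.MethodHead {
		actions = "pull"
	}
	return c + fmt.Sprintf(",scope=%q", "repository:"+m[1]+":"+actions)
}

// v2Auth challenges any request that has no Authorization header, HEAD included.
func v2Auth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			w.Header().Set("Www-Authenticate", challengeFor(r.Method, r.URL.Path))
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r) // a real middleware verifies the token before this call
	})
}

// probe sends one constructed request through the middleware; auth "" means none.
func probe(method, path, auth string) (int, string) {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	v2Auth(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Www-Authenticate")
}

func main() {
	fmt.Println(probe("HEAD", "/v2/library/dummy-chart/manifests/0.1.0", ""))
}
```
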