
registry-oauth-server

This is a forked version of OpenDNS's registry-oauth-server. View the upstream README for configuration defaults.

The purpose of this fork is to authenticate and authorize Docker registry users with Conjur.

The registry-ansible project deploys this service to AWS.

Quickstart

This assumes you have Docker running and available.

Start the registry and oauth_server containers:

$ ./build.sh

When the build finishes, you should have a local registry listening on :5000 and a local OAuth server listening on :8080.

Policy

The example policy.yml defines:

  • A host that represents the Docker registry (registry)
  • A group of users that can push to registry (pushers)
  • A group of users that can pull from registry (pullers)

Roles that are allowed to push to the registry have push privilege on the registry host; roles that may only pull have pull privilege on it.

Configuration

Configuration is applied by passing environment variables to the OAuth container:

  • CONJUR_CERT_FILE: Path to the Conjur public SSL certificate (mount it into the container)
  • CONJUR_APPLIANCE_URL: Conjur endpoint
  • CONJUR_ACCOUNT: Conjur account, specified during initial configuration
  • CONJUR_REGISTRY_HOST_NAME: Name of the Conjur host that represents the registry
  • CONJUR_REGISTRY_HOST_API_KEY: API key of the registry host (a secret: pass it at run time, do not bake it into the image)

authn

By default, the oauth server is configured to talk to conjurops: the public SSL cert is checked into the certs directory and CONJUR_URL in docker-compose.yml specifies the Conjur endpoint. Log in to the registry with your Conjur username and password:

$ docker login localhost:5000
Username: dustin
Password: <REDACTED>
Login Succeeded

The function check_auth in auth.py calls out to Conjur to authenticate the supplied username and password.

authz

Authorization is performed by checking the authenticated role's privilege on the registry host, either push or pull. Privilege is checked in real time, when each token request is received, so a policy change in Conjur takes effect on the next request.

More granular permission checking can be implemented by modifying the function get_allowed_actions in app.py. type is the resource type in the requested scope, most commonly repository; name is the name of the repository.

Note that a role needs both pull and push privilege to push images to the registry. The Docker client issues a pull-scoped request (to check whether the image already exists) before it pushes, so a role with push but no pull fails at that first step.

Docker registry token authentication spec: https://docs.docker.com/registry/spec/auth/token/
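As an added example (not code from this fork or from OpenDNS's upstream), the following Python models the authz flow described above: parsing the scope of a Docker token request, deciding per action against a pluggable privilege check, building the token's access claims, and the pull-before-push sequence that makes pull privilege a prerequisite for pushing. Conjur is replaced by a constructed in-memory grant table so it runs offline; REGISTRY_HOST, the user names and their grants are hypothetical.

```python
"""Added example: Docker token-auth scope handling with a pluggable privilege check.

Not the fork's app.py. Conjur is replaced by an in-memory table so the logic runs
offline; in the real service `has_privilege` would be a live Conjur permission
check on the host that represents the registry.
"""
from typing import Callable, Dict, List, Set, Tuple

# Name of the Conjur host representing the registry (CONJUR_REGISTRY_HOST_NAME).
# Hypothetical value chosen for this example.
REGISTRY_HOST = "registry"

# Constructed stand-in for Conjur: role -> privileges held on REGISTRY_HOST.
CONSTRUCTED_GRANTS: Dict[str, Set[str]] = {
    "alice": {"pull", "push"},  # in the pushers group: push *and* pull
    "bob": {"pull"},            # in the pullers group
    "carol": {"push"},          # misconfigured: push without pull
    "mallory": set(),           # no privilege on the registry host
}

# Signature of the check: (role, privilege, resource) -> bool
PrivilegeCheck = Callable[[str, str, str], bool]


def conjur_stub(role: str, privilege: str, resource: str) -> bool:
    """Stand-in for asking Conjur whether `role` holds `privilege` on `resource`."""
    return resource == REGISTRY_HOST and privilege in CONSTRUCTED_GRANTS.get(role, set())


def parse_scope(scope: str) -> Tuple[str, str, List[str]]:
    """Parse one token scope such as 'repository:library/alpine:pull,push'.

    The type is everything before the first ':' and the actions everything
    after the last ':', so a name like 'localhost:5000/app' survives intact.
    """
    try:
        scope_type, rest = scope.split(":", 1)
        name, actions = rest.rsplit(":", 1)
    except ValueError:
        raise ValueError(f"malformed scope: {scope!r}") from None
    if not (scope_type and name and actions):
        raise ValueError(f"malformed scope: {scope!r}")
    return scope_type, name, actions.split(",")


def get_allowed_actions(role: str, scope_type: str, name: str, requested: List[str],
                        has_privilege: PrivilegeCheck = conjur_stub) -> List[str]:
    """Return the subset of `requested` actions `role` may perform.

    Same (type, name) shape the README describes for app.py. The decision is
    per action: 'pull' needs pull privilege and 'push' needs push privilege on
    the registry host; any other type or action ('*', 'delete') is refused.
    `name` is unused because the check is registry-wide, but it is where a
    per-repository policy would hook in.
    """
    if scope_type != "repository":
        return []
    return [action for action in requested
            if action in ("pull", "push") and has_privilege(role, action, REGISTRY_HOST)]


def build_access_claims(role: str, scopes: List[str],
                        has_privilege: PrivilegeCheck = conjur_stub) -> List[dict]:
    """Build the `access` list for a token response from raw scope strings.

    Scopes with nothing granted are dropped instead of being emitted with an
    empty action list, so the token carries only what was actually authorized.
    """
    claims = []
    for scope in scopes:
        scope_type, name, requested = parse_scope(scope)
        actions = get_allowed_actions(role, scope_type, name, requested, has_privilege)
        if actions:
            claims.append({"type": scope_type, "name": name, "actions": actions})
    return claims


def simulate_docker_push(role: str, repo: str,
                         has_privilege: PrivilegeCheck = conjur_stub) -> str:
    """Model the README's point that a push needs pull privilege too.

    The client first checks whether the image already exists (a pull-scoped
    request) and only then pushes, so a role with push but no pull fails
    before it ever reaches the push step.
    """
    for step in ("pull", "push"):
        if step not in get_allowed_actions(role, "repository", repo, [step], has_privilege):
            return f"denied at {step} step"
    return "push authorized"


if __name__ == "__main__":
    for user in CONSTRUCTED_GRANTS:
        print(user, build_access_claims(user, ["repository:app:pull,push"]),
              simulate_docker_push(user, "app"))
```

Running the block shows alice granted pull and push, bob granted pull only (and refused at the push step), carol refused at the pull step despite holding push, and mallory receiving no claims at all. To wire this to a real deployment, replace conjur_stub with a function that calls Conjur's permission check for the authenticated login against CONJUR_REGISTRY_HOST_NAME.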


TODO:

  • Add a webservice to the policy to represent the registry


Contributors

  • dustinmm80
  • kgilpin

