Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential issue with path-specific authentication keys in Docker config.json #1597

Open
1 task
TommsNL opened this issue Dec 20, 2024 · 6 comments
Open
1 task

Potential issue with path-specific authentication keys in Docker config.json #1597

TommsNL opened this issue Dec 20, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@TommsNL
Copy link

TommsNL commented Dec 20, 2024
edited
Loading

What happened in your environment?

When using a config.json file with path-specific keys in the auths section (e.g., subdomain.harbor.com/team-a), ORAS does not appear to use these specific keys for authentication. Instead, it defaults to using the general host key (e.g., subdomain.harbor.com), even if a more specific key exists.

This issue creates challenges when managing registries with different authentication scopes for specific paths.

Example:

Given the following config.json:

{
    "auths": {
        "subdomain.harbor.com/team-a": {
            "auth": "BASE64_ENCODED_CREDS_TEAM_A"
        },
        "subdomain.harbor.com": {
            "auth": "BASE64_ENCODED_GENERAL_CREDS"
        }
    }
}

When running:

oras push --artifact-type application/x-gzip subdomain.harbor.com/team-a/artifact:1.0.0 artifact.tar.gz

ORAS appears to use the credentials for subdomain.harbor.com instead of subdomain.harbor.com/team-a.

I tested this behavior by setting up multiple credentials in the auths section with path-specific keys.

What did you expect to happen?

I expected ORAS to:

  1. Look for an exact match of the registry key, including paths (e.g., subdomain.harbor.com/team-a).
  2. Use the path-specific credentials if a match is found.
  3. Fallback to the general host key (subdomain.harbor.com) only if no exact match exists.

This behavior aligns with Docker's implementation for config.json files and is essential for managing credentials with path-specific scopes.

How can we reproduce it?

Scenario 1: Path-specific key only

  1. Create a config.json file with the following structure:
{
    "auths": {
        "subdomain.harbor.com/team-a": {
            "auth": "BASE64_ENCODED_CREDS_TEAM_A"
        }
    }
}
  1. Attempt to perform an oras push to subdomain.harbor.com/team-a
  2. Expected behavior: ORAS should use the path-specific credentials for subdomain.harbor.com/team-a and successfully push the artifact.
  3. Observed behavior: ORAS returns a 401 Unauthorized error, indicating that it failed to pick up the path-specific credentials.

Scenario 2: General host key only

  1. Create a config.json file with only the general host key:
{
    "auths": {
        "subdomain.harbor.com": {
            "auth": "BASE64_ENCODED_CREDS_TEAM_A"
        }
    }
}
  1. Attempt to perform an oras push to subdomain.harbor.com/team-a
  2. Expected behavior: ORAS should fallback to the general host key and successfully push the artifact.
  3. Observed behavior: ORAS successfully pushes the artifact, confirming that it uses the general host key.

By testing both scenarios, we can verify whether ORAS properly distinguishes between general and path-specific keys in the auths section of config.json. This distinction is critical for managing credentials in environments with path-specific scopes.

What registry are we using?

Harbor (https://goharbor.io/)

What is the version of your ORAS CLI?

Oras Version: 1.2.0

What is your OS environment?

Red Hat Universal Base Image 8 (So based on RHEL 8)

Are you willing to submit PRs to fix it?

  • Yes, I am willing to fix it.
@TommsNL TommsNL added bug Something isn't working triage New issues or PRs to be acknowledged by maintainers labels Dec 20, 2024
@Wwwsylvia
Copy link
Member

Hi @TommsNL , this is a known limitation and the repository-level auth is currently not supported. We are tracking the feature request on the backing library repo: oras-project/oras-go#840

@TommsNL
Copy link
Author

TommsNL commented Dec 20, 2024

Hi @TommsNL , this is a known limitation and the repository-level auth is currently not supported. We are tracking the feature request on the backing library repo: oras-project/oras-go#840

Thanks for the reply @Wwwsylvia i'll be tracking oras-project/oras-go#840 then

@TerryHowe
Copy link
Member

I thought Harbor called them namespaces

@shizhMSFT shizhMSFT added enhancement New feature or request and removed bug Something isn't working triage New issues or PRs to be acknowledged by maintainers labels Dec 30, 2024
@FeynmanZhou
Copy link
Member

Support retrieve and authenticate with path-specific authentication keys in config.json sounds like a valid feature request to me.

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 9, 2025

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the stale Inactive issues or pull requests label Mar 9, 2025
@TerryHowe
Copy link
Member

This might be covered by the registries.conf feature that was talked about. I still haven't read the spec though.

@github-actions github-actions bot removed the stale Inactive issues or pull requests label Mar 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@TerryHowe @TommsNL @Wwwsylvia @shizhMSFT @FeynmanZhou