User can get only blobs he's able to see #9819
Conversation
|
Quick&dirty. I'll polish tomorrow. [test] |
miminar
force-pushed
the
remote-layer-federation
branch
2 times, most recently
from
31602ff to
cf0b321
Compare
miminar
changed the title
| @@ -463,6 +463,8 @@ func ImageWithMetadata(image *Image) error { | |||
| return nil | |||
| } | |||
|
|
|||
| image.DockerImageManifestMediaType = schema1.MediaTypeManifest | |||
There was a problem hiding this comment.
We'll need the migrator in order to make this work then? How will a user upgrading get the correct behavior? Or is this just extra data we forgot?
There was a problem hiding this comment.
It should be already set for all the schema2 manifests. It's set by the registry on a push and by importer on import. All the code using this field is written with this in mind (empty value is considered as schema v1).
miminar
force-pushed
the
remote-layer-federation
branch
from
cf0b321 to
66991bf
Compare
| os::cmd::expect_success "oc tag --source docker centos/ruby-22-centos7:latest -n custom ruby-22-centos7:latest" | ||
| os::cmd::expect_success 'oc policy add-role-to-user registry-viewer pusher -n custom' | ||
|
|
||
| os::cmd::expect_success_and_text "curl -I -X HEAD -u 'pusher:${pusher_token}' '${DOCKER_REGISTRY}/v2/crossmount/repo/blobs/$rubyimageblob'" "404 Not Found" |
There was a problem hiding this comment.
Can you do a test of cross mount of a pull through image? If it's currently broken due to the lookup problem that's ok, I just want a test either way.
There was a problem hiding this comment.
Can you do a test of cross mount of a pull through image? If it's currently broken due to the lookup problem that's ok, I just want a test either way.
See the last curl. I'll add a pullthrough comment so it's obvious.
miminar
force-pushed
the
remote-layer-federation
branch
3 times, most recently
from
614f3bb to
1bb6fba
Compare
| return false | ||
| } | ||
|
|
||
| if managed := image.Annotations[imageapi.ManagedByOpenShiftAnnotation]; requireManaged && managed != "true" { |
There was a problem hiding this comment.
If you've tagged in an image successfully, you've proved you have access to it. All this case guards against is pullthrough (for now). Can you add a comment describing why this is needed?
miminar
force-pushed
the
remote-layer-federation
branch
3 times, most recently
from
67e7975 to
29c2108
Compare
| isCrossMount, err := checkPendingCrossMountErrors(ctx, opts) | ||
| if isCrossMount { | ||
| if err != nil { | ||
| context.GetLogger(ctx).Infof("disabling cross-repo mount because o error: %v", err) |
|
Why we want to carry a patch to distribution? Have we tried upstreaming the fix? |
| os::cmd::expect_success_and_text "curl -I -X HEAD -u 'pusher:${pusher_token}' '${DOCKER_REGISTRY}/v2/crossmount/repo/blobs/$rubyimageblob'" "404 Not Found" | ||
| os::cmd::expect_success_and_text "curl -I -X HEAD -u 'pusher:${pusher_token}' '${DOCKER_REGISTRY}/v2/cache/ruby-22-centos7/blobs/$rubyimageblob'" "200 OK" | ||
| # 202 means that cross-repo mount has failed (in this case because of blob doesn't exist in the source repository), client needs to reupload the blob | ||
| os::cmd::expect_success_and_text "curl -I -X POST -u 'pusher:${pusher_token}' '${DOCKER_REGISTRY}/v2/crossmount/repo/blobs/uploads/?mount=$rubyimageblob&from=cache/hello-world'" "202 Accepted" |
There was a problem hiding this comment.
Add negative tests that verify a user who doesn't have access gets an explicit error on push (when nothing is mounted). Also that they can't access the blob directly, and that users don't have access to the blobs. Tests probably need to be both here and in the unit tests.
There was a problem hiding this comment.
Tests probably need to be both here and in the unit tests.
Auth unit tests seem sufficient to me. Additional negative tests have been just added by @liggitt's d179662#diff-4ea7c8f0aaeae849c3760842d6b42c60R194
There was a problem hiding this comment.
I don't think they cover it, we need blob tests for authenticated users,
and users with similar / overlapping namespace permissions. We also need
to explicitly call out the cached permissions behavior with a test.
On Wed, Jul 20, 2016 at 8:31 AM, Michal Minar [email protected]
wrote:
In test/end-to-end/core.sh
#9819 (comment):echo "[INFO] Back to 'default' project with 'admin' user..."
os::cmd::expect_success "oc project ${CLUSTER_ADMIN_CONTEXT}"
os::cmd::expect_success_and_text 'oc whoami' 'system:admin'
+os::cmd::expect_success "oc tag --source docker centos/ruby-22-centos7:latest -n custom ruby-22-centos7:latest"
+os::cmd::expect_success 'oc policy add-role-to-user registry-viewer pusher -n custom'
+
+os::cmd::expect_success_and_text "curl -I -X HEAD -u 'pusher:${pusher_token}' '${DOCKER_REGISTRY}/v2/crossmount/repo/blobs/$rubyimageblob'" "404 Not Found"
+os::cmd::expect_success_and_text "curl -I -X HEAD -u 'pusher:${pusher_token}' '${DOCKER_REGISTRY}/v2/cache/ruby-22-centos7/blobs/$rubyimageblob'" "200 OK"
+# 202 means that cross-repo mount has failed (in this case because of blob doesn't exist in the source repository), client needs to reupload the blob
+os::cmd::expect_success_and_text "curl -I -X POST -u 'pusher:${pusher_token}' '${DOCKER_REGISTRY}/v2/crossmount/repo/blobs/uploads/?mount=$rubyimageblob&from=cache/hello-world'" "202 Accepted"Tests probably need to be both here and in the unit tests.
Auth unit tests
https://github.com/openshift/origin/blob/master/pkg/dockerregistry/server/auth_test.go
seem sufficient to me. Additional negative tests have been just added by
@liggitt https://github.com/liggitt's d179662
#diff-4ea7c8f0aaeae849c3760842d6b42c60R194
d179662#diff-4ea7c8f0aaeae849c3760842d6b42c60R194—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/openshift/origin/pull/9819/files/1742dd1c7e2f56e7e52207e5c024ed830ea84fca..29c2108e28e979ea31cba31a000179b8c1073bd5#r71515054,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p2Dy62mVK6zrq3BOM54Vd-LWd_0_ks5qXhUIgaJpZM4JLnQb
.
There was a problem hiding this comment.
we need blob tests for authenticated users, and users with similar / overlapping namespace permissions.
I'm not sure what is needed here. Is a scenario where:
- bob creates a namespace N and tags image there, he can pull and push
- alice cannot pull, nor push to N
- admin gives alice an admin role in N, she can pull and push there
- admin gives joe a view role in N, he can only pull
- admin gives joe an edit role as will, he can now pull and push
Enough? Or do you have something more complex in mind?
We also need to explicitly call out the cached permissions behavior with a test.
The cache part is problematic or rather broken. Our cache evicts with configured timeout. Upstream inmemory cache, however, does not. So when a stat on a blob X in a repository R happens after a manual untag of an image containing it:
- our
blobDescriptorServicefinds out that the X<->R association is too old and removes it - it passes the request down to
cachedBlobStatterthat finds the association and succeeds
With the manual untag, the blob won't ever be cleared from the cachedBlobStatter until registry's restart.
During the image pruning, the blob will be cleared thoroughly both from the cache and the storage.
I can add a test case for the pruning case. The former case is unfortunately broken unless we disable or implement our own replacement for inmemory cache or until we store the links in etcd.
miminar
force-pushed
the
remote-layer-federation
branch
3 times, most recently
from
5efda24 to
82fc7c9
Compare
| // ForgetDigest removes an association between given digest and repository from the cache. | ||
| func (c digestToRepositoryCache) ForgetDigest(dgst digest.Digest, repo string) { | ||
| key := dgst.String() | ||
| value, ok := c.Get(key) |
There was a problem hiding this comment.
not sure we want to bump to the front of the LRU cache when removing a repo... maybe use Peek() instead?
There was a problem hiding this comment.
not sure we want to bump to the front of the LRU cache when removing a repo... maybe use Peek() instead?
Good catch. Fixed.
|
nits on digestcache, can address in a follow-up if you want, LGTM |
miminar
force-pushed
the
remote-layer-federation
branch
from
82fc7c9 to
b8326dc
Compare
Thanks a lot! It's totally different PR now with your suggestions applied. But each one made it a lot better. |
miminar
force-pushed
the
remote-layer-federation
branch
from
b8326dc to
25f06a6
Compare
For security reasons, evict stale pairs of (blob, repository) from cache. So when an image is untagged from image stream, registry will deny access to its blobs. Also fixed a bug in digestcache where the first association for particular digest was lost and once. Signed-off-by: Michal Minář <[email protected]>
Turned blob repository ttl into a config option. Also allowed for overrides using env var REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_BLOBREPOSITORYCACHETTL. Signed-off-by: Michal Minar <[email protected]>
Use much smaller image for pulls. Also Deal with multiple image candidates for deletion. Signed-off-by: Michal Minář <[email protected]>
Signed-off-by: Michal Minář <[email protected]>
Signed-off-by: Michal Minář <[email protected]>
Signed-off-by: Michal Minář <[email protected]>
miminar
force-pushed
the
remote-layer-federation
branch
from
25f06a6 to
db956d8
Compare
|
Flake #10008 |
|
Evaluated for origin test up to db956d8 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7543/) |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7543/) (Image: devenv-rhel7_4779) |
|
[merge] #9938 |
|
Evaluated for origin merge up to db956d8 |
Closes #9755, closes #6841
This PR fixes several issues:
The 1st issue is addressed by replacing regular layer link Stat call done in our blobDescriptorService with a fall-back to image stream images in etcd. The blob must exist either locally or remotely if a remote image is tagged in the image stream. If it's tagged locally, the blob<->repository cache will be checked before the etcd query.
It's blobDescriptorService is nearly a lowest possible level where we can intercept Stat calls on local blobs. Unfortunately blob descriptor service doesn't know, which repository is being accessed without being told via context. That's why upper layers need to set repository on the context for every method that may invoke Stat or Clear on a local layer link.
The fix for 2nd issue is applies only to local repositories. Mounting from remotes needs to be addressed specifically. There's a follow-up #10120.