Allow anonymous registry access

[liggitt]

Docker registry updates:

• Allows registry auth to recognize bearer tokens in addition to basic auth
• Responds to a missing Authorization header with a Bearer challenge, directing to a token handling endpoint
• Adds a token handling endpoint to the registry image at /openshift/token:
  • Issues an anonymous token (literally "anonymous") to token requests that include no Authorization header
  • Validates a basic auth password sent to a token request as an API token, then echoes it as the granted token

Policy updates:

• Adds an self-access-reviewer role (name up for grabs)
• Grants that role to all users (authenticated and unauthenticated) by default

Use:

To allow anonymous users to pull images from a particular project:

oc policy add-role-to-user registry-viewer system:anonymous -n myproject

To allow anonymous users to pull images from all projects:

oadm policy add-cluster-role-to-user registry-viewer system:anonymous

[liggitt]

[test]

[liggitt]

copying cc from #9881: @pweil- @smarterclayton @mfojtik @deads2k @liggitt @Kargakis @soltysh @miminar

[smarterclayton]

Looks reasonably not crazy

[miminar]

Seems like comma is missing before service.

[soltysh]

LGTM, but I'm wondering if that test failure is a flake or actual problem.

[liggitt]

yeah, I had a different docker client version locally, so the message output was slightly different. updated the test.

[liggitt]

conformance and integration flaked on #8571

[aweiteka]

cc @brianwcook

[aweiteka]

Grants that role to all users (authenticated and unauthenticated) by default

I'm confused why this role is granted to all users by default. I'm assuming all project images must be granted this access. Can you give an example command for how a project admin would enable unauthenticated pulls for their project?

[aweiteka]

Why not just self-access-viewer?

[liggitt]

because all the APIs that check access are *Review (SubjectAccessReview, etc)

[liggitt]

I'm confused why this role is granted to all users by default

The self-access-reviewer role simply allows users to ask the API "can I do X?". It does not grant access to images.

Registry authorization works by asking the API (as the user doing the push/pull) "can I get imagestreams/layers in namespace foo?" or "can I update imagestreams/layers in namespace foo?". For anonymous pulls/pushes to work, anonymous users must be able to check anonymous access to a particular action.

I'm assuming all project images must be granted this access. Can you give an example command for how a project admin would enable unauthenticated pulls for their project?

For a particular project:

oc policy add-role-to-user registry-viewer system:anonymous -n myproject

For all projects:

oadm policy add-cluster-role-to-user registry-viewer system:anonymous

[liggitt]

flaked six ways from Sunday, but passed all the e2e tests related to anonymous pulling/pushing. [merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/6529/) (Image: devenv-rhel7_4627)

[openshift-bot]

Evaluated for origin merge up to d179662

[openshift-bot]

Evaluated for origin test up to d179662

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/6530/)