feat: integrate openID auth logic and user profile management (#1381)

This change introduces OpenID authn by using providers such as GitHub,
GitLab, Google and Dex.
User sessions are now used for web clients to identify
and persist an authenticated user's session, thus not requiring every request to
use credentials.
Another change is the API key feature: users can create/revoke their API keys and use them
to authenticate when using CLI clients such as skopeo.

e.g.:
login:
/auth/login?provider=github
/auth/login?provider=gitlab
and so on

logout:
/auth/logout

redirectURL:
/auth/callback/github
/auth/callback/gitlab
and so on

If network policy doesn't allow inbound connections, this callback won't work!

For more info, read the documentation added in this commit.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
peusebiu
2023-07-07 19:27:10 +03:00
committed by GitHub
parent 5494a1b8d6
commit 17d1338af1
51 changed files with 5467 additions and 624 deletions
+121 -7
@@ -18,13 +18,20 @@ Examples of working configurations for various use cases are available [here](..
# Configuration Parameters
* [Network](#network)
* [Storage](#storage)
* [Authentication](#authentication)
* [Identity-based Authorization](#identity-based-authorization)
* [Logging](#logging)
* [Metrics](#metrics)
* [Sync](#sync)
- [Configuration Parameters](#configuration-parameters)
- [Network](#network)
- [Storage](#storage)
- [Authentication](#authentication)
- [TLS Mutual Authentication](#tls-mutual-authentication)
- [Passphrase Authentication](#passphrase-authentication)
- [Authentication Failures](#authentication-failures)
- [API keys](#api-keys)
- [Identity-based Authorization](#identity-based-authorization)
- [Logging](#logging)
- [Metrics](#metrics)
- [Storage Drivers](#storage-drivers)
- [Specifying S3 credentials](#specifying-s3-credentials)
- [Sync](#sync)
## Network
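Review bot: the rebuilt table of contents omits the two headings this same commit adds further down, `### OpenID/OAuth2 social login` and `### Session based login`, while it does list unrelated pre-existing sections such as Storage Drivers and Specifying S3 credentials. Add `- [OpenID/OAuth2 social login](#openidoauth2-social-login)` and `- [Session based login](#session-based-login)` under the Authentication entry, next to TLS Mutual Authentication and Passphrase Authentication, so the new login options are discoverable from the top of the page.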
@@ -162,6 +169,98 @@ NOTE: When both htpasswd and LDAP configuration are specified, LDAP authenticati
}
```
### OpenID/OAuth2 social login
zot supports several openID/OAuth2 providers:
- google
- github
- gitlab
- dex
zot can be configured to use the above providers with:
```
{
"http": {
"auth": {
"openid": {
"providers": {
"github": {
"clientid": <client_id>,
"clientsecret": <client_secret>,
"scopes": ["read:org", "user", "repo"]
},
"google": {
"issuer": "https://accounts.google.com",
"clientid": <client_id>,
"clientsecret": <client_secret>,
"scopes": ["openid", "email"]
},
"gitlab": {
"issuer": "https://gitlab.com",
"clientid": <client_id>,
"clientsecret": <client_secret>,
"scopes": ["openid", "read_api", "read_user", "profile", "email"]
}
}
}
}
}
```
the login with either provider use http://127.0.0.1:8080/auth/login?provider=\<provider\>&callback_ui=http://127.0.0.1:8080/home
for example to login with github use http://127.0.0.1:8080/auth/login?provider=github&callback_ui=http://127.0.0.1:8080/home
callback_ui query parameter is used by zot to redirect to UI after a successful openid/oauth2 authentication
the callback url which should be used when making oauth2 provider setup is http://127.0.0.1:8080/auth/callback/\<provider\>
for example github callback url would be http://127.0.0.1:8080/auth/callback/github
If network policy doesn't allow inbound connections, this callback wont work!
dex is an identity service that uses OpenID Connect to drive authentication for other apps https://github.com/dexidp/dex
To setup dex service see https://dexidp.io/docs/getting-started/
to configure zot as a client in dex (assuming zot is hosted at 127.0.0.1:8080), we need to configure dex with:
```
staticClients:
- id: zot-client
redirectURIs:
- 'http://127.0.0.1:8080/auth/callback/dex'
name: 'zot'
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
```
zot can be configured to use dex with:
```
"http": {
"auth": {
"openid": {
"providers": {
"dex": {
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0",
"keypath": "",
"issuer": "http://127.0.0.1:5556/dex",
"scopes": ["openid", "profile", "email", "groups"]
}
}
}
}
}
```
to login using openid dex provider use http://127.0.0.1:8080/auth/login?provider=dex
### Session based login
Whenever a user logs in zot using any of the auth options available(basic auth/openid) zot will set a 'session' cookie on its response.
Using that cookie on subsequent calls will authenticate them, asumming the cookie didn't expire.
In case of using filesystem storage sessions are saved in zot's root directory.
In case of using cloud storage sessions are saved in memory.
#### Authentication Failures
Should authentication fail, to prevent automated attacks, a delayed response can be configured with:
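Review bot: the `callback_ui` query parameter in `/auth/login?provider=<provider>&callback_ui=http://127.0.0.1:8080/home` is a redirect target chosen by whoever builds the login link, and the text only says zot "redirects to UI after a successful openid/oauth2 authentication" without saying whether that value is restricted to zot's own origin. If it is not restricted, a crafted login link turns the flow into an open redirect that drops a freshly authenticated user on an arbitrary site; document the check that is applied (same host as the registry, or a configured UI base URL) or add one. Three smaller points in the same hunk: the GitHub example requests `["read:org", "user", "repo"]`, where `repo` is full access to the user's private repositories and `user` is read/write on the profile, far more than sign-in needs, so trim it to `read:user`/`user:email` plus `read:org` if org membership is used; `"keypath": ""` appears in the dex block but is never explained, so either document it or drop it from the example; and the Session based login paragraph should state the cookie's expiry and attributes and spell out that "saved in memory" for cloud storage means sessions do not survive a restart and are not shared between replicas behind a load balancer. Typos: "asumming", "wont", "the login with either provider use".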
@@ -172,6 +271,21 @@ Should authentication fail, to prevent automated attacks, a delayed response can
"failDelay": 5
```
#### API keys
zot allows authentication for REST API calls using your API key as an alternative to your password.
for more info see [API keys doc](../pkg/extensions/README_apikey.md)
To activate API keys use:
```
"extensions": {
"apikey": {
"enable": true
}
}
```
## Identity-based Authorization
Allowing actions on one or more repository paths can be tied to user
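Review bot: the API keys section says a key can be used "as an alternative to your password" but never shows how the key is presented to zot (as the password in HTTP basic auth, or in some header) nor how a key is created or revoked, which the commit message says users can now do; one concrete line here, for example a `skopeo login` or `curl -u <user>:<apikey>` call against the registry, would let a reader use the feature without following the link to `README_apikey.md`. Also, the `"failDelay": 5` setting just above carries no unit in the surrounding text; state that it is seconds so operators do not set it expecting milliseconds.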
+121
@@ -0,0 +1,121 @@
{
"distSpecVersion": "1.1.0-dev",
"extensions": {
"metrics": {
"enable": true,
"prometheus": {
"path": "/metrics"
}
},
"mgmt": {
"enable": true
},
"scrub": {
"enable": true,
"interval": "24h"
},
"search": {
"cve": {
"updateInterval": "2h"
},
"enable": true
},
"sync": {
"enable": true,
"registries": [
{
"content": [
{
"destination": "/docker.io",
"prefix": "**"
}
],
"onDemand": true,
"tlsVerify": true,
"urls": [
"https://docker.io/library"
]
},
{
"content": [
{
"destination": "/registry.gitlab.com",
"prefix": "**"
}
],
"onDemand": true,
"tlsVerify": true,
"urls": [
"https://registry.gitlab.com"
]
},
{
"content": [
{
"destination": "ghcr.io",
"prefix": "**"
}
],
"onDemand": true,
"tlsVerify": true,
"urls": [
"https://ghcr.io"
]
},
{
"content": [
{
"destination": "/quay.io",
"prefix": "**"
}
],
"onDemand": true,
"tlsVerify": true,
"urls": [
"https://quay.io"
]
},
{
"content": [
{
"destination": "/gcr.io",
"prefix": "**"
}
],
"onDemand": true,
"tlsVerify": true,
"urls": [
"https://gcr.io"
]
},
{
"content": [
{
"destination": "/registry.k8s.io",
"prefix": "**"
}
],
"onDemand": true,
"tlsVerify": true,
"urls": [
"https://registry.k8s.io"
]
}
]
},
"ui": {
"enable": true
}
},
"http": {
"address": "0.0.0.0",
"port": "5000"
},
"log": {
"level": "debug"
},
"storage": {
"gc": true,
"rootDirectory": "/tmp/zot"
}
}
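Review bot: `"destination": "ghcr.io"` in the third sync entry lacks the leading slash that every other destination in the file has (`/docker.io`, `/registry.gitlab.com`, `/quay.io`, `/gcr.io`, `/registry.k8s.io`); change it to `"/ghcr.io"` so all mirrored content lands under a consistent path layout. Separately, this example listens on `"address": "0.0.0.0"` with no `auth` block at all while enabling `mgmt`, `search` and `ui` and syncing `"prefix": "**"` on demand from six upstreams, with `"level": "debug"` logging; since it reads as a copy-paste template, the README that points at it should say it is an unauthenticated, all-interfaces configuration meant for local testing, or the file should gain an `auth`/`accessControl` stanza like the other example in this commit.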
+75
@@ -0,0 +1,75 @@
{
"distSpecVersion": "1.1.0-dev",
"storage": {
"rootDirectory": "/tmp/zot",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "8080",
"realm": "zot",
"auth": {
"htpasswd": {
"path": "test/data/htpasswd"
},
"openid": {
"providers": {
"github": {
"clientid": "client_id",
"clientsecret": "client_secret",
"keypath": "",
"scopes": ["read:org", "user", "repo"]
},
"google": {
"issuer": "https://accounts.google.com",
"clientid": "client_id",
"clientsecret": "client_secret",
"scopes": ["openid", "email"]
},
"gitlab": {
"issuer": "https://gitlab.com",
"clientid": "client_id",
"clientsecret": "client_secret",
"scopes": ["openid", "read_api", "read_user", "profile", "email"]
},
"dex": {
"issuer": "http://127.0.0.1:5556/dex",
"clientid": "client_id",
"clientsecret": "client_secret",
"scopes": ["openid", "user", "email", "groups"]
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"policies": [
{
"users": [
"test"
],
"actions": [
"read",
"create"
]
}
],
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug"
},
"extensions": {
"apikey": {
"enable": true
},
"mgmt": {
"enable": true
}
}
}
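Review bot: the dex provider here requests `["openid", "user", "email", "groups"]`, which disagrees with the README example added in the same commit, where the dex scopes are `["openid", "profile", "email", "groups"]`; `user` is not a standard OpenID Connect scope, so align this file with the README and use `profile`. Two smaller points: the `github` entry carries `"keypath": ""` while the same README example for github does not, so pick one form for the examples; and since this file holds both an `htpasswd` path and `clientsecret` values, the accompanying docs should tell operators that the config file must be readable only by the zot user, or that the secrets should be injected rather than committed.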