Registry Token Server Enhancements

This commit enhances the registry token server with the following
- "public" is now treated as a public repo and all Docker users are
  allowed to pull from it.
- the "paused" and "acmesolver" images are treated as public images,
  where any user is allowed to pull. This is because acmesolver needs
  to be deployed in namespaces without access to the admin pull secret
- the "mtce" repo is now closed to the "mtce" user. we are treating
  this repo as "reserved for internal use". This is because we are
  going to use "mtce" as a public user. Admin accounts can still
  push to the "mtce" repo

Partial-bug: 1894930

Change-Id: I8faeaffee61a483eb8802fbae3f5d14fda226004
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
This commit is contained in:
Jerry Sun 2020-10-07 12:22:52 -04:00
parent 9aed7196fa
commit 0c7c1ac2da
2 changed files with 43 additions and 2 deletions

View File

@ -8,4 +8,4 @@ COPY_LIST=" \
$STX_BASE/downloads/gophercloud-gophercloud-aa00757ee3ab58e53520b6cb910ca0543116400a.tar.gz \ $STX_BASE/downloads/gophercloud-gophercloud-aa00757ee3ab58e53520b6cb910ca0543116400a.tar.gz \
$STX_BASE/downloads/gorilla-mux-599cba5e7b6137d46ddf58fb1765f5d928e69604.tar.gz \ $STX_BASE/downloads/gorilla-mux-599cba5e7b6137d46ddf58fb1765f5d928e69604.tar.gz \
" "
TIS_PATCH_VER=2 TIS_PATCH_VER=PKG_GITREVCOUNT

View File

@ -180,10 +180,51 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
grantedAccessList := make([]auth.Access, 0, len(requestedAccessList)) grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
for _, access := range requestedAccessList { for _, access := range requestedAccessList {
if access.Type == "repository" { if access.Type == "repository" {
publicRepos := []string{"public/"}
// pause is usually used as a test deployment by kubernetes and deployed without pull secrets
// acmesolver is deployed in a namespace that don't have access to pull secrets
publicImages := []string{"k8s.gcr.io/pause",
"quay.io/jetstack/cert-manager-acmesolver"}
// this controls our own authorization rules like admin accounts and public repos/images
// if authorized through other means, skip the usual authorization policy of
// user can only interact with their own repo
skipStandardAuthz := false
// public repo allows all images too be pulled by everyone
if strings.EqualFold(access.Action, "pull") {
for _, publicRepo := range publicRepos {
if strings.HasPrefix(access.Name, publicRepo) {
skipStandardAuthz = true
}
}
}
// public images can be pulled by anyone, even though they sit in private repos
if strings.EqualFold(access.Action, "pull") {
for _, publicImage := range publicImages {
if access.Name == publicImage {
skipStandardAuthz = true
}
}
}
// filter access to repos if the user is not "admin" or "sysinv" // filter access to repos if the user is not "admin" or "sysinv"
// need to have a "/" at the end because it adds one at the beginning of the fcn // need to have a "/" at the end because it adds one at the beginning of the fcn
// probably to prevent people making accounts like "adminnot" to steal admin powers // probably to prevent people making accounts like "adminnot" to steal admin powers
if !strings.HasPrefix(access.Name, scope) && scope != "admin/" && scope != "sysinv/" { if scope == "admin/" || scope == "sysinv/" {
skipStandardAuthz = true
}
// we do not allow "mtce" to access the mtce repo because it is reserved for internal use
// we still allow the admin accounts to access the "mtce repo though
if strings.HasPrefix(access.Name, scope) && scope == "mtce/" {
dcontext.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
continue
}
if !strings.HasPrefix(access.Name, scope) && !skipStandardAuthz {
dcontext.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name) dcontext.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
continue continue
} }