mirror of
https://github.com/project-zot/zot.git
synced 2025-01-13 22:50:38 -05:00
17d1338af1
This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
80 lines
2.9 KiB
Markdown
80 lines
2.9 KiB
Markdown
# `mgmt`
|
|
|
|
`mgmt` component provides an endpoint for configuration management
|
|
|
|
Response depends on the user privileges:
|
|
- unauthenticated and authenticated users will get a stripped config
|
|
- admins will get full configuration with passwords hidden (not implemented yet)
|
|
|
|
|
|
| Supported queries | Input | Output | Description |
|
|
| --- | --- | --- | --- |
|
|
| [Get current configuration](#get-current-configuration) | None | config json | Get current zot configuration |
|
|
| [Upload a certificate](#post-certificate) | certificate | None | Add certificate for verifying notation signatures|
|
|
| [Upload a public key](#post-public-key) | public key | None | Add public key for verifying cosign signatures |
|
|
|
|
## General usage
|
|
The mgmt endpoint accepts as a query parameter what `resource` is targeted by the request and then all other required parameters for the specified resource. The default value of this
|
|
query parameter is `config`.
|
|
|
|
## Get current configuration
|
|
|
|
**Sample request**
|
|
|
|
```bash
|
|
curl http://localhost:8080/v2/_zot/ext/mgmt | jq
|
|
```
|
|
|
|
**Sample response**
|
|
|
|
```json
|
|
{
|
|
"distSpecVersion": "1.1.0-dev",
|
|
"binaryType": "-sync-search-scrub-metrics-lint-ui-mgmt",
|
|
"http": {
|
|
"auth": {
|
|
"htpasswd": {},
|
|
"bearer": {
|
|
"realm": "https://auth.myreg.io/auth/token",
|
|
"service": "myauth"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
If ldap or htpasswd are enabled mgmt will return `{"htpasswd": {}}` indicating that clients can authenticate with basic auth credentials.
|
|
|
|
If any key is present under `'auth'` key, in the mgmt response, it means that particular authentication method is enabled.
|
|
|
|
## Configure zot for verifying signatures
|
|
If the `resource` is `signatures` then the mgmt endpoint accepts as a query parameter the `tool` that corresponds to the uploaded file and then all other required parameters for the specified tool.
|
|
|
|
### Upload a certificate
|
|
|
|
**Sample request**
|
|
|
|
| Tool | Parameter | Parameter Type | Parameter Description |
|
|
| --- | --- | --- | --- |
|
|
| notation | truststoreType | string | The type of the truststore. This parameter is optional and its default value is `ca` |
|
|
| | truststoreName | string | The name of the truststore |
|
|
|
|
```bash
|
|
curl --data-binary @certificate.crt -X POST http://localhost:8080/v2/_zot/ext/mgmt?resource=signature&tool=notation&truststoreType=ca&truststoreName=newtruststore
|
|
```
|
|
As a result of this request, the uploaded file will be stored in `_notation/truststore/x509/{truststoreType}/{truststoreName}` directory under $rootDir. And `truststores` field from `_notation/trustpolicy.json` file will be updated.
|
|
|
|
### Upload a public key
|
|
|
|
**Sample request**
|
|
|
|
| Tool | Parameter | Parameter Type | Parameter Description |
|
|
| --- | --- | --- | --- |
|
|
| cosign |
|
|
|
|
|
|
```bash
|
|
curl --data-binary @publicKey.pub -X POST http://localhost:8080/v2/_zot/ext/mgmt?resource=signature&tool=cosign
|
|
```
|
|
|
|
As a result of this request, the uploaded file will be stored in `_cosign` directory under $rootDir.
|