mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
zot/pkg/extensions/README_mgmt.md
peusebiu 17d1338af1
feat: integrate openID auth logic and user profile management (#1381)
This change introduces OpenID authn by using providers such as Github,
Gitlab, Google and Dex.
User sessions are now used for web clients to identify
and persist an authenticated user's session, thus not requiring every request to
use credentials.
Another change is the API key feature: users can create/revoke their API keys and use them
to authenticate when using CLI clients such as skopeo.

eg:
login:
/auth/login?provider=github
/auth/login?provider=gitlab
and so on

logout:
/auth/logout

redirectURL:
/auth/callback/github
/auth/callback/gitlab
and so on

If network policy doesn't allow inbound connections, this callback won't work!

For more info, read the documentation added in this commit.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 09:27:10 -07:00


# mgmt

The mgmt component provides an endpoint for configuration management.

The response depends on the user's privileges:

- unauthenticated and authenticated users will get a stripped config
- admins will get the full configuration with passwords hidden (not implemented yet)

| Supported queries | Input | Output | Description |
| --- | --- | --- | --- |
| Get current configuration | None | config json | Get current zot configuration |
| Upload a certificate | certificate | None | Add certificate for verifying notation signatures |
| Upload a public key | public key | None | Add public key for verifying cosign signatures |

## General usage

The mgmt endpoint accepts a `resource` query parameter naming the resource targeted by the request, followed by all other parameters required for that resource. The default value of this query parameter is `config`.

## Get current configuration

### Sample request

```shell
curl http://localhost:8080/v2/_zot/ext/mgmt | jq
```

### Sample response

```json
{
  "distSpecVersion": "1.1.0-dev",
  "binaryType": "-sync-search-scrub-metrics-lint-ui-mgmt",
  "http": {
    "auth": {
      "htpasswd": {},
      "bearer": {
        "realm": "https://auth.myreg.io/auth/token",
        "service": "myauth"
      }
    }
  }
}
```

If ldap or htpasswd is enabled, mgmt will return `{"htpasswd": {}}`, indicating that clients can authenticate with basic auth credentials.

If a key is present under the `auth` key in the mgmt response, that particular authentication method is enabled (the value may be an empty object, as with htpasswd above; presence of the key is what matters).

## Configure zot for verifying signatures

If the resource is signatures, the mgmt endpoint accepts a `tool` query parameter naming the tool that corresponds to the uploaded file, followed by all other parameters required for that tool.

### Upload a certificate

#### Sample request

| Tool | Parameter | Parameter Type | Parameter Description |
| --- | --- | --- | --- |
| notation | truststoreType | string | The type of the truststore. This parameter is optional and its default value is `ca` |
| notation | truststoreName | string | The name of the truststore |

```shell
# The URL is quoted so the shell does not treat '&' as a command separator.
curl --data-binary @certificate.crt -X POST 'http://localhost:8080/v2/_zot/ext/mgmt?resource=signature&tool=notation&truststoreType=ca&truststoreName=newtruststore'
```

As a result of this request, the uploaded file will be stored in the `_notation/truststore/x509/{truststoreType}/{truststoreName}` directory under `$rootDir`, and the `truststores` field of the `_notation/trustpolicy.json` file will be updated.

### Upload a public key

#### Sample request

| Tool | Parameter | Parameter Type | Parameter Description |
| --- | --- | --- | --- |
| cosign | None | | No additional parameters are required |

```shell
# The URL is quoted so the shell does not treat '&' as a command separator.
curl --data-binary @publicKey.pub -X POST 'http://localhost:8080/v2/_zot/ext/mgmt?resource=signature&tool=cosign'
```

As a result of this request, the uploaded file will be stored in the `_cosign` directory under `$rootDir`.