Docker Community Forums


Cannot get Notary token authentication to work



Hello everyone,

I am struggling to get Notary token authentication to work. I’m using the latest version of the official Notary server image - “notary:server” and for authentication I have deployed the “cesanta/docker_auth:1”. Notary’s server config file looks like the following:

{
	"server": {
		"http_addr": ":5050"
	},
	"trust_service": {
		"type": "remote",
		"hostname": "signerhostname",
		"port": "5151",
		"tls_ca_file": "/cfg/root.crt",
		"key_algorithm": "ecdsa",
		"tls_client_cert": "/cfg/server.crt",
		"tls_client_key": "/cfg/server.key"
	},
	"auth": {
		"type": "token",
		"options": {
			"realm": "https://auth.service.com/auth",
			"service": "notary.test.com",
			"issuer": "auth.service.com",
			"rootcertbundle": "/cfg/auth.crt"
		}
	},
	"storage": {
		"backend": "mysql",
		"db_url": "server@tcp(mysql:3306)/serverhostname?parseTime=True"
	},
	"logging": {
		"level": "debug"
	}
}

And docker_auth config looks like this:

# Server settings
server:
  addr: ":5252"

# Token settings
token:
  issuer: "auth.service.com"
  expiration: 300
  certificate: "/cfg/auth.pem"
  key: "/cfg/authkey.pem"

# Authentication method
users:
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfdsereewqlpkooxzjkljUadnkjhfo0imlkmsd"

# Authorization method
acl:
  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."

All certificates are issued by a self-signed CA and added as trusted on both machines as well as on the docker client machine that's being used for all the tests.

Notary is working fine when I remove the authentication section from server’s config file.

If I hit https://auth.service.com/auth in a browser I get a login prompt where I can enter my credentials and end up with a successfully generated token. This leads me to believe that everything should be OK with docker_auth’s config.

When I enable docker content trust, set the “NOTARY_AUTH” env variable with “export NOTARY_AUTH=$(echo "admin:adminpassword" | base64)” and try to do docker push/pull or a simple notary list command it fails with “* fatal: unauthorized: authentication required”. That’s the only message that I get even in DEBUG. In Notary’s server log I get:

{"go.version":"go1.10.5","http.request.host":"notary.test.com","http.request.id":"92e77c60-5e08-4288-9c4e-d0f21bf78356","http.request.method":"GET","http.request.remoteaddr":"xxx.xx.xx.xx","http.request.uri":"/v2/","http.request.useragent":"Go-http-client/1.1","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"147.289µs","http.response.status":401,"http.response.written":145,"level":"info","msg":"response completed","time":"2019-01-02T12:48:43Z"}
{"go.version":"go1.10.5","http.request.host":"notary.test.com","http.request.id":"386e4e99-1441-4954-ad9e-80e3a6fa2489","http.request.method":"GET","http.request.remoteaddr":"xxx.xx.xx.xx","http.request.uri":"/v2/","http.request.useragent":"Go-http-client/1.1","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"310.881µs","http.response.status":401,"http.response.written":145,"level":"info","msg":"response completed","time":"2019-01-02T12:48:51Z"}

Any idea what's causing this? Looking at the configuration above, is everything set up correctly or have I missed something?
Another question would be if “cesanta/docker_auth:1” is OK to use with Notary or is there another one that is preferred?

Thank you in advance!
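As an added check that is not part of the post or of either project, the following Python script cross-checks the fields the two config files above share (the notary server rejects a bearer token whose issuer or audience differs from its configured "issuer" and "service") and decodes a NOTARY_AUTH value the way the notary client does (base64 of user:password, split at the first colon). The sample dictionaries are constructed from the post's configs, and the function names are hypothetical.

```python
import base64
from typing import Dict, List

# Constructed samples mirroring the two config files in the post, reduced to
# the fields the token handshake compares (hypothetical, not parsed from disk).
NOTARY_AUTH_OPTIONS = {
    "realm": "https://auth.service.com/auth",
    "service": "notary.test.com",
    "issuer": "auth.service.com",
}
DOCKER_AUTH_TOKEN = {"issuer": "auth.service.com", "expiration": 300}


def config_problems(notary_opts: Dict[str, str], token_cfg: Dict[str, object]) -> List[str]:
    """Cross-check notary server 'auth.options' against docker_auth 'token'.
    The server rejects a bearer token whose 'iss' claim differs from its
    configured issuer or whose 'aud' claim differs from 'service', so the
    issuer strings must match exactly and 'service' must be set."""
    problems = []
    if notary_opts.get("issuer") != token_cfg.get("issuer"):
        problems.append("issuer mismatch: notary=%r docker_auth=%r"
                        % (notary_opts.get("issuer"), token_cfg.get("issuer")))
    if not str(notary_opts.get("realm", "")).startswith("https://"):
        problems.append("realm is not an https URL")
    if not notary_opts.get("service"):
        problems.append("service is empty")
    return problems


def credential_problems(notary_auth: str) -> List[str]:
    """Decode NOTARY_AUTH the way the notary client does (base64 of
    'user:password', split on the first ':') and flag values that would
    carry the wrong password to the token server."""
    try:
        raw = base64.b64decode(notary_auth, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ["NOTARY_AUTH is not valid base64"]
    user, sep, password = raw.partition(":")
    problems = []
    if not sep:
        problems.append("no ':' separator between user and password")
    if password != password.rstrip("\r\n"):
        problems.append("password ends with a newline (echo without -n adds one)")
    return problems


def build_notary_auth(user: str, password: str) -> str:
    """Encode NOTARY_AUTH from exact bytes, with no trailing newline."""
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

Run it with the real NOTARY_AUTH value from the client shell to see whether the decoded credential is byte-for-byte what docker_auth expects.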