Hello everyone,
I am struggling to get Notary token authentication to work. I’m using the latest version of the official Notary server image - “notary:server” and for authentication I have deployed the “cesanta/docker_auth:1”. Notary’s server config file looks like the following:
    {
      "server": {
        "http_addr": ":5050"
      },
      "trust_service": {
        "type": "remote",
        "hostname": "signerhostname",
        "port": "5151",
        "tls_ca_file": "/cfg/root.crt",
        "key_algorithm": "ecdsa",
        "tls_client_cert": "/cfg/server.crt",
        "tls_client_key": "/cfg/server.key"
      },
      "auth": {
        "type": "token",
        "options": {
          "realm": "https://auth.service.com/auth",
          "service": "notary.test.com",
          "issuer": "auth.service.com",
          "rootcertbundle": "/cfg/auth.crt"
        }
      },
      "storage": {
        "backend": "mysql",
        "db_url": "server@tcp(mysql:3306)/serverhostname?parseTime=True"
      },
      "logging": {
        "level": "debug"
      }
    }
And docker_auth config looks like this:
    # Server settings
    server:
      addr: ":5252"
    # Token settings
    token:
      issuer: "auth.service.com"
      expiration: 300
      certificate: "/cfg/auth.pem"
      key: "/cfg/authkey.pem"
    # Authentication method
    users:
      "admin":
        password: "$2y$05$LO.vzwpWC5LZGqThvEfdsereewqlpkooxzjkljUadnkjhfo0imlkmsd"
    # Authorization method
    acl:
      - match: {account: "admin"}
        actions: ["*"]
        comment: "Admin has full access to everything."
All certificates are issued by a self-signed CA and added as trusted on both machines as well as on the docker client machine that's being used for all the tests.
Notary is working fine when I remove the authentication section from server’s config file.
If I hit https://auth.service.com/auth in a browser I get a login prompt where I can enter my credentials and end up with successfully generated token. This leads me to believe that everything should be OK with docker_auth’s config.
When I enable docker content trust, set the NOTARY_AUTH env variable with `export NOTARY_AUTH=$(echo "admin:adminpassword" | base64)` and try to do docker push/pull or a simple notary list command, it fails with "* fatal: unauthorized: authentication required". That's the only message that I get, even in DEBUG. In Notary's server log I get:
{"go.version":"go1.10.5","http.request.host":"notary.test.com","http.request.id":"92e77c60-5e08-4288-9c4e-d0f21bf78356","http.request.method":"GET","http.request.remoteaddr":"xxx.xx.xx.xx","http.request.uri":"/v2/","http.request.useragent":"Go-http-client/1.1","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"147.289µs","http.response.status":401,"http.response.written":145,"level":"info","msg":"response completed","time":"2019-01-02T12:48:43Z"}
{"go.version":"go1.10.5","http.request.host":"notary.test.com","http.request.id":"386e4e99-1441-4954-ad9e-80e3a6fa2489","http.request.method":"GET","http.request.remoteaddr":"xxx.xx.xx.xx","http.request.uri":"/v2/","http.request.useragent":"Go-http-client/1.1","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"310.881µs","http.response.status":401,"http.response.written":145,"level":"info","msg":"response completed","time":"2019-01-02T12:48:51Z"}
Any idea what's causing this? Looking at the configuration above, is everything set up correctly, or have I missed something?
Another question would be whether "cesanta/docker_auth:1" is OK to use with Notary, or whether there is another one that is preferred?
Thank you in advance!
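One check worth making on the NOTARY_AUTH value before looking further at the server side. This is an added example, not code from the post above or from the Notary or docker_auth projects: `echo` appends a newline to its argument, so `echo "admin:adminpassword" | base64` encodes a 20-byte string ending in `\n`, and a server that decodes the header and compares the password byte-for-byte will see a password that does not match. The functions below build the value both ways and decode a value to report whether a trailing newline crept in. The credential string is the one from the post; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Shows how the choice of
# `echo` versus `printf` changes the NOTARY_AUTH value, and provides a
# check that decodes a value and reports whether its last byte is "\n".

# Build the value the way the post does: echo appends a newline, so the
# encoded credential is "user:pass\n".
make_auth_echo() {
  echo "$1" | base64
}

# Build the value without a trailing newline: printf '%s' emits exactly
# the bytes of its argument.
make_auth_printf() {
  printf '%s' "$1" | base64
}

# Decode a base64 credential and return 0 (true) if the decoded bytes end
# in a newline, 1 (false) otherwise. The last byte is rendered as hex with
# od so that the comparison does not depend on shell newline handling.
auth_has_trailing_newline() {
  auth_last_byte=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$auth_last_byte" = "0a" ]
}

# Stand-alone demonstration with the credential from the post (a constructed
# sample; no real system is contacted).
demo_cred="admin:adminpassword"
via_echo=$(make_auth_echo "$demo_cred")
via_printf=$(make_auth_printf "$demo_cred")
echo "echo   -> $via_echo"
echo "printf -> $via_printf"
if auth_has_trailing_newline "$via_echo"; then
  echo "echo-built value decodes with a trailing newline"
fi
if ! auth_has_trailing_newline "$via_printf"; then
  echo "printf-built value decodes cleanly"
fi
```

Running it prints `YWRtaW46YWRtaW5wYXNzd29yZAo=` for the echo form and `YWRtaW46YWRtaW5wYXNzd29yZA==` for the printf form; the two differ only in the encoded trailing `\n`. If the value currently exported ends in `Cg==` or `o=` the way the first one does, rebuilding it with `printf '%s' "admin:adminpassword" | base64` (or `echo -n` where that is supported) removes one variable from the 401 investigation.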