LDAP users with dots - notification does not work

[dohnto]

Hello, we have a LDAP users, which do have to be escaped when used as a docker namespaces (e.g user f.s), which results in fs.

When I push new docker image to a registry (using docker login -u fs (not f.s - bummer - cannot this be fixed?)), the notification fails and no image can be seen in Portus until crono makes its job.

In the log, I can see:

User Load (0.6ms)  SELECT  `users`.* FROM `users` WHERE `users`.`ldap_name` = 'fs' LIMIT 1
Cannot find user fs

I am not sure, whether this error is related with the notification error, but might.

[mssola]

Theoretically, you can login with f.s. What won't be accepted is that your namespace is f.s. But, if I'm not wrong, you should be able to log in with f.s and push your image (from the top of my head, I'd have to check :P).

[mssola]

See in the documentation:

The real LDAP name is only used for authentication (both in Portus, and in the Docker CLI).

[dohnto]

The real LDAP name is only used for authentication (both in Portus, and in the Docker CLI).

Ok I see, I can use my LDAP name in Docker CLI BUT only with LDAP password, not with token.

But still I encounter this error:

# my LDAP name is first.second
# I am using firstsecond so I can use token
$ docker login -u firstsecond -p 9Dmabxjkma7nXHNZRBeK -e my@email.com registry.dev
$ docker push registry.dev/my_image:stable
$ docker logs -f portus_web_1
...
Started GET "/v2/token?account=portus&scope=repository%3Amy_image%3Apull&service=registry.dev" for 172.17.0.1 at 2016-02-15 15:40:08 +0100
Cannot render console from 172.17.0.1! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
Processing by Api::V2::TokensController#show as JSON
  Parameters: {"account"=>"portus", "scope"=>"repository:my_image:pull", "service"=>"registry.dev"}
  User Load (0.6ms)  SELECT  `users`.* FROM `users` WHERE `users`.`username` = 'portus' LIMIT 1
  ApplicationToken Load (0.3ms)  SELECT `application_tokens`.* FROM `application_tokens` WHERE `application_tokens`.`user_id` = 1
  Registry Load (0.3ms)  SELECT  `registries`.* FROM `registries` WHERE `registries`.`hostname` = 'registry.dev' LIMIT 1
  Namespace Load (0.3ms)  SELECT  `namespaces`.* FROM `namespaces` WHERE `namespaces`.`registry_id` = 1 AND `namespaces`.`global` = 1 LIMIT 1
  User Load (0.4ms)  SELECT  `users`.* FROM `users` WHERE `users`.`username` = 'portus'  ORDER BY `users`.`id` ASC LIMIT 1
   (0.3ms)  BEGIN
  SQL (0.3ms)  UPDATE `users` SET `current_sign_in_at` = '2016-02-15 14:40:08', `sign_in_count` = 1261, `updated_at` = '2016-02-15 14:40:08' WHERE `users`.`id` = 1
   (0.9ms)  COMMIT
[jwt_token] [claim] {:iss=>"registry.dev", :sub=>"portus", :aud=>"registry.dev", :iat=>1455547208, :nbf=>1455547203, :exp=>1455547508, :jti=>"euwd1hLyvrtvqXKgjEBhVrAA8FtBZ76w4W7Cng8Goe", :access=>[{:type=>"repository", :name=>"my_image", :actions=>["pull"]}]}
Completed 200 OK in 110ms (Views: 0.2ms | ActiveRecord: 3.4ms)
[100] 172.17.0.4 - - [15/Feb/2016:15:40:08 +0100] "GET /v2/token?account=portus&scope=repository%3Amy_image%3Apull&service=registry.dev HTTP/1.0" 200 - 0.1164
  User Load (0.6ms)  SELECT  `users`.* FROM `users` WHERE `users`.`ldap_name` = 'firstsecond' LIMIT 1
Cannot find user firstsecond
Completed 202 Accepted in 316ms (ActiveRecord: 1.1ms)
[92] 172.17.0.2 - - [15/Feb/2016:15:40:08 +0100] "POST /v2/webhooks/events HTTP/1.0" 202 - 0.3225
...

Note the Cannot find user firstsecond (my LDAP name is first.second !) therefore the webhook event from registry does not pass no my_image cannot be seen in Portus web.

I am not sure, If i explain the situation correctly, feel free to ask more questions :)

[mssola]

Could you pass me the logs when you try to perform:

$ docker login -u first.second -p 9Dmabxjkma7nXHNZRBeK -e my@email.com registry.dev

Note that I'm using the ldap name.

[dohnto]

Started GET "/v2/token?account=first.second&service=registry.dev" for 172.17.0.1 at 2016-02-15 16:30:47 +0100
Cannot render console from 172.17.0.1! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
Processing by Api::V2::TokensController#show as JSON
  Parameters: {"account"=>"first.second", "service"=>"registry.dev"}
  User Load (0.6ms)  SELECT  `users`.* FROM `users` WHERE `users`.`username` = 'first.second' LIMIT 1
  Registry Load (0.3ms)  SELECT  `registries`.* FROM `registries` WHERE `registries`.`hostname` = 'registry.dev' LIMIT 1
Completed 401 Unauthorized in 94ms (ActiveRecord: 1.0ms)
[100] 10.0.133.218 - - [15/Feb/2016:16:30:47 +0100] "GET /unauthenticated?account=first.second&service=registry.dev HTTP/1.0" 401 - 0.1015

[mssola]

That's the error really. The thing is that when logging in you have to use your ldap name, so in your case first.second. The error you were having before is that it was trying to find the user with ldap_name but you provided through login the user name. So, there are two main things here:

1. BUG: for some reason the combo ldap_name and application token is not working.
2. Maybe we should be more flexible, and in LDAP allow both the ldap_name and the username. This way we would avoid the confusion about ldap_name vs username.

@flavio @dohnto what do you think ?

[dohnto]

1. This must be fixed :)
2. What about disabling username for Docker CLI login when LDAP is enabled? It would be schizophrenic to use only first.second on the Portus web but firstsecond or even both first.second and firstsecond in Docker CLI.

But this is my 'user' point of view, I don't know the implementation details (LDAP names and usernames collisions etc).

[dohnto]

I actually don't see a point in having separated ldap_name and username, is this really necessary? Couldn't there be just username and potentially a namespace if ldap_name doesn't meet some criteria (namespace = strip(username)), otherwise namespace = username.

[mssola]

This must be fixed :)

Yeah, the question was for the second point :D

What about disabling username for Docker CLI login when LDAP is enabled? It would be schizophrenic to use only first.second on the Portus web but firstsecond or even both first.second and firstsecond in Docker CLI.

That actually makes sense. We could forbid username everywhere for LDAP users if this makes more sense. We could also reflect that visually (e.g. when listing users). This has thing has also been requested before by the way.

The main point against all this is that the personal namespace must be the same as the username. This is because the restriction of docker names. Because of this, it might be confusing that the username that you are using is first.second, but your personal namespace is firstsecond. That's why I suggested the middle-ground of allowing both (but, as you said, this can also be confusing :D).

[mssola]

I actually don't see a point in having separated ldap_name and username, is this really necessary? Couldn't there be just username and potentially a namespace if ldap_name doesn't meet some criteria (username = strip(username)), otherwise namespace = username.

But the separation still remains right ? You need a column for the real name (ldap_name in this case), and the stripped username in case the ldap_name is invalid, so it can be used to identify your personal namespace. So, maybe the names of the columns being used are not that obvious, but they in the end reflect the same idea.

That being said, maybe what you are proposing is more elegant because in your way you'd have a username which is the one to be used always, and the namespace, which would identify the personal namespace of the user (which would've been stripped on creation time). This way we would avoid some if LDAP.enabled? in the code, and some bugs in the future possibly. I'll take a look into this, but if we change it, we should also provide an "upgrade" task for this specific case.

[dohnto]

I agree that it is more less the same thing, but username + namespace is more transparent than username + ldap_name.

Also it would probably solve all small issues (from my point of view) with mentioning username / ldap_name:

• In dashboard: firstsecond created a token for the "test" application
• In the top-right, I can see my username firstsecond
• in admin/users, there is also firstsecond, etc.

[mssola]

Yes, makes sense. I've created the issue #736 for this ;)