-
Notifications
You must be signed in to change notification settings - Fork 470
LDAP users with dots - notification does not work #732
Comments
Theoretically, you can login with |
See in the documentation:
|
Ok I see, I can use my LDAP name in Docker CLI BUT only with LDAP password, not with token. But still I encounter this error: # my LDAP name is first.second
# I am using firstsecond so I can use token
$ docker login -u firstsecond -p 9Dmabxjkma7nXHNZRBeK -e my@email.com registry.dev
$ docker push registry.dev/my_image:stable
$ docker logs -f portus_web_1
...
Started GET "/v2/token?account=portus&scope=repository%3Amy_image%3Apull&service=registry.dev" for 172.17.0.1 at 2016-02-15 15:40:08 +0100
Cannot render console from 172.17.0.1! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
Processing by Api::V2::TokensController#show as JSON
Parameters: {"account"=>"portus", "scope"=>"repository:my_image:pull", "service"=>"registry.dev"}
User Load (0.6ms) SELECT `users`.* FROM `users` WHERE `users`.`username` = 'portus' LIMIT 1
ApplicationToken Load (0.3ms) SELECT `application_tokens`.* FROM `application_tokens` WHERE `application_tokens`.`user_id` = 1
Registry Load (0.3ms) SELECT `registries`.* FROM `registries` WHERE `registries`.`hostname` = 'registry.dev' LIMIT 1
Namespace Load (0.3ms) SELECT `namespaces`.* FROM `namespaces` WHERE `namespaces`.`registry_id` = 1 AND `namespaces`.`global` = 1 LIMIT 1
User Load (0.4ms) SELECT `users`.* FROM `users` WHERE `users`.`username` = 'portus' ORDER BY `users`.`id` ASC LIMIT 1
(0.3ms) BEGIN
SQL (0.3ms) UPDATE `users` SET `current_sign_in_at` = '2016-02-15 14:40:08', `sign_in_count` = 1261, `updated_at` = '2016-02-15 14:40:08' WHERE `users`.`id` = 1
(0.9ms) COMMIT
[jwt_token] [claim] {:iss=>"registry.dev", :sub=>"portus", :aud=>"registry.dev", :iat=>1455547208, :nbf=>1455547203, :exp=>1455547508, :jti=>"euwd1hLyvrtvqXKgjEBhVrAA8FtBZ76w4W7Cng8Goe", :access=>[{:type=>"repository", :name=>"my_image", :actions=>["pull"]}]}
Completed 200 OK in 110ms (Views: 0.2ms | ActiveRecord: 3.4ms)
[100] 172.17.0.4 - - [15/Feb/2016:15:40:08 +0100] "GET /v2/token?account=portus&scope=repository%3Amy_image%3Apull&service=registry.dev HTTP/1.0" 200 - 0.1164
User Load (0.6ms) SELECT `users`.* FROM `users` WHERE `users`.`ldap_name` = 'firstsecond' LIMIT 1
Cannot find user firstsecond
Completed 202 Accepted in 316ms (ActiveRecord: 1.1ms)
[92] 172.17.0.2 - - [15/Feb/2016:15:40:08 +0100] "POST /v2/webhooks/events HTTP/1.0" 202 - 0.3225
... Note the Cannot find user firstsecond (my LDAP name is first.second !) therefore the webhook event from registry does not pass no I am not sure, If i explain the situation correctly, feel free to ask more questions :) |
Could you pass me the logs when you try to perform:
Note that I'm using the ldap name. |
Started GET "/v2/token?account=first.second&service=registry.dev" for 172.17.0.1 at 2016-02-15 16:30:47 +0100
Cannot render console from 172.17.0.1! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
Processing by Api::V2::TokensController#show as JSON
Parameters: {"account"=>"first.second", "service"=>"registry.dev"}
User Load (0.6ms) SELECT `users`.* FROM `users` WHERE `users`.`username` = 'first.second' LIMIT 1
Registry Load (0.3ms) SELECT `registries`.* FROM `registries` WHERE `registries`.`hostname` = 'registry.dev' LIMIT 1
Completed 401 Unauthorized in 94ms (ActiveRecord: 1.0ms)
[100] 10.0.133.218 - - [15/Feb/2016:16:30:47 +0100] "GET /unauthenticated?account=first.second&service=registry.dev HTTP/1.0" 401 - 0.1015 |
That's the error really. The thing is that when logging in you have to use your ldap name, so in your case
|
But this is my 'user' point of view, I don't know the implementation details (LDAP names and usernames collisions etc). |
I actually don't see a point in having separated |
Yeah, the question was for the second point :D
That actually makes sense. We could forbid The main point against all this is that the personal namespace must be the same as the |
But the separation still remains right ? You need a column for the real name ( That being said, maybe what you are proposing is more elegant because in your way you'd have a |
I agree that it is more less the same thing, but Also it would probably solve all small issues (from my point of view) with mentioning
|
Yes, makes sense. I've created the issue #736 for this ;) |
This has been done in two steps: 1. First of all I've introduced the `namespace_id` column to the `users` table. This means that from now own there is no mapping from users and their personal namespaces through the `username` column, from now on it's done with a plain SQL foreign key. 2. From the previous step, we get that restricting the username is no longer needed. Instead, the format of the username has been greatly relaxed, so the only concerns are: - It is unique in the DB. - We can produce a namespace for it. If the username is not a valid namespace name, then the resulting namespace will have its name altered so it can be valid. If it cannot be valid, then user creation will fail (which is very unlikely: this only happens in cases like "?" or something like that). Fixes SUSE#732 Fixes SUSE#736 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
This has been done in two steps: 1. First of all I've introduced the `namespace_id` column to the `users` table. This means that from now own there is no mapping from users and their personal namespaces through the `username` column, from now on it's done with a plain SQL foreign key. 2. From the previous step, we get that restricting the username is no longer needed. Instead, the format of the username has been greatly relaxed, so the only concerns are: - It is unique in the DB. - We can produce a namespace for it. If the username is not a valid namespace name, then the resulting namespace will have its name altered so it can be valid. If it cannot be valid, then user creation will fail (which is very unlikely: this only happens in cases like "?" or something like that). Fixes SUSE#732 Fixes SUSE#736 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
This has been done in two steps: 1. First of all I've introduced the `namespace_id` column to the `users` table. This means that from now own there is no mapping from users and their personal namespaces through the `username` column, from now on it's done with a plain SQL foreign key. 2. From the previous step, we get that restricting the username is no longer needed. Instead, the format of the username has been greatly relaxed, so the only concerns are: - It is unique in the DB. - We can produce a namespace for it. If the username is not a valid namespace name, then the resulting namespace will have its name altered so it can be valid. If it cannot be valid, then user creation will fail (which is very unlikely: this only happens in cases like "?" or something like that). Fixes SUSE#732 Fixes SUSE#736 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
This has been done in two steps: 1. First of all I've introduced the `namespace_id` column to the `users` table. This means that from now own there is no mapping from users and their personal namespaces through the `username` column, from now on it's done with a plain SQL foreign key. 2. From the previous step, we get that restricting the username is no longer needed. Instead, the format of the username has been greatly relaxed, so the only concerns are: - It is unique in the DB. - We can produce a namespace for it. If the username is not a valid namespace name, then the resulting namespace will have its name altered so it can be valid. If it cannot be valid, then user creation will fail (which is very unlikely: this only happens in cases like "?" or something like that). Fixes SUSE#732 Fixes SUSE#736 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
This has been done in two steps: 1. First of all I've introduced the `namespace_id` column to the `users` table. This means that from now own there is no mapping from users and their personal namespaces through the `username` column, from now on it's done with a plain SQL foreign key. 2. From the previous step, we get that restricting the username is no longer needed. Instead, the format of the username has been greatly relaxed, so the only concerns are: - It is unique in the DB. - We can produce a namespace for it. If the username is not a valid namespace name, then the resulting namespace will have its name altered so it can be valid. If it cannot be valid, then user creation will fail (which is very unlikely: this only happens in cases like "?" or something like that). Fixes SUSE#732 Fixes SUSE#736 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
This has been done in two steps: 1. First of all I've introduced the `namespace_id` column to the `users` table. This means that from now own there is no mapping from users and their personal namespaces through the `username` column, from now on it's done with a plain SQL foreign key. 2. From the previous step, we get that restricting the username is no longer needed. Instead, the format of the username has been greatly relaxed, so the only concerns are: - It is unique in the DB. - We can produce a namespace for it. If the username is not a valid namespace name, then the resulting namespace will have its name altered so it can be valid. If it cannot be valid, then user creation will fail (which is very unlikely: this only happens in cases like "?" or something like that). Fixes SUSE#732 Fixes SUSE#736 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
Hello, we have a LDAP users, which do have to be escaped when used as a docker namespaces (e.g user
f.s
), which results infs
.When I push new docker image to a registry (using
docker login -u fs
(notf.s
- bummer - cannot this be fixed?)), the notification fails and no image can be seen in Portus until crono makes its job.In the log, I can see:
I am not sure, whether this error is related with the notification error, but might.
The text was updated successfully, but these errors were encountered: