
Notary token authentication issue #1412

Open
bbdtsof opened this issue Jan 3, 2019 · 7 comments

Comments

@bbdtsof

bbdtsof commented Jan 3, 2019

Hello everyone,

I am struggling to get Notary token authentication to work. I'm using the latest version of the "notary:server" image and for authentication I have deployed the "cesanta/docker_auth:1". Notary's server configuration file looks like the following:

{
	"server": {
		"http_addr": ":5050"
	},
	"trust_service": {
		"type": "remote",
		"hostname": "signerhostname",
		"port": "5151",
		"tls_ca_file": "/cfg/root.crt",
		"key_algorithm": "ecdsa",
		"tls_client_cert": "/cfg/server.crt",
		"tls_client_key": "/cfg/server.key"
	},
	"auth": {
		"type": "token",
		"options": {
			"realm": "https://auth.service.com/auth",
			"service": "notary.test.com",
			"issuer": "auth.service.com",
			"rootcertbundle": "/cfg/auth.crt"
		}
	},
	"storage": {
		"backend": "mysql",
		"db_url": "server@tcp(mysql:3306)/notaryserverdb?parseTime=True"
	},
	"logging": {
		"level": "debug"
	}
} 

And docker_auth configuration looks like this:

# Server settings
server:
  addr: ":5252"

# Token settings
token:
  issuer: "auth.service.com"
  expiration: 300
  certificate: "/cfg/auth.pem"
  key: "/cfg/authkey.pem"

# Authentication method
users:
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfdsereewqlpkooxzjkljUadnkjhfo0imlkmsd"

# Authorization method
acl:
  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."

Notary is working fine when I remove the authentication section from server's configuration file. Same applies for https://auth.service.com/auth - tokens are generated successfully.

When I enable docker content trust, set the "NOTARY_AUTH" env variable with "export NOTARY_AUTH=$(echo "admin:adminpassword" | base64)" and try to do docker push/pull or a simple notary list command it fails with "* fatal: unauthorized: authentication required". In Notary's server log I get:

{"go.version":"go1.10.5","http.request.host":"notary.test.com","http.request.id":"92e77c60-5e08-4288-9c4e-d0f21bf78356","http.request.method":"GET","http.request.remoteaddr":"xxx.xx.xx.xx","http.request.uri":"/v2/","http.request.useragent":"Go-http-client/1.1","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"147.289µs","http.response.status":401,"http.response.written":145,"level":"info","msg":"response completed","time":"2019-01-02T12:48:43Z"}
{"go.version":"go1.10.5","http.request.host":"notary.test.com","http.request.id":"386e4e99-1441-4954-ad9e-80e3a6fa2489","http.request.method":"GET","http.request.remoteaddr":"xxx.xx.xx.xx","http.request.uri":"/v2/","http.request.useragent":"Go-http-client/1.1","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"310.881µs","http.response.status":401,"http.response.written":145,"level":"info","msg":"response completed","time":"2019-01-02T12:48:51Z"}

My first question is does the configuration above look OK?

Also I saw this issue reported some time ago - "#1107" - but it's still not clear to me what exactly the Notary and/or authentication endpoints should look like. I tried both https://notary.test.com/v2 and https://notary.test.com/v2/ and they both fail. The first one returns "you are not authorized to perform this operation: server returned 401." and the second one "unable to reach trust server at this time: 301."

Thank you in advance!

@williamlin-suse

williamlin-suse commented May 14, 2019

I cannot make it work either. But the behavior on my environment is different.
It looks like auth is not really enabled even after I configured it.

However, in your Notary's server configuration file, shouldn't
"realm": "https://auth.service.com/auth"
be
"realm": "https://auth.service.com:5252/auth"?
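A small consistency check, added here as an example and not code from this thread or from the Notary or docker_auth projects, that compares the two config files posted above the way a reader would when chasing a 401: the issuer both sides use, the realm port versus the docker_auth listen address (the point raised just above), and the value that `export NOTARY_AUTH=$(echo "admin:adminpassword" | base64)` actually produces. The sample configs are constructed copies of the ones in the thread; the docker_auth YAML is shown already parsed into a dict.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample configs, modelled on the two files posted in this thread.
NOTARY_SERVER_CFG = json.loads("""{
  "auth": {"type": "token", "options": {
    "realm": "https://auth.service.com/auth",
    "service": "notary.test.com",
    "issuer": "auth.service.com",
    "rootcertbundle": "/cfg/auth.crt"}}}""")
DOCKER_AUTH_CFG = {  # the docker_auth YAML from the thread, already parsed into a dict
    "server": {"addr": ":5252"},
    "token": {"issuer": "auth.service.com", "expiration": 300,
              "certificate": "/cfg/auth.pem", "key": "/cfg/authkey.pem"},
}
# NOTARY_AUTH exactly as `echo "admin:adminpassword" | base64` builds it: echo appends "\n"
NOTARY_AUTH_SAMPLE = base64.b64encode(b"admin:adminpassword\n").decode()


def check_token_auth(notary_cfg, auth_cfg):
    """Return findings for settings that must agree between notary server and docker_auth."""
    findings = []
    auth = notary_cfg.get("auth", {})
    opts = auth.get("options", {})
    if auth.get("type") != "token":
        findings.append("notary auth.type must be 'token' to accept docker_auth tokens")
    for key in ("realm", "service", "issuer", "rootcertbundle"):
        if not opts.get(key):
            findings.append(f"notary auth.options.{key} is missing")
    # notary rejects tokens whose 'iss' claim differs from its configured issuer
    if opts.get("issuer") != auth_cfg["token"]["issuer"]:
        findings.append(f"issuer mismatch: notary expects {opts.get('issuer')!r}, "
                        f"docker_auth signs as {auth_cfg['token']['issuer']!r}")
    # the realm is where clients are sent for a token; it must reach the docker_auth listener
    realm = urlparse(opts.get("realm", ""))
    realm_port = realm.port or (443 if realm.scheme == "https" else 80)
    listen_port = int(auth_cfg["server"]["addr"].rsplit(":", 1)[-1])
    if realm_port != listen_port:
        findings.append(f"realm port {realm_port} differs from docker_auth listen port "
                        f"{listen_port}; only fine if a proxy forwards between them")
    return findings


def decode_notary_auth(value):
    """Decode NOTARY_AUTH (base64 of 'user:password') and flag stray whitespace."""
    raw = base64.b64decode(value).decode()
    user, sep, password = raw.partition(":")
    return {"user": user, "password": password, "well_formed": sep == ":",
            "stray_whitespace": raw != raw.strip()}
```

Run `check_token_auth(NOTARY_SERVER_CFG, DOCKER_AUTH_CFG)` to list the mismatches for the thread's configs, and `decode_notary_auth(NOTARY_AUTH_SAMPLE)` to see that the password carries the newline `echo` appended (use `echo -n` or `printf` if the client does not trim it).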

@sharmapankaj7

Was anyone able to make it work? I am also facing the same issue.

@bbdtsof
Author

bbdtsof commented Mar 30, 2020

Hello @cloud-egl ,

Yes, I was able to get it working. Turns out that when it comes to docker pull/push the credentials from your docker daemon (in simple words, these are the ones that you do docker login with) are "forwarded" to Notary and respectively to the auth service (if you start docker_auth in debug mode you will see it for yourself in the logs). Hence, when it comes to docker pull/push the NOTARY_AUTH value is not taken into account. It is used by the notary administrative client, when you execute stuff like notary list, notary init, notary add, etc.

Best Regards,
Boris

@sharmapankaj7

sharmapankaj7 commented Mar 30, 2020

Hello @bbdtsof ,
Thanks for the reply.

In my case authentication is never enabled even after adding the auth config; it's working without any credentials for notary CLI commands, and docker push is working after adding registry creds. I checked the debug output also and it is not calling docker_auth at any step.

{
        "server": {
                "http_addr": ":4443",
                "tls_key_file": "./notary-server.key",
                "tls_cert_file": "./notary-server.crt"
        },
        "trust_service": {
                "type": "remote",
                "hostname": "notarysigner",
                "port": "7899",
                "tls_ca_file": "./root-ca.crt",
                "key_algorithm": "ecdsa",
                "tls_client_cert": "./notary-server.crt",
                "tls_client_key": "./notary-server.key"
        },
        "logging": {
                "level": "debug"
        },
        "storage": {
                "backend": "memory"
        },
        "auth": {
                "type": "token",
                "options": {
                        "realm": "https://auth.service.com:5001/auth",
                        "service": "notary-server",
                        "issuer": "auth.service.com",
                        "rootcertbundle": "./auth.pem",
                        "autoredirect": true
                }
        }
}


auth.yaml looks like the one below:

# Server settings
server:
  addr: ":5001"
  certificate: "/config/auth.pem"
  key: "/config/authkey.pem"

# Token settings
token:
  issuer: "auth.service.com"
  expiration: 300
  certificate: "/config/auth.pem"
  key: "/config/authkey.pem"

# Authentication method
users:
  "admin":
    password: "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

# Authorization method
acl:
  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."

@bbdtsof
Author

bbdtsof commented Mar 30, 2020

Hi @cloud-egl ,

What about the authentication service itself? Did you make it work? If everything is deployed and configured properly when you hit https://auth.service.com:5001/auth in a browser you should get a credentials prompt, and https://auth.service.com:5001 should return the "auth.service.com" string.

Regards,
Boris

@sharmapankaj7

sharmapankaj7 commented Mar 30, 2020

@bbdtsof,
I am getting the below outputs with curl:

curl https://auth.service.com:5001 --cacert auth.pem ->

auth.service.com

curl https://auth.service.com:5001/auth --cacert auth.pem -> Auth failed.

The token is also generated after passing username:password.

@sharmapankaj7

@bbdtsof ,
I think the auth service is working as expected. Any idea why notary is not going to the auth service, or any specific config file I should check here?
