Authentication via certificates #300
Is there a way to authenticate using docker_auth via client certificates instead of username/password?
All of the information uses a username/password combo instead of client certificates.

Comments

Not possible currently; however, I'm interested if you have an example from another provider, including how to log in w/ docker (or another compatible OCI client), as all I can find is some vague examples w/ nginx.

Currently the docker registry server's config.yml allows you to specify clientcas to give trusted CAs. This allows only clients that have a client certificate in /etc/containers/certs.d/localhost:5000 that is signed by a trusted CA. You can substitute the localhost:5000 with the endpoint of your registry, obviously. This works great, but does not allow the ACLs to be applied. I am using podman 2.2.1, but I know docker has a similar capability. Is there any way to piggyback off of the client certificates in the certs.d subdirectories?

We could retrieve attributes of the client cert and add them to labels so the authz phase could access them.

Is authz the authorization phase, i.e. ACL? Could the CN be treated as the account and O as the group? That is similar to what Kubernetes does with its certificates.

Yes, authz is the authorization / ACL matching phase; authn (authentication) in this case is the TLS handshake.

So, e.g., the CN value will be put into

That sounds good!

The TLS certificate can be accessed via the
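The authn/authz split discussed in the comments above, written out as an added Go example; it is not docker_auth's code and not part of the original thread. An in-memory httptest server stands in for the registry or auth server, with `ClientCAs` plus `tls.RequireAndVerifyClientCert` playing the role of the registry's clientcas setting; the CA and client certificates are constructed at run time; and the CN -> account, O -> "group" label mapping is the one proposed in the thread, assumed here rather than taken from the project. The function names (`identityFromCert`, `mtlsIdentity`, `certTemplate`, `issueCert`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Identity is what the authz (ACL) phase receives once the TLS handshake has
// authenticated the client. CN -> Account and O -> Labels["group"] is the
// mapping proposed in the thread; it is an assumption, not docker_auth's code.
type Identity struct {
	Account string
	Labels  map[string][]string
}

// identityFromCert derives an Identity from an already-verified leaf certificate.
func identityFromCert(c *x509.Certificate) (Identity, error) {
	if c.Subject.CommonName == "" {
		return Identity{}, fmt.Errorf("client certificate has an empty CN")
	}
	return Identity{Account: c.Subject.CommonName, Labels: map[string][]string{"group": c.Subject.Organization}}, nil
}

// certTemplate builds a template for the constructed test PKI. Only leaves get
// the clientAuth EKU, which Go's server-side chain verification checks.
func certTemplate(cn string, orgs []string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	t := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issueCert signs tmpl with parent's key (self-signed when parent is nil) and
// returns the certificate together with its fresh P-256 key.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// mtlsIdentity runs an HTTPS server that accepts only client certificates
// chaining to caCert, connects with clientCert, and returns the Identity the
// handler derived from the peer certificate. A certificate from another CA is
// rejected in the handshake and never reaches the handler: authn is the handshake.
func mtlsIdentity(caCert, clientCert *x509.Certificate, clientKey *ecdsa.PrivateKey) (Identity, error) {
	var got Identity
	var derr error
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handshake already verified the chain; PeerCertificates[0] is the leaf.
		got, derr = identityFromCert(r.TLS.PeerCertificates[0])
	}))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv.TLS = &tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client()
	client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{
		{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey},
	}
	resp, err := client.Get(srv.URL + "/v2/")
	if err != nil {
		return Identity{}, err // the server rejected the client certificate
	}
	resp.Body.Close()
	return got, derr
}

func main() {
	ca, caKey := issueCert(certTemplate("registry-ca", nil, true), nil, nil)
	alice, aliceKey := issueCert(certTemplate("alice", []string{"developers"}, false), ca, caKey)
	id, err := mtlsIdentity(ca, alice, aliceKey)
	fmt.Printf("identity=%+v err=%v\n", id, err)
}
```

The handler only ever sees a certificate that already chained to the trusted CA, so the ACL phase can rely on `Account` and `Labels["group"]` without re-checking signatures. Two checks worth keeping in a real implementation are shown: an empty CN is refused rather than mapped to an empty account, and a leaf signed by a CA outside the pool fails the handshake (Go's verifier also rejects a leaf whose EKU list omits clientAuth), which is the failure mode a registry with clientcas set produces for an unknown client certificate.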