Added authentication service for docker registry
This adds a simple authentication service for docker which uses current user credentials to authenticate pulls and pushes.
I have only one concern. Since the .docker/config is unencrypted, and thus the user's password stored there is unencrypted, maybe we should from the start implement a function to generate/provide a separate password just for the purpose of accessing the docker registry?
What do you think @jacobvosmaer @sytses @marin?
cc @marin
mentioned in issue #14717 (closed)
@ayufan Can we just put a big warning somewhere that the password is stored in .docker/config, at least for now? If we provide a separate password we are limiting the usability of this feature.
I thought about this solution:
- We ship it as it is,
- We later allow generating a docker-specific password, and if this password is set you will have to use it.
mentioned in merge request !3738 (closed)
@fh1ch Oh, nice. I was not aware of this :)
@ayufan What about providing a general solution to set different passwords that have limited permissions? For example a specific password that could only be used to clone via HTTP. This would be useful where the user logs in using some external auth provider like OAuth and doesn't have a password.
Google is providing a similar solution, I think they call it App Password. There it is important if you are using two-factor authentication and still want to use your account with non-OAuth-enabled software like, for example, a mail client.
@bachp It's generally a good and wise idea, but it's not tied only to the Docker integration and I think that we should think about it on a much higher level.
What do you think about the above?
These are my plans for how we could enhance the registry integration: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3738#note_4885480.
@bachp That's an awesome idea. Wouldn't it even be possible to handle this via an OAuth token, since they already provide scoping (related to issue #13951 (closed)), limited lifetime and a workflow to refresh and revoke?
I like your implementation. And I also think it's OK to defer the password problem to a later phase. After all the stored password is not only a problem for gitlab.
Did you test this against docker distribution or the old docker registry?
@fh1ch I'm not sure what the best way to provide the password is. It could be an OAuth token I guess. In the Google case they are just generating a random string that you can copy once; after that it's never shown again. If you lose it, just delete the App Password and generate a new one.
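One way to realise the docker-specific password sketched in this thread (a random secret shown only once at creation, usable solely for the registry scope, expiring and revocable), as an added example in Ruby that is not part of this merge request or of GitLab's code. The in-memory store, the "<id>.<secret>" credential format, the scope names and the PBKDF2 parameters are all assumptions made for the illustration:

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical app-password store for registry logins (added example, not GitLab code).
# The plaintext is returned once at issue time; only a salted PBKDF2 digest is kept,
# together with the scopes the password may be used for and an expiry time.
class AppPasswordStore
  Record = Struct.new(:id, :user, :salt, :digest, :scopes, :expires_at, :revoked)

  ITERATIONS = 20_000 # kept low for the demo; production would use a higher count

  # `now` is injectable so expiry can be exercised without sleeping.
  def initialize(now: -> { Time.now })
    @records = {}
    @now = now
  end

  # Returns the one-time plaintext "<id>.<secret>" the user pastes into `docker login`.
  # Nothing recoverable to the plaintext is stored.
  def issue(user, scopes:, ttl_seconds: 30 * 24 * 3600)
    id = SecureRandom.hex(4)
    secret = SecureRandom.urlsafe_base64(24)
    salt = SecureRandom.random_bytes(16)
    @records[id] = Record.new(id, user, salt, derive(salt, secret), scopes,
                              @now.call + ttl_seconds, false)
    "#{id}.#{secret}"
  end

  # Checks the credential presented for a registry token request against the
  # user it was issued to and the scope being requested. Unknown ids and
  # mismatched users are reported identically so existence is not leaked.
  def verify(user, plaintext, required_scope)
    id, secret = plaintext.to_s.split('.', 2)
    rec = @records[id]
    return :unknown unless rec && secret && rec.user == user
    return :revoked if rec.revoked
    return :expired if rec.expires_at <= @now.call
    return :bad_secret unless constant_time_equal?(rec.digest, derive(rec.salt, secret))
    return :scope_denied unless rec.scopes.include?(required_scope)

    :ok
  end

  # Revocation by id (or by the full credential); the record stays so audit
  # trails can still link past logins to it.
  def revoke(plaintext_or_id)
    id = plaintext_or_id.to_s.split('.', 2).first
    rec = @records[id]
    return false unless rec

    rec.revoked = true
    true
  end

  private

  def derive(salt, secret)
    OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, ITERATIONS, 32, 'sha256')
  end

  # Length-checked comparison that does not short-circuit on the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With this shape the registry auth service asks the store for the `registry` scope only, so a leaked .docker/config credential cannot be replayed against the web UI or API, and the user can revoke it without changing their account password.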
mentioned in issue #3299 (closed)
Posting here so I don't forget: at this moment it is not possible to auth if you don't specify scope in registry config.yml. The error is:
error parsing HTTP 400 response body: no error details found in HTTP response body: "{\"message\":\"400 (Bad request) \\\"scope\\\" not given\"}"
Kamil is aware of this and will take a look once he has time.