Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve Notation authentication experience #503

Closed
FeynmanZhou opened this issue Jan 9, 2023 · 9 comments
Closed

Improve Notation authentication experience #503

FeynmanZhou opened this issue Jan 9, 2023 · 9 comments
Assignees
@ningziwen
Labels
enhancement New feature or request triage Need to triage
Milestone
1.0.0

Comments

@FeynmanZhou
Copy link
Member

FeynmanZhou commented Jan 9, 2023
edited
Loading

What is the areas you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

Notation has a command notation login to enable authentication with registries. It should allow users to input a username and password from the prompted response when using notation login sample.registry.com.

What solution do you propose?

The expected experience is as follows:

notation login sample.registry.com
Username: xxx
Password: 
Login Succeeded

What alternatives have you considered?

None

Any additional context?

No response
@FeynmanZhou FeynmanZhou added enhancement New feature or request triage Need to triage labels Jan 9, 2023
@FeynmanZhou FeynmanZhou added this to the RC-3 milestone Jan 17, 2023
@FeynmanZhou
Copy link
Member Author

FeynmanZhou commented Jan 29, 2023
edited
Loading

I also detected another problem when using notation login with the flag --password-stdin, it requires users to input the password explicitly but without any correct return. This should be a bug.

cc @JeyJeyGao

@JeyJeyGao
Copy link
Contributor

I also detected another problem when using notation login with the flag --password-stdin, it requires users to input the password explicitly but without any correct return. This should be a bug.

cc @JeyJeyGao

Confirmed the bug.

@duffney
Copy link
Contributor

duffney commented Feb 12, 2023

@FeynmanZhou is it possible to use docker login to authenticate notation to a remote registry? Being able to share that docker login credentials would safe the user from having to authenticate to the same registry twice. Once for the container push and a second time for the signing.

@ningziwen
Copy link
Contributor

ningziwen commented Feb 20, 2023
edited
Loading

docker login or the login in other tools basically store the credentials in a local file by default. For Docker, it is ~/.docker/config.json.

I like the idea of sharing credentials to prevent users authenticating twice. Instead of sharing crednetial only for Docker, how about adding a credential path feature to let users point any config.json locally?

Users can simply put "DockerConfig" keyword in "credStore" in notation config, then notation will use $DOCKER_CONFIG/config.json as the plain test credential store. ($DOCKER_CONFIG is ~/.docker by default but can be overriden by users)

notation login and notation logout still work against whatever the docker-style config.json users point to.

WDYT? I could try to implement this if this sounds good. @FeynmanZhou

@FeynmanZhou
Copy link
Member Author

FeynmanZhou commented Feb 22, 2023
edited
Loading

@ningziwen Thanks for your interest. Yes, I agree with @duffney and your proposal of sharing and reusing the Docker credential store within Notation authentication. If users log in to a registry with docker login, Notation will be able to reuse ~/.docker/config.json to authenticate with that registry without additional configuration. I believe it will simplify the authentication experience.

As this issue is tracking an authentication UX bug in notation login, shall I create a new issue for implementing this proposal above? Then you can pick it up if you are interested.

@ningziwen
Copy link
Contributor

@FeynmanZhou Having a new issue sounds good to me. Thanks!

@ningziwen ningziwen mentioned this issue Feb 23, 2023
Merged
@ningziwen
Copy link
Contributor

Opened a draft PR. I have a question about tests. Appreciated for any help.

@vaninrao10 vaninrao10 modified the milestones: RC-3, RC-4 Mar 1, 2023
@FeynmanZhou FeynmanZhou mentioned this issue Mar 24, 2023
Closed
@toddysm
Copy link
Contributor

toddysm commented Mar 24, 2023

Will the proposed implementation cover improvements in the error messages returned by the CLI as described in notaryproject/notaryproject.dev#156?

@FeynmanZhou FeynmanZhou mentioned this issue Mar 25, 2023
Merged
shizhMSFT pushed a commit that referenced this issue Apr 13, 2023
@ningziwen
feat: Support username and password prompt in login (#566)
14a2d2b 
#503

Added e2e tests. The current unit tests don't have RunE() testing code.
Adding the unit test could lead to lots of refactoring. I'm happy to
help the refactoring and start the unit tests of RunE() but I think it
is better to be in a separated PR. Adding lots of unit test refactoring
could mess up this PR.

TODO: Seems login requires credential helper. Need to install credential
helper as a test step.

Signed-off-by: Ziwen Ning <[email protected]>
@yizha1 yizha1 modified the milestones: RC-4, 1.0.0 Apr 24, 2023
@FeynmanZhou
Copy link
Member Author

@toddysm Yes. The error message improvement will be covered by #600.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ningziwen ningziwen

Labels
enhancement New feature or request triage Need to triage
Projects
Notary Project Planning Board
Status: Done
Milestone
1.0.0
Development

No branches or pull requests
7 participants
@toddysm @duffney @ningziwen @FeynmanZhou @JeyJeyGao @yizha1 @vaninrao10