docker/hub-feedback

Not permitted to update Repository Description using Personal Access Tokens

jmb12686 opened this issue · 8 comments

Problem description

Ability to update Docker Hub repository description (README) is not allowed when using personal access tokens. This significantly impacts the usability of 2FA (2 factor authentication) and degrades the security posture when attempting to automate all aspects of a build and deploy pipeline to Docker Hub. To note: Using Docker Hub automated builds is not an option for me or my organization at this time.

Furthermore, this functionality was allowed for personal access tokens between 1-2 months ago, until recently when I attempted to run an automated CI job to update my repository description. What is the rationale to limit usability of 2FA and personal access tokens? What options are available besides turning off 2FA and/or using Docker Hub automated builds?

Current Error:

➜ LOGIN_PAYLOAD="{\"username\": \"jmb12686\", \"password\": \"REDACTED\"}"
➜ TOKEN=$(curl -s -H "Content-Type: application/json" -X POST -d "${LOGIN_PAYLOAD}" https://hub.docker.com/v2/users/login/ | jq -r .token)
➜ README_FILEPATH=${README_FILEPATH:="./README.md"}
➜ REPO_URL="https://hub.docker.com/v2/repositories/jmb12686/cadvisor/"
➜ curl -v -H "Authorization: JWT ${TOKEN}" -X PATCH --data-urlencode "full_description@${README_FILEPATH}" "${REPO_URL}"
*   Trying 3.92.111.237...
* TCP_NODELAY set
* Connected to hub.docker.com (3.92.111.237) port 443 (#0)
.....truncating curl output......
{"detail": "access to the resource is forbidden with personal access token"}

Security Issues

N/A - Though security is affected due to the requirement now that user credentials (not personal access tokens) are necessary to update the Hub repository description through the API. 2FA must be disabled now too.
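The workflow in the report above, as an added POSIX sh example that is not code from the issue author or from Docker: it performs the same login and PATCH, but quotes the JSON payload (an unquoted `${LOGIN_PAYLOAD}` is word-split on its spaces and curl receives the fragments as extra URLs), takes the password from the environment instead of a shell variable set on the command line (so it does not land in shell history), and recognises the exact `"forbidden with personal access token"` reply so a CI job fails with a clear reason rather than a bare 403. It assumes the `/v2/users/login/` and `/v2/repositories/<namespace>/<repo>/` endpoints and the `detail` field behave as shown in the report; the environment variable names `HUB_USERNAME`, `HUB_PASSWORD`, `HUB_REPO`, `README_FILEPATH` and the `run` argument are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not the issue author's script: update a Docker Hub repository
# description with an explicit check for the personal-access-token refusal.
# Env vars HUB_USERNAME, HUB_PASSWORD, HUB_REPO, README_FILEPATH are assumed
# names for this example; the endpoints are the ones shown in the report.

# Escape backslashes and double quotes so the credential is valid inside a
# JSON string (backslash first, so the quote's escape is not doubled).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the login document without interpolating the raw password into code.
build_login_payload() {
  printf '{"username": "%s", "password": "%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Pull the JWT out of the login response (empty string if absent).
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p'
}

# Classify a Hub API reply by its "detail" field:
#   0 = no error reported, 2 = refused because the credential is a personal
#   access token (the condition in the report), 1 = any other error.
classify_response() {
  case "$1" in
    *'forbidden with personal access token'*) return 2 ;;
    *'"detail"'*)                             return 1 ;;
    *)                                        return 0 ;;
  esac
}

hub_login() {
  payload=$(build_login_payload "$1" "$2")
  # "$payload" is quoted: the JSON contains spaces and word-splitting would
  # hand curl the pieces as separate arguments.
  reply=$(curl -sS -H 'Content-Type: application/json' -X POST \
            --data "$payload" https://hub.docker.com/v2/users/login/)
  extract_token "$reply"
}

update_description() {
  token="$1"; repo="$2"; readme="$3"
  body=$(curl -sS -H "Authorization: JWT ${token}" -X PATCH \
           --data-urlencode "full_description@${readme}" \
           "https://hub.docker.com/v2/repositories/${repo}/")
  rc=0
  classify_response "$body" || rc=$?
  case "$rc" in
    0) echo "description updated for ${repo}" ;;
    2) echo "refused: Hub says this login used a personal access token, and PATs" \
            "are limited to registry push/pull; this step needs an account login" >&2 ;;
    *) echo "Hub API error: ${body}" >&2 ;;
  esac
  return "$rc"
}

main() {
  : "${HUB_USERNAME:?set HUB_USERNAME}" "${HUB_PASSWORD:?set HUB_PASSWORD}" \
    "${HUB_REPO:?set HUB_REPO, e.g. namespace/repo}"
  readme="${README_FILEPATH:-./README.md}"
  token=$(hub_login "$HUB_USERNAME" "$HUB_PASSWORD")
  [ -n "$token" ] || { echo "login failed: no token in response" >&2; return 1; }
  update_description "$token" "$HUB_REPO" "$readme"
}

# Network calls only happen when explicitly requested: sh hub-readme.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `HUB_USERNAME=... HUB_PASSWORD=... HUB_REPO=namespace/repo sh hub-readme.sh run` from a CI step whose secret store populates the two credential variables; exit status 2 is reserved for the PAT refusal so the pipeline can distinguish "token type not permitted" from "bad credentials" or a transport error.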

This is intentional. Personal access tokens (for now) are only meant to access hub registry (docker push|pull) primarily for CI use-case. We deliberately do not allow all API access. Otherwise it defeats the purpose of having 2FA if everything can be accessed via token without second factor. Longer term we do plan to add scopes to tokens to allow other APIs.

Also please note that Hub APIs (while easy to decipher from the browser) are not officially supported. We do realize a lot of people use it anyway and will work towards officially supporting it by providing documentation.

Furthermore, this functionality was allowed for personal access tokens between 1-2 months ago

This was a mistake. We never intended to roll out with full API access. We've since disabled it.

@manishtomar Thank you for clarifying. However, I strongly feel that CI use-cases for updating Docker Hub repository descriptions should be accounted for in your security / access models. Using personal access tokens to push/pull defeats far more purposes of 2FA than updating repository documentation.

In the end, updating a repository documentation by manually logging in, copy, and paste is a sub-optimal experience. Please consider supporting this within the docker cli or via some other official programmatic method.

I agree with @jmb12686. This is especially true for those doing continuous integration and deployment.

@jmb12686 Thank you for the feedback. We will consider it.

mwz commented

I'm also in a similar situation and had updates to the description on dockerhub automated in my CI workflow. Not being able to do this automatically any more is rather inconvenient and a bit annoying tbh. I'm strongly in support of having this capability exposed via a cli or an API call. Thanks for your consideration @manishtomar 👍

So right now I need to disable 2FA to update my descriptions automatically?
Sounds like API Token should be able to be used for the API.

Created roadmap item related to this: docker/roadmap#115. Please consider upvoting if you are interested in it.

It's really unfortunate that docker/roadmap#115, rolled recently, did not address the ability to update descriptions via PAT, when it was created specifically because of this. And now, it's closed too.