Pull through cache does not allow anonymous image pulls #1623

Closed
PotentialIngenuity opened this issue May 16, 2024 · 7 comments · Fixed by #1659

@PotentialIngenuity

Version
pulp-core: 3.53.0
pulp-container: 2.20.0

Describe the bug

I have a pull-through cache set up and I want to be able to pull images anonymously. It does work if I log in with the admin user.

docker image pull repo.company.com/docker-cache/library/nginx
Using default tag: latest
Error response from daemon: pull access denied for repo.company.com/docker-cache/library/nginx, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
pulp [32c666eb5fa14a41aa680ee5cf657077]: django.request:WARNING: Unauthorized: /v2/
('pulp [32c666eb5fa14a41aa680ee5cf657077]: ::ffff:172.18.0.11 - - [16/May/2024:21:25:06 +0000] "GET /v2/ HTTP/1.0" 401 106 "-" "docker/26.1.1 go/go1.21.9 git-commit/ac2de55 kernel/6.6.26-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/26.1.1 \(darwin\))"',)
pulp [26c54f4270bc4301bb1efd2a74edb075]: django.request:WARNING: Unauthorized: /v2/docker-cache/library/nginx/manifests/latest
('pulp [26c54f4270bc4301bb1efd2a74edb075]: 2001:db8:1::b - - [16/May/2024:21:25:08 +0000] "GET /v2/docker-cache/library/nginx/manifests/latest HTTP/1.0" 401 85 "-" "docker/26.1.1 go/go1.21.9 git-commit/ac2de55 kernel/6.6.26-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/26.1.1 \(darwin\))"',)

Using the admin user

docker login repo.company.com
Username: admin
Password:
Login Succeeded

docker image pull repo.company.com/docker-cache/library/nginx
Using default tag: latest
latest: Pulling from docker-cache/library/nginx
09f376ebb190: Pull complete
a11fc495bafd: Pull complete
933cc8470577: Pull complete
999643392fb7: Pull complete
971bb7f4fb12: Pull complete
45337c09cd57: Pull complete
de3b062c0af7: Pull complete
Digest: sha256:a484819eb60211f5299034ac80f6a681b06f89e65866ce91f356ed7c72af059c
Status: Downloaded newer image for repo.company.com/docker-cache/library/nginx:latest
repo.company.com/docker-cache/library/nginx:latest

Expected behavior
The pull should work without needing to log in.

Additional context
Previous Discussion: https://matrix.to/#/!HWvLQmBGVPfJfTQBAu:matrix.org/$xdzKq3fygVI6w0ginypdtaodaRJhi7Yx6aMTgSowSP0?via=matrix.org&via=ctrl-c.liu.se&via=x9c4.spdns.org

lubosmj (Member) commented May 17, 2024

I can reproduce the behaviour locally. Anonymous tokens do not contain any allowed actions.

{
  "access": [
    {
      "type": "repository",
      "name": "docker-cache/library/busybox",
      "actions": []
    },
    {
      "type": "repository",
      "name": "docker-cache/library/busybox",
      "actions": []
    }
  ],
  "aud": "localhost:5001",
  "exp": 1715940684,
  "iat": 1715940384,
  "iss": "http://localhost:5001/token/",
  "jti": "4abb6f80-096b-4311-9bf3-faa796e6c10d",
  "nbf": 1715940384,
  "sub": ""
}
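
As an added example (not code from this issue or from pulp-container), the following diagnostic decodes the claims of a registry bearer token without verifying it and reports which actions are missing for a given repository. The claims are the anonymous payload quoted above; the token is assembled locally with a placeholder signature because only the claims are inspected, and treating an empty `sub` as "anonymous" is an assumption drawn from that payload.

```python
import base64
import json

# Decoded payload of the anonymous token quoted in the comment above.
ANON_PAYLOAD = {
    "access": [
        {"type": "repository", "name": "docker-cache/library/busybox", "actions": []},
        {"type": "repository", "name": "docker-cache/library/busybox", "actions": []},
    ],
    "aud": "localhost:5001",
    "exp": 1715940684,
    "iat": 1715940384,
    "iss": "http://localhost:5001/token/",
    "jti": "4abb6f80-096b-4311-9bf3-faa796e6c10d",
    "nbf": 1715940384,
    "sub": "",
}


def _b64url(raw: bytes) -> str:
    """Base64url-encode without padding, as compact JWS serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_unsigned_token(payload: dict) -> str:
    """Assemble header.payload.signature from a payload dict.

    The signature is a constructed placeholder: this token is only meant to be
    fed to decode_claims() for inspection, never presented to a registry.
    """
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.signature-placeholder"


def decode_claims(token: str) -> dict:
    """Return the claims of a compact JWS without verifying the signature.

    Suitable for debugging what a registry handed out; an authorization
    decision must still go through full signature verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    body = parts[1]
    body += "=" * (-len(body) % 4)  # restore padding stripped by the encoder
    return json.loads(base64.urlsafe_b64decode(body))


def is_anonymous(claims: dict) -> bool:
    """Assumption: an empty 'sub' marks an anonymous token, as in the payload above."""
    return not claims.get("sub")


def granted_actions(claims: dict, repository: str) -> set:
    """Union of actions granted for one repository across all access entries."""
    actions = set()
    for entry in claims.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repository:
            actions.update(entry.get("actions", []))
    return actions


def missing_actions(claims: dict, repository: str, required=("pull",)) -> list:
    """Actions from `required` that the token does not grant for `repository`."""
    have = granted_actions(claims, repository)
    return [action for action in required if action not in have]


if __name__ == "__main__":
    claims = decode_claims(build_unsigned_token(ANON_PAYLOAD))
    repo = "docker-cache/library/busybox"
    print("anonymous:", is_anonymous(claims))
    print("granted  :", sorted(granted_actions(claims, repo)))
    print("missing  :", missing_actions(claims, repo))
```

Run against the quoted payload, the check reports that `pull` is missing for `docker-cache/library/busybox`, which is exactly the condition that produces the 401 responses in the bug report; a token that does carry `"actions": ["pull"]` for the repository reports nothing missing.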

lubosmj (Member) commented May 17, 2024

The issue is that in the current context, anonymous users are not allowed to create new distributions or access distributions within a specific namespace by default. When you pull an image through a pull-through cache distribution, you are creating a normal distribution in the background. If you pull the image with an admin user first and then with an anonymous user, it works.

I guess we need to revisit how we assign/give permissions during the pull-through caching.

lubosmj (Member) commented May 17, 2024

Okay, after thorough investigation I think I found the root cause of the problem. We are checking the view_distribution permission in the authorization code. The execution ends on this evaluating to False, meaning that a user that does not have permissions to view distributions within a namespace is not able to pull content.

lubosmj (Member) commented May 17, 2024

The open question is if we want to enable anonymous users, logged-in users, or users with valid permissions to pull content via the pull-through distribution. The related issue is one of the examples where if we define a correct permission set for a custom role, a user with that role is allowed to pull content via the pull-through distribution successfully: #1624 (comment).

Are there any security implications of allowing everyone to bloat the caching distribution? We can end up having untrusted anonymous users pulling everything from third-party registries.

@grzleadams

The only user Pulp creates is admin... has any thought been given to creating an internal anonymous or non_authenticated user (or something similar) that roles could be assigned to (but wouldn't actually be authenticated against externally)? Then it would be up to the repository creator to make that decision.

ipanova (Member) commented Jun 7, 2024

Doc with options: https://hackmd.io/a1VPKZKySJCHEHMCZ-qdPA

lubosmj (Member) commented Jun 7, 2024

Decision:

We will not store AnonymousUser in the database.

If the pull-through cache distribution is configured as private=True, no anonymous users should see or pull content through it. The flag will be propagated to distributions created in the background. When private=False, distributions will be public and anonymous users will be able to pull only content that is already locally cached. They will not be able to download the latest content from the remote source.

With RBAC disabled, all (pull-through) distributions are public. Thus, in this case, we would enable anonymous users to pull content through it freely. It will be up to admins to manage the storage size.

Status: Shipped