PAM Authentication
The pam_auth plugin allows users to log in to sregistry using the Unix accounts on the host system.
To enable PAM authentication you must:
- Add pam_auth to the PLUGINS_ENABLED list in shub/settings/config.py
- Uncomment the binds to /etc/shadow and /etc/passwd in docker-compose.yml
- Build the docker image with the build argument ENABLE_PAM set to true
More detailed instructions are below.
Permissions
The rules with respect to user collections still hold true: each user is given push access if they are added to a team or USER_COLLECTIONS is true, and each user will still need to export their token to push. You can read more about roles here, and more about teams to manage groups of people.
Getting Started
This is the detailed walkthrough to set up the PAM Authentication plugin.
First, uncomment "pam_auth" at the bottom of shub/settings/config.py to enable the login option.
PLUGINS_ENABLED = [
    # 'ldap_auth',
    'pam_auth',
    # 'globus',
    # 'saml_auth'
]
Since we need to get access to users from the host, you need to edit docker-compose.yml and uncomment the binds to your host:
uwsgi:
  restart: always
  image: ghcr.io/singularityhub/sregistry
  volumes:
    - .:/code
    - ./static:/var/www/static
    - ./images:/var/www/images
    # uncomment for PAM auth
    #- /etc/passwd:/etc/passwd
    #- /etc/shadow:/etc/shadow
  links:
    - redis
    - db
If you do this, the host's /etc/passwd and /etc/shadow replace the container's own copies, so we lose the user added in the container for nginx! You also need to add the nginx user to your host:
$ sudo addgroup --system nginx
$ sudo adduser --disabled-login --system --home /var/cache/nginx --ingroup nginx nginx
Note that this solution would require restarting the container for changes on the host to take effect (for example, adding new users). If you find a better way to do this, please test and open an issue to add to this documentation.
Finally, you must build the docker image with the build argument ENABLE_PAM set to true:
$ docker build --build-arg ENABLE_PAM=true -t ghcr.io/singularityhub/sregistry .
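The three steps above can be checked before the image is built. The script below is an added example, not part of sregistry: the function names are hypothetical, the sample files are constructed to mirror the snippets on this page, and it assumes the bind lines keep the form shown in the compose file above.

```shell
#!/bin/sh
# Added example (not sregistry code): preflight for the PAM setup steps above.
# Function names are hypothetical; file paths are passed in as arguments.

# Step 1: 'pam_auth' must be an uncommented entry in shub/settings/config.py.
pam_plugin_enabled() {  # $1 = config.py
    grep -Eq "^[[:space:]]*['\"]pam_auth['\"]" "$1"
}

# Step 2: the bind for a host file must be an uncommented list item
# (a trailing mode suffix after a second colon is accepted).
bind_enabled() {  # $1 = compose file, $2 = host path such as /etc/shadow
    grep -Eq "^[[:space:]]*-[[:space:]]*$2:$2([[:space:]]|:|\$)" "$1"
}

# The bind replaces the container's /etc/passwd, so nginx must exist on the host.
nginx_user_present() {  # $1 = passwd file, normally /etc/passwd
    grep -q '^nginx:' "$1"
}

# Runs every check, prints one line per failure, returns the failure count.
pam_preflight() {  # $1 = config.py, $2 = compose file, $3 = passwd file
    failures=0
    pam_plugin_enabled "$1" || { echo "FAIL: pam_auth not enabled in $1"; failures=$((failures + 1)); }
    for f in /etc/passwd /etc/shadow; do
        bind_enabled "$2" "$f" || { echo "FAIL: $f bind missing or commented in $2"; failures=$((failures + 1)); }
    done
    nginx_user_present "$3" || { echo "FAIL: no nginx user in $3"; failures=$((failures + 1)); }
    if [ "$failures" -eq 0 ]; then echo "OK: PAM prerequisites in place"; fi
    return "$failures"
}

# Constructed sample input: plugin enabled, binds still commented, no nginx user.
demo=$(mktemp -d)
printf "PLUGINS_ENABLED = [\n#    'ldap_auth',\n    'pam_auth',\n]\n" > "$demo/config.py"
printf '  volumes:\n    - .:/code\n    #- /etc/passwd:/etc/passwd\n    #- /etc/shadow:/etc/shadow\n' > "$demo/docker-compose.yml"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo/passwd"
pam_preflight "$demo/config.py" "$demo/docker-compose.yml" "$demo/passwd" || echo "$? check(s) failed"
```

On a real checkout, call pam_preflight with shub/settings/config.py, docker-compose.yml and the host's /etc/passwd from the repository root before running docker build.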