Skip to content

Comments

notation login CLI#223

Merged
SteveLasker merged 5 commits intomainfrom
issue-119
Jul 12, 2022
Merged

notation login CLI#223
SteveLasker merged 5 commits intomainfrom
issue-119

Conversation

@SteveLasker
Copy link
Contributor

Updates for #119
Signed-off-by: Steve Lasker stevenlasker@hotmail.com

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
@SteveLasker SteveLasker added this to the RC-1 milestone Jul 6, 2022
@SteveLasker SteveLasker requested a review from a team July 6, 2022 00:06
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
@SteveLasker SteveLasker mentioned this pull request Jul 6, 2022
4 tasks
@shizhMSFT
Copy link
Contributor

/cc @binbin-li for comments

Copy link
Contributor

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with suggestions.

Comment on lines 143 to 144
--username value, -u value Username for registry operations
--password value, -p value Password for registry operations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about environment variables associated with -u and -p like NOTATION_USERNAME and NOTATION_PASSWORD?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
--username value, -u value Username for registry operations
--password value, -p value Password for registry operations
--username value, -u value Username for registry authentication
--password value, -p value Password for registry authentication

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also support --password-stdin like docker cli does?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For operations vs. authentication, I was thinking saying authentication was too obvious, and used the more generic, the -u/-p was used for multiple registry operations. If others feel different, I can change to either way.

<server> The registry URL for authentication

GLOBAL ARGUMENTS
--plain-http Registry access via plain HTTP (default: false)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems we only support basic configurations. Will we support more parameters like --insecure and --ca-file as oras?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shizhMSFT, what is --insecure used for, and how common is the usage for --ca-file (I assume provides custom TLS trust store).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--insecure is to skip the TLS cert check. Since notation is security oriented, we should not provide this functionality.

--ca-file is to specify the root CA cert to registry access. See oras-project/oras#217

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shizhMSFT, I was thinking this would be done with the insecure registries option in config.
Does that still exist?
Seems calling --insecure is too tedious. For the scenarios/instances where https isn't supported, such as IOT environments, I just assumed the config would solve the problem and not something that's done ad-hoc requiring the cli to support it.

Copy link
Contributor

@gokarnm gokarnm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with suggestions.

```console
notation login --help
NAME:
notation login - Provides credentials for authenticated registry operations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
notation login - Provides credentials for authenticated registry operations
notation login - Login to a registry with credentials for authenticated registry operations

certificate, cert Manage certificates used for verification
key Manage keys used for signing
list, ls List signatures from remote
login Provide credentials for authenticated registry operations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
login Provide credentials for authenticated registry operations
login Login to a registry with credentials for authenticated registry operations

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Saying login, where the parameter says login feels redundant. I was just trying to find a synonym verb.

Comment on lines 143 to 144
--username value, -u value Username for registry operations
--password value, -p value Password for registry operations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
--username value, -u value Username for registry operations
--password value, -p value Password for registry operations
--username value, -u value Username for registry authentication
--password value, -p value Password for registry authentication

Comment on lines 143 to 144
--username value, -u value Username for registry operations
--password value, -p value Password for registry operations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also support --password-stdin like docker cli does?

<server> The registry URL for authentication

GLOBAL ARGUMENTS
--plain-http Registry access via plain HTTP (default: false)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shizhMSFT, what is --insecure used for, and how common is the usage for --ca-file (I assume provides custom TLS trust store).

…mands

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
@SteveLasker
Copy link
Contributor Author

I've updated the PR to:

  • add $NOTATION_USERNAME, $NOTATION_PASSWORD on notation login
  • Removed -u -p from other commands, streamlinging so users can benefit from existing cred stores, not having to provide -u -p on every command. This is similar to docker push|pull where the user either does docker login, or benefits from a previously configured store.

@binbin-li binbin-li mentioned this pull request Jul 12, 2022
9 tasks
@SteveLasker SteveLasker merged commit 2212d98 into main Jul 12, 2022
@SteveLasker SteveLasker deleted the issue-119 branch July 19, 2022 15:27
7h3-3mp7y-m4n pushed a commit to 7h3-3mp7y-m4n/notation that referenced this pull request Mar 29, 2025
* notation login CLI
* Update to use environment variables and remove -u/-p on all other commands

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants