Problem
When TOKEN_AUTH_DISABLED=True, ContainerRegistryApiMixin.authentication_classes returns only [RegistryAuthentication], hardcoding Basic auth as the sole authentication method for all container registry API views.
This ignores any custom authentication backends configured in Django REST Framework's DEFAULT_AUTHENTICATION_CLASSES setting, which means deployments that rely on remote header-based authentication, certificate authentication, or other custom backends cannot use them for container registry operations.
Current code (pulp_container/app/registry_api.py):
@property
def authentication_classes(self):
    if settings.get("TOKEN_AUTH_DISABLED", False):
        return [RegistryAuthentication]
    return [TokenAuthentication]
Proposed fix
Include api_settings.DEFAULT_AUTHENTICATION_CLASSES alongside RegistryAuthentication when token auth is disabled:
from rest_framework.settings import api_settings  # already imported

@property
def authentication_classes(self):
    if settings.get("TOKEN_AUTH_DISABLED", False):
        return [RegistryAuthentication, *api_settings.DEFAULT_AUTHENTICATION_CLASSES]
    return [TokenAuthentication]
RegistryAuthentication remains first for backwards compatibility (it extends BasicAuthentication and handles anonymous requests). The additional classes from DEFAULT_AUTHENTICATION_CLASSES are appended so DRF tries them in order if Basic auth doesn't match.
Use case
Deployments that disable token auth and use a custom authentication backend (e.g., remote header-based auth via a reverse proxy) currently cannot authenticate to the container registry API. They must maintain a downstream patch to add their auth class. This change would let them configure their backend through the standard DRF DEFAULT_AUTHENTICATION_CLASSES setting instead.
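The ordering described under "Proposed fix", as an added example (a simplified pure-Python model of DRF's authenticator loop, not code from the issue, pulp_container or DRF). It shows what a chain of a Basic-style class followed by an appended backend does with each kind of request. `BasicLikeAuth`, `RemoteHeaderAuth`, the `X-Remote-User` header, the sample user and the treatment of empty Basic credentials as anonymous are assumptions made for illustration.

```python
import base64

class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""

USERS = {"alice": "s3cret"}   # constructed sample credentials
ANONYMOUS = "anonymous"

class BasicLikeAuth:
    """Models a BasicAuthentication subclass placed first in the list."""
    def authenticate(self, headers):
        scheme, _, encoded = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return None       # not a Basic request: the next class gets a turn
        user, _, password = base64.b64decode(encoded).decode().partition(":")
        if not user and not password:
            return ANONYMOUS  # assumption: empty credentials mean anonymous
        if USERS.get(user) != password:
            raise AuthenticationFailed("invalid username/password")
        return user

class RemoteHeaderAuth:
    """Hypothetical backend trusting a header injected by a reverse proxy."""
    def authenticate(self, headers):
        return headers.get("X-Remote-User")   # None when the header is absent

def resolve_user(headers, authenticators):
    """First non-None result wins; a raised failure ends the chain, as in DRF.

    DRF authenticators return (user, auth) tuples; only the user is modelled.
    """
    for authenticator in authenticators:
        user = authenticator.authenticate(headers)
        if user is not None:
            return user
    return ANONYMOUS

def basic(user, password):
    """Build a Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

CURRENT_CHAIN = [BasicLikeAuth()]                       # behaviour today
PROPOSED_CHAIN = [BasicLikeAuth(), RemoteHeaderAuth()]  # with appended backend
```

In this model, a request carrying both a Basic header and the proxy header is decided by the Basic class alone, and a failed Basic login is rejected without consulting the appended backend.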