Supported Authentication Modes

Anchore Engine Authentication Overview

Anchore Engine supports two ways for users to authenticate to the API: HTTP Basic and Bearer Tokens. HTTP Basic is always supported but Bearer token auth must be explicitly configured to be used.

For production installation, it is recommended to configure bearer tokens as well as hashed password storage in the db to ensure that no clear text password is present anywhere in the system. Because the system uses credentials for internal service-to-service communication, it is required that if hashing passwords is configured that oauth also be enabled to allow inter-service communication using service-generated tokens.

This will require providing a shared secret across all components or a pair of public/private keys. Each service must have exactly the same secret or key-pair present.

Basic Auth

By default, Anchore Engine uses HTTP Basic auth for all internal and external API operations. For production deployments with this mode, it is critical to use HTTPS to secure the communication channel between services and users. See: Configuring HTTPS for setup information.

Example Usage:

[root@4a1b1d9105a8 ~]# curl -v -u admin:foobar http://localhost:8228/v1/accounts
* About to connect() to localhost port 8228 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8228 (#0)
* Server auth using Basic with user 'admin'
> GET /v1/accounts HTTP/1.1
> Authorization: Basic YWRtaW46Zm9vYmFy
> User-Agent: curl/7.29.0
> Host: localhost:8228
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: TwistedWeb/19.2.1
< Date: Wed, 28 Aug 2019 20:18:15 GMT
< Content-Type: application/json
< Content-Length: 195
< 
[
  {
    "created_at": "2019-08-28T07:32:39Z",
    "email": "admin@myanchore",
    "last_updated": "2019-08-28T07:32:39Z",
    "name": "admin",
    "state": "enabled",
    "type": "admin"
  }
]

Bearer Tokens/Oauth

When configured, anchore implements the Oauth2 Password grant flow. Anchore is configured with a default ‘anonymous’ client id that is used to avoid requiring registering specific clients.

Required payload, must be www-form-urlencoded:

grant_type=password
username=<user>
password=<password>
client_id=anonymous

The payload is sent using HTTP POST to the /v1/oauth/token endpoint. The returned token is valid until expiration (typically 1 hour) and is used by sending it in the Authorization header as a bearer token:

Example usage:

root@4a1b1d9105a8 ~]# curl -v -d 'grant_type=password&client_id=anonymous&username=admin&password=foobar' -X POST http://localhost:8228/v1/oauth/token
* About to connect() to localhost port 8228 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8228 (#0)
> POST /v1/oauth/token HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8228
> Accept: */*
> Content-Length: 70
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 70 out of 70 bytes
< HTTP/1.1 200 OK
< Server: TwistedWeb/19.2.1
< Date: Wed, 28 Aug 2019 20:14:32 GMT
< Content-Type: application/json
< Cache-Control: no-store
< Pragma: no-cache
< Content-Length: 332
< 
* Connection #0 to host localhost left intact
{"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhbmNob3JlLWVuZ2luZSIsInN1YiI6IjRhYjQ3NzczOTQ0MjRkM2RiNmY1MTczMzU1ZjE3YTZhIiwiZXhwIjoxNTY3MDI2ODcyLCJpYXQiOjE1NjcwMjMyNzIsImp0aSI6IjFmMzhjOWUwZmQ2YzQyZTJiNWRlZmU2NTU2NGU3MzE5In0.dxpW3k5OFn5_CGD2_GIeJ6KO2hWMVZqh4adoqPj8t7g", "expires_in": 3600, "token_type": "Bearer"}

root@4a1b1d9105a8 ~]# curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhbmNob3JlLWVuZ2luZSIsInN1YiI6IjRhYjQ3NzczOTQ0MjRkM2RiNmY1MTczMzU1ZjE3YTZhIiwiZXhwIjoxNTY3MDI3NTEyLCJpYXQiOjE1NjcwMjM5MTIsImp0aSI6IjMzY2I1NTA1NjU3ZDRkZjBhYzY2MWE5Yjk3NWEyYjJmIn0.nQkkZ17lU_UeWVuVAt2RlLJ-mY935bP6OV3R1fBL_24" http://localhost:8228/v1/account
{
  "created_at": "2019-08-28T07:32:39Z",
  "email": "admin@myanchore",
  "last_updated": "2019-08-28T07:32:39Z",
  "name": "admin",
  "state": "enabled",
  "type": "admin"
}
[root@4a1b1d9105a8 ~]#