toolshed/docker-cli
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #20107 from calavera/client_auth_store

Browse Source 
Client credentials store.
Upstream-commit: 29ce086e38384c54f6f2d8f09578a75c4c9d9593
Component: engine
This commit is contained in:
Sebastiaan van Stijn
2016-02-29 22:31:34 +01:00
parent 017161a4fc 8a7585ce8e
commit 2180969e3a
20 changed files with 888 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
components/engine/docs/reference/commandline/login.md
View File

@ -38,3 +38,77 @@ credentials. When you log in, the command stores encoded credentials in
> **Note**: When running `sudo docker login` credentials are saved in `/root/.docker/config.json`.
>
## Credentials store
The Docker Engine can keep user credentials in an external credentials store,
such as the native keychain of the operating system. Using an external store
is more secure than storing credentials in the Docker configuration file.
To use a credentials store, you need an external helper program to interact
with a specific keychain or external store. Docker requires the helper
program to be in the client's host `$PATH`.
This is the list of currently available credentials helpers and where
you can download them from:
- Apple OS X keychain: https://github.com/docker/docker-credential-helpers/releases
- Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases
### Usage
You need to speficy the credentials store in `HOME/.docker/config.json`
to tell the docker engine to use it:
```json
{
"credsStore": "osxkeychain"
}
```
If you are currently logged in, run `docker logout` to remove
the credentials from the file and run `docker login` again.
### Protocol
Credential helpers can be any program or script that follows a very simple protocol.
This protocol is heavily inspired by Git, but it differs in the information shared.
The helpers always use the first argument in the command to identify the action.
There are only three possible values for that argument: `store`, `get`, and `erase`.
The `store` command takes a JSON payload from the standard input. That payload carries
the server address, to identify the credential, the user name and the password.
This is an example of that payload:
```json
{
"ServerURL": "https://index.docker.io/v1",
"Username": "david",
"Password": "passw0rd1"
}
```
The `store` command can write error messages to `STDOUT` that the docker engine
will show if there was an issue.
The `get` command takes a string payload from the standard input. That payload carries
the server address that the docker engine needs credentials for. This is
an example of that payload: `https://index.docker.io/v1`.
The `get` command writes a JSON payload to `STDOUT`. Docker reads the user name
and password from this payload:
```json
{
"Username": "david",
"Password": "passw0rd1"
}
```
The `erase` command takes a string payload from `STDIN`. That payload carries
the server address that the docker engine wants to remove credentials for. This is
an example of that payload: `https://index.docker.io/v1`.
The `erase` command can write error messages to `STDOUT` that the docker engine
will show if there was an issue.