[Feature] notation login

[SteveLasker]

The current notation cli supports -u / -p for each command. However, having to provide the username/password for each command is tedious at best.
Alternatively, cli commands provide a notation login -u -p type of experience where the subsequent commands can forgo having to provide the commands each time.

Ideally, this would be provided by the oras-go library, and notation just benefits from that common experience.

• auth should support encrypted storage or usernames and passwords, possibly following the docker encryption story
• not be dependent on the docker client or libraries being installed
• support basic auth flows that use cloud provider tokens for native authentication
• support 2fa cloud provider capabilities

[shizhMSFT]

Current notation CLI has only a very basic auth / credential module. This will eventually be resolved by moving to the oras-go library.

[SteveLasker]

@shizhMSFT will you be able to integrate this into RC1?
Instead of having to set NOTATION_USERNAME and NOTATION_PASSWORD, we can pickup the docker cred store.

[shizhMSFT]

Login functionalities are currently not present in oras-go. Let me estimate if it fits the RC1 plan.

[gokarnm]

@shizhMSFT were you able to look into #170, basic auth with notation sign $IMAGE -u <USERNAME> -p <PASSWORD> seems to be broken, will doing a new release with ORAS integration changes fix this issue?

[shizhMSFT]

Yes, a new release of notation should fix it.

[gokarnm]

Just clarifying, a new release of notation alpha, without any code changes should fix this issue? Some ORAS integration work was done in Jan (#150).

[shizhMSFT]

@binbin-li Could you ack this item as you are working on this?

[binbin-li]

acked

[dtzar]

Other than 2fa - it seems this work is complete and we can close this item out? @binbin-li @SteveLasker
IMO I don't think 2fa is important for now and should be tracked in a separate issue.

[SteveLasker]

If someone has tried the experience, as opposed to reviewing PRs, I'm happy to close.
The 2fa was related to cloud provider specific login scenarios. For instance, you can use az acr login to set the docker credentials for registry operations.
I believe aws has a similar thing, but implemented through a docker plug-in.

I'm not suggesting notation login is vendor/cloud aware of specific 2fa, rather we work with vendor/cloud provider logins, through the docker cred store.