I'm curious whether people have run their own private cargo registry, and if so, what has your experience been like?
At work, we're thinking of using a custom registry as a way to store user-submitted Rust packages that integrate into our ecosystem, so some of the things we'll want to do are:
Authentication/Authorization - you can't access/see non-public crates that don't belong to you
Search - we'll probably make a domain-specific frontend for increased usability
Webhooks/event streams - we'd want a way of knowing when new crates are published and polling a GitHub repo doesn't sound ideal
Based on the RFCs and existing documentation I don't think it'd be too hard to create our own registry, but there's no need to reinvent the wheel if a perfectly good implementation already exists.
3 Likes
Hi,
you might want to check out JFrog Artifactory. They do have support for serving a cargo registry.
However, be careful with your authorization requirements as cargo does not support downloading and publishing crates from/to a registry that requires authentication as far as I‘m aware. There is RFC in progress but nothing implemented yet and I‘ve no clue what the timings are when this might be available.
Ah, yeah it looks like your only option for auth at the moment is an all-or-nothing approach by doing git auth when cloning the registry repo.
opened 07:22PM - 12 Apr 19 UTC
C-feature-request
A-registries
With the stabilization of alternative registries in Rust 1.34, it's now possible… to connect to an alternative registry to provide an index. Since the alternative registry is a git repo, authentication can be handled in all the normal ways like SSH keypairs, git credential helpers, etc.
However, there doesn't currently seem to be a way to authenticate the downloads of the `.crate` files themselves. Once a download location is pulled from the `"dl"` key in the `config.json` provided by the index, Cargo makes a request to a URL constructed from that key. But as far as I can tell there is no way to inject any authentication information into that request. This means I need to either keep all my private `.crate` artifacts on a local LAN or behind some other security like VPN.
I've thought of a few workaround, but all seem hacky or have security concerns:
* Based on authentication with the initial index provider, inject a long random string into the returned `"dl"` URL that is time-bound and unique per user. This isn't great because it requires modifying the returned index for every user.
* ~Use git+ssh for all crate downloads and rely on keypair auth~ This actually wouldn't work because the download step requires https, http, or file URLs.
* Require a second command that syncs private registry `.crate` files to the local filesystem and then have `config.json` specify a `file://` URL. This isn't good because now syncing dependencies isn't an automatic action on `cargo build`, etc, it's a manual and forgettable step.
I think an ideal solution would extend the usage of a token obtained through `cargo login` to also be sent during crate download requests. This would need to be handled carefully so the token is only sent over secure connections and only to download URLs for the specific registry using the token.
There also seems to be a RFC for adding authentication that is still in the works.
- Feature Name: cargo_alternative_registry_auth
- Start Date: 2021-03-31
- RFC PR: rust-lang/rfcs#3139
- Tracking Issue: rust-lang/rust#0000
# Summary
Enables Cargo to include the authorization token for all API requests, crate downloads and index updates (when using HTTP) by adding a configuration option to `config.json` in the registry index.
# Motivation
Organizations need a way to securely publish and distribute internal Rust crates. The current available methods for private crate distribution are awkward: **git repos** do not work well with `cargo update` for resolving semver-compatible dependencies, and do not support the registry API. **Alternative registries** do not support private access and must be operated behind a firewall, or resort to encoding credentials in URLs.
There are many multi-protocol package managers: Artifactory, AWS CodeArtifact, Azure Artifacts, GitHub Artifacts, Google Artifact Registry, and CloudSmith. However, only CloudSmith and Artifactory support Cargo, and they resort to encoding credentials in the URL or allowing anonymous download of packages. This RFC (especially when combined with the approved http-registry RFC) will make it significantly easier to implement Cargo support on private package managers.
# Guide-level explanation
Alternative registry operators can set a new key `auth-required = true` in the registry's `config.json` file, which will cause Cargo to include the Authorization token for all API requests, crate downloads, and index updates (if over HTTP).
```json
{
"dl": "https://example.com/index/api/v1/crates",
"api": "https://example.com/",
show original
bobbbay
January 28, 2022, 6:19pm
#4
My ideal Rust workflow documents Amos' experience with private registries, in case it helps.
1 Like
system
April 28, 2022, 6:20pm
#5
This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.