Story #8068

Enable users/groups to see repositories from the catalog endpoint when they have the required permissions

Added by lmjachky 9 months ago. Updated 6 months ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: GalaxyNG
Sprint: Sprint 93
Quarter:

Description

The catalog endpoint (/v2/_catalog) is accessible only by administrators. We would like to enable users/groups to do that as well.

Possible solution:

The token server will permit everyone to access the catalog endpoint. Further checks will be necessary in CatalogView: https://github.com/pulp/pulp_container/blob/0cbe68b4a051a42203f46eb33aafabe80cbb561d/pulp_container/app/registry_api.py#L348-L358. Here, we will filter out repositories that are not viewable by an authenticated user.

dynamicload.patch (1.88 KB), lmjachky, 03/02/2021 06:53 PM
guardian-hardcoded.patch (1.25 KB), lmjachky, 03/02/2021 06:53 PM
hardcoded.patch (992 Bytes), lmjachky, 03/02/2021 06:53 PM

Associated revisions

Revision 8ca2f0e8 View on GitHub
Added by Lubos Mjachky 7 months ago

Filter repositories based on assigned permissions

closes #8068

History

#1 Updated by ipanova@redhat.com 9 months ago

  • Sprint/Milestone changed from 2.3.0 to 2.4.0

#2 Updated by ipanova@redhat.com 9 months ago

  1. The content of this endpoint should not be viewable by an anonymous user
  2. Authed users will see only the repos they have perms for
  3. Admin user will see all registry repos

#3 Updated by ipanova@redhat.com 8 months ago

  • Tags GalaxyNG added

#4 Updated by lmjachky 8 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky
  • Sprint set to Sprint 91

#5 Updated by lmjachky 8 months ago

I was not able to finish the work on time; however, I came up with a few solutions that have pros and cons.

I attached some patch files (git diff) to this issue and they have the following significance:

  1. dynamicload.patch - The permissions are loaded from RegistryAccessPolicy that is also used by the token server. This solution may impact the overall performance of the endpoint because it iterates through all repositories within the registry.
  2. hardcoded.patch - Useful only when we will not allow administrators to modify the access policy. It follows the code snippet from https://docs.pulpproject.org/pulpcore/plugins/plugin-writer/concepts/rbac/queryset_scoping.html#manually-implementing-queryset-scoping.
  3. guardian-hardcoded.patch - The simplest way of achieving the same result as in hardcoded.patch. It benefits from https://django-guardian.readthedocs.io/en/stable/api/guardian.mixins.html?highlight=queryset#guardian.mixins.PermissionListMixin.

In every scenario I used the permission pull/pull_containerdistribution. I am not sure whether this should rather be view_containerdistribution.

At the moment, all authenticated users are allowed to access the catalog endpoint (the first bullet point from the previous comment is therefore fulfilled).
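
The three visibility rules from comment #2 and the trade-off raised in comment #5, as an added example that is not part of the issue, its patches, or pulp_container's code: a stand-alone sqlite3 model in which `catalog` filters in one scoped query and `catalog_by_iteration` checks each repository in turn. The schema, function names and sample data are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data: repository, user and group names are made up.
SCHEMA = """
CREATE TABLE distribution (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE membership (username TEXT, grp TEXT);
CREATE TABLE user_perm (username TEXT, dist_id INTEGER);  -- per-object grant
CREATE TABLE group_perm (grp TEXT, dist_id INTEGER);      -- per-object grant
INSERT INTO distribution VALUES (1,'team-a/api'),(2,'team-b/db'),(3,'infra/base');
INSERT INTO membership VALUES ('alice','team-a'),('bob','team-b');
INSERT INTO user_perm VALUES ('alice',3);
INSERT INTO group_perm VALUES ('team-a',1),('team-b',2);
"""
# Repositories granted to the user directly or through one of their groups.
# This is a fixed SQL fragment; caller input only ever enters as bound parameters.
GRANTED = """
SELECT dist_id FROM user_perm WHERE username = :u
UNION
SELECT gp.dist_id FROM group_perm gp
JOIN membership m ON m.grp = gp.grp WHERE m.username = :u
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def catalog(conn, user, is_admin=False):
    """Repository names the caller may list, filtered in a single query."""
    if user is None:       # anonymous callers are rejected outright
        raise PermissionError("authentication required")
    if is_admin:           # administrators see every repository
        sql, args = "SELECT name FROM distribution ORDER BY name", {}
    else:                  # everyone else: only repositories with a grant
        sql = f"SELECT name FROM distribution WHERE id IN ({GRANTED}) ORDER BY name"
        args = {"u": user}
    return [name for (name,) in conn.execute(sql, args)]

def catalog_by_iteration(conn, user):
    """Same result with one permission lookup per repository (N+1 queries)."""
    repos = conn.execute("SELECT id, name FROM distribution ORDER BY name").fetchall()
    check = f"SELECT :d IN ({GRANTED})"
    return [name for dist_id, name in repos
            if conn.execute(check, {"u": user, "d": dist_id}).fetchone()[0]]
```

Both functions return the same list; the scoped version keeps the filter inside the query, so the response never passes through a stage that holds repositories the caller cannot pull.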

#6 Updated by lmjachky 8 months ago

  • Assignee changed from lmjachky to ipanova@redhat.com

#7 Updated by rchan 8 months ago

  • Sprint changed from Sprint 91 to Sprint 92

#8 Updated by lmjachky 7 months ago

  • Assignee changed from ipanova@redhat.com to lmjachky

#9 Updated by pulpbot 7 months ago

  • Status changed from ASSIGNED to POST

#10 Updated by ipanova@redhat.com 7 months ago

  • Sprint/Milestone changed from 2.4.0 to 2.5.0

#11 Updated by rchan 7 months ago

  • Sprint changed from Sprint 92 to Sprint 93

#12 Updated by Anonymous 7 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#13 Updated by pulpbot 6 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
