Story #8068
closed
Enable users/groups to see repositories from the catalog endpoint when they have the required permissions
100%
Description
The catalog endpoint (/v2/_catalog) is accessible only by administrators. We would like to enable users/groups to do that as well.
Possible solution:
The token server will permit everyone to access the catalog endpoint. Further checks will be necessary in CatalogView: https://github.com/pulp/pulp_container/blob/0cbe68b4a051a42203f46eb33aafabe80cbb561d/pulp_container/app/registry_api.py#L348-L358. Here, we will filter out repositories that are not viewable by an authenticated user.
Files
Updated by ipanova@redhat.com over 3 years ago
- Sprint/Milestone changed from 2.3.0 to 2.4.0
Updated by ipanova@redhat.com over 3 years ago
- The content of this endpoint should not be viewable by Anonymous user
- Authed users will see only the repos they have perms for
- Admin user will see all registry repos
Updated by lmjachky about 3 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to lmjachky
- Sprint set to Sprint 91
Updated by lmjachky about 3 years ago
- File dynamicload.patch dynamicload.patch added
- File guardian-hardcoded.patch guardian-hardcoded.patch added
- File hardcoded.patch hardcoded.patch added
I was not able to finish the work on time; however, I came up with a few solutions that have pros and cons.
I attached some patch files (git diff) to this issue and they have the following significance:
- dynamicload.patch - The permissions are loaded from
RegistryAccessPolicythat is also used by the token server. This solution may impact the overall performance of the endpoint because it iterates through all repositories within the registry. - hardcoded.patch - Useful only when we will not allow administrators to modify the access policy. It follows the code snippet from https://docs.pulpproject.org/pulpcore/plugins/plugin-writer/concepts/rbac/queryset_scoping.html#manually-implementing-queryset-scoping.
- guardian-hardcoded.patch - The simplest way of achieving the same result as in hardcoded.patch. It benefits from https://django-guardian.readthedocs.io/en/stable/api/guardian.mixins.html?highlight=queryset#guardian.mixins.PermissionListMixin.
In every scenario I used the permission pull/pull_containerdistribution. I am not sure whether this should be rather view_containerdistribution.
At the moment, all authenticated users are allowed to access the catalog endpoint (the first bullet point from the previous comment is therefore fulfilled).
Updated by lmjachky about 3 years ago
- Assignee changed from lmjachky to ipanova@redhat.com
Updated by lmjachky about 3 years ago
- Assignee changed from ipanova@redhat.com to lmjachky
Updated by pulpbot about 3 years ago
- Status changed from ASSIGNED to POST
Updated by ipanova@redhat.com about 3 years ago
- Sprint/Milestone changed from 2.4.0 to 2.5.0
Added by Lubos Mjachky about 3 years ago
Added by Lubos Mjachky about 3 years ago
Revision 8ca2f0e8 | View on GitHub
Filter repositories based on assigned permissions
closes #8068
Updated by Anonymous about 3 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset 8ca2f0e88462f78c76423cce8af838d8d3676e85.
Updated by pulpbot about 3 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
.
Filter repositories based on assigned permissions
closes #8068