Enable users/groups to see repositories from the catalog endpoint when they have the required permissions
The catalog endpoint (/v2/_catalog) is accessible only by administrators. We would like to enable users/groups to do that as well.
The token server will permit everyone to access the catalog endpoint. Further checks will be necessary in CatalogView: https://github.com/pulp/pulp_container/blob/0cbe68b4a051a42203f46eb33aafabe80cbb561d/pulp_container/app/registry_api.py#L348-L358. Here, we will filter out repositories that are not viewable by an authenticated user.
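As an added sketch (not code from pulp_container or from the attached patches), the filtering step described above, written in plain Python so it runs without Django: `Distribution` and `User` are stand-ins for ContainerDistribution and a Django user, the permission string assumes the `container.` app-label prefix, and the sample distributions are constructed.

```python
from dataclasses import dataclass, field

# Permission named in the issue; the "container." app-label prefix is assumed.
PULL_PERM = "container.pull_containerdistribution"


@dataclass(frozen=True)
class Distribution:
    """Stand-in for a ContainerDistribution: the repository path it serves."""
    base_path: str


@dataclass
class User:
    """Stand-in for a Django user plus constructed permission grants."""
    username: str
    is_superuser: bool = False
    is_authenticated: bool = True
    model_perms: set = field(default_factory=set)     # granted on every object
    object_perms: dict = field(default_factory=dict)  # perm -> set of base_paths

    def has_perm(self, perm, obj=None):
        """Mirror Django's User.has_perm(perm, obj) semantics for this sketch."""
        if self.is_superuser or perm in self.model_perms:
            return True
        return obj is not None and obj.base_path in self.object_perms.get(perm, set())


def visible_repositories(user, distributions):
    """Drop repositories the requesting user may not pull. This is the
    'check every distribution' shape of the dynamicload approach, so the
    cost grows with the number of distributions in the registry."""
    if not user.is_authenticated:
        return []
    return sorted(d.base_path for d in distributions if user.has_perm(PULL_PERM, d))


def catalog_page(user, distributions, n=None, last=None):
    """Apply the /v2/_catalog pagination parameters (n, last) only after
    filtering, so paging can never expose a hidden repository."""
    repos = visible_repositories(user, distributions)
    if last is not None:
        repos = [r for r in repos if r > last]
    if n is not None:
        repos = repos[:n]
    return {"repositories": repos}


# Constructed sample registry content for a stand-alone run.
SAMPLE_DISTRIBUTIONS = [Distribution("team-a/app"), Distribution("team-b/app"), Distribution("public/base")]

if __name__ == "__main__":
    alice = User("alice", object_perms={PULL_PERM: {"team-a/app"}})
    print(catalog_page(alice, SAMPLE_DISTRIBUTIONS))  # only team-a/app
```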
Updated by lmjachky over 1 year ago
- File dynamicload.patch added
- File guardian-hardcoded.patch added
- File hardcoded.patch added
I was not able to finish the work on time; however, I came up with a few solutions that have pros and cons.
I attached some patch files (git diff) to this issue and they have the following significance:
- dynamicload.patch - The permissions are loaded from RegistryAccessPolicy that is also used by the token server. This solution may impact the overall performance of the endpoint because it iterates through all repositories within the registry.
- hardcoded.patch - Useful only when we will not allow administrators to modify the access policy. It follows the code snippet from https://docs.pulpproject.org/pulpcore/plugins/plugin-writer/concepts/rbac/queryset_scoping.html#manually-implementing-queryset-scoping.
- guardian-hardcoded.patch - The simplest way of achieving the same result as in hardcoded.patch. It benefits from https://django-guardian.readthedocs.io/en/stable/api/guardian.mixins.html?highlight=queryset#guardian.mixins.PermissionListMixin.
In every scenario I used the permission pull_containerdistribution. I am not sure whether this should be rather
At the moment, all authenticated users are allowed to access the catalog endpoint (the first bullet point from the previous comment is therefore fulfilled).