Project

Profile

Help

Story #8068

closed

Enable users/groups to see repositories from the catalog endpoint when they have the required permissions

Added by lmjachky over 1 year ago. Updated over 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
GalaxyNG
Sprint:
Sprint 93
Quarter:

Description

The catalog endpoint (/v2/_catalog) is accessible only by administrators. We would like to enable users/groups to do that as well.

Possible solution:

The token server will permit everyone to access the catalog endpoint. Further checks will be necessary in CatalogView: https://github.com/pulp/pulp_container/blob/0cbe68b4a051a42203f46eb33aafabe80cbb561d/pulp_container/app/registry_api.py#L348-L358. Here, we will filter out repositories that are not viewable by an authenticated user.


Files

dynamicload.patch (1.88 KB) dynamicload.patch lmjachky, 03/02/2021 06:53 PM
guardian-hardcoded.patch (1.25 KB) guardian-hardcoded.patch lmjachky, 03/02/2021 06:53 PM
hardcoded.patch (992 Bytes) hardcoded.patch lmjachky, 03/02/2021 06:53 PM
Actions #1

Updated by ipanova@redhat.com over 1 year ago

  • Sprint/Milestone changed from 2.3.0 to 2.4.0
Actions #2

Updated by ipanova@redhat.com over 1 year ago

  1. The content of this endpoint should not be viewable by Anonymous user
  2. Authed users will see only the repos they have perms for
  3. Admin user will see all registry repos
Actions #3

Updated by ipanova@redhat.com over 1 year ago

  • Tags GalaxyNG added
Actions #4

Updated by lmjachky over 1 year ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky
  • Sprint set to Sprint 91
Actions #5

Updated by lmjachky over 1 year ago

I was not able to finish the work on time; however, I came up with a few solutions that have pros and cons.

I attached some patch files (git diff) to this issue and they have the following significance:

  1. dynamicload.patch - The permissions are loaded from RegistryAccessPolicy that is also used by the token server. This solution may impact the overall performance of the endpoint because it iterates through all repositories within the registry.
  2. hardcoded.patch - Useful only when we will not allow administrators to modify the access policy. It follows the code snippet from https://docs.pulpproject.org/pulpcore/plugins/plugin-writer/concepts/rbac/queryset_scoping.html#manually-implementing-queryset-scoping.
  3. guardian-hardcoded.patch - The simplest way of achieving the same result as in hardcoded.patch. It benefits from https://django-guardian.readthedocs.io/en/stable/api/guardian.mixins.html?highlight=queryset#guardian.mixins.PermissionListMixin.

In every scenario I used the permission pull/pull_containerdistribution. I am not sure whether this should be rather view_containerdistribution.

At the moment, all authenticated users are allowed to access the catalog endpoint (the first bullet point from the previous comment is therefore fulfilled).

Actions #6

Updated by lmjachky over 1 year ago

  • Assignee changed from lmjachky to ipanova@redhat.com
Actions #7

Updated by rchan over 1 year ago

  • Sprint changed from Sprint 91 to Sprint 92
Actions #8

Updated by lmjachky over 1 year ago

  • Assignee changed from ipanova@redhat.com to lmjachky
Actions #9

Updated by pulpbot over 1 year ago

  • Status changed from ASSIGNED to POST
Actions #10

Updated by ipanova@redhat.com over 1 year ago

  • Sprint/Milestone changed from 2.4.0 to 2.5.0
Actions #11

Updated by rchan over 1 year ago

  • Sprint changed from Sprint 92 to Sprint 93

Added by Lubos Mjachky over 1 year ago

Revision 8ca2f0e8

Filter repositories based on assigned permissions

closes #8068

Added by Lubos Mjachky over 1 year ago

Revision 8ca2f0e8

Filter repositories based on assigned permissions

closes #8068

Actions #12

Updated by Anonymous over 1 year ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #13

Updated by pulpbot over 1 year ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF