Story #8101
As a user I can manage access to my push container repositories
100%
Description
- When performing podman push to repoA, create 2 groups: RepoAAdmin, RepoACollaborator
- Create permission sets for the groups on creation. Admin has pull/push/delete, Collaborator can pull/push
- Add creator of the repo to the groups
This will enable the creator of the registry repos to later manage access to his repos by adding/removing users/groups from the RepoAAdmin and RepoACollaborator groups.
Associated revisions
Revision 10e35e58
Adds granular permissions for push repositories
The RegistryAccessPolicy is a combination of AccessPolicies for ContainerNamespace, ContainerDistribution, and ContainerPushRepository viewsets.
The default policy requires users to have "container.add_containernamespace" and "container.add_containerdistribution" permissions in order to push a new repository into a new namespace. The permissions also enable the user to use the Pulp API to create a namespace and distribution.
The ContainerNamespaceViewset provides a create_namespace_group() function that can be used to assign permissions to a group of users. The default permission assignment for a namespace creates three groups: Owners, Collaborators, and Consumers.
Namespace Owners get the following permissions:
"container.view_containernamespace",
"container.delete_containernamespace",
"container.namespace_add_containerdistribution",
"container.namespace_delete_containerdistribution",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_push_containerdistribution",
"container.namespace_change_containerdistribution",
"container.namespace_view_containerpushrepository",
"container.namespace_modify_content_containerpushrepository"
Namespace Collaborators get the following permissions:
"container.view_containernamespace",
"container.namespace_add_containerdistribution",
"container.namespace_delete_containerdistribution",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_push_containerdistribution",
"container.namespace_change_containerdistribution",
"container.namespace_view_containerpushrepository",
"container.namespace_modify_content_containerpushrepository"
Namespace Consumers get the following permissions:
"container.view_containernamespace",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_view_containerpushrepository",
The ContainerDistributionsViewset provides a create_distribution_group() function that can be used to assign permissions to a group of users. The default permission assignment for a newly created ContainerDistribution consists of three groups: Owners, Collaborators, and Consumers.
ContainerDistribution Owners get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.push_containerdistribution",
"container.delete_containerdistribution",
"container.change_containerdistribution",
"container.view_containerpushrepository",
"container.modify_content_containerpushrepository"
ContainerDistribution Collaborators get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.push_containerdistribution",
"container.view_containerpushrepository",
"container.modify_content_containerpushrepository"
ContainerDistribution Consumers get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.view_containerpushrepository",
The ContainerPushRepositoryViewset provides an add_perms_to_distribution_group() function to assign ContainerPushRepository permissions to the groups associated with the ContainerDistribution that serves the specific ContainerPushRepository.
Revision 6d57a188
Adds granular permissions for push repositories
The RegistryAccessPolicy is a combination of AccessPolicies for ContainerNamespace, ContainerDistribution, and ContainerPushRepository viewsets.
The default policy requires users to have "container.add_containernamespace" and "container.add_containerdistribution" permissions in order to push a new repository into a new namespace. The permissions also enable the user to use the Pulp API to create a namespace and distribution.
The ContainerNamespaceViewset provides a create_namespace_group() function that can be used to assign permissions to a group of users. The default permission assignment for a namespace creates three groups: Owners, Collaborators, and Consumers.
Namespace Owners get the following permissions:
"container.view_containernamespace",
"container.delete_containernamespace",
"container.namespace_add_containerdistribution",
"container.namespace_delete_containerdistribution",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_push_containerdistribution",
"container.namespace_change_containerdistribution",
"container.namespace_view_containerpushrepository",
"container.namespace_modify_content_containerpushrepository"
Namespace Collaborators get the following permissions:
"container.view_containernamespace",
"container.namespace_add_containerdistribution",
"container.namespace_delete_containerdistribution",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_push_containerdistribution",
"container.namespace_change_containerdistribution",
"container.namespace_view_containerpushrepository",
"container.namespace_modify_content_containerpushrepository"
Namespace Consumers get the following permissions:
"container.view_containernamespace",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_view_containerpushrepository",
The ContainerDistributionsViewset provides a create_distribution_group() function that can be used to assign permissions to a group of users. The default permission assignment for a newly created ContainerDistribution consists of three groups: Owners, Collaborators, and Consumers.
ContainerDistribution Owners get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.push_containerdistribution",
"container.delete_containerdistribution",
"container.change_containerdistribution",
"container.view_containerpushrepository",
"container.modify_content_containerpushrepository"
ContainerDistribution Collaborators get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.push_containerdistribution",
"container.view_containerpushrepository",
"container.modify_content_containerpushrepository"
ContainerDistribution Consumers get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.view_containerpushrepository",
The ContainerPushRepositoryViewset provides an add_perms_to_distribution_group() function to assign ContainerPushRepository permissions to the groups associated with the ContainerDistribution that serves the specific ContainerPushRepository.
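An added example, not part of the commit or of Pulp's code: the default group permission sets listed in the commit message above, encoded as sets so that observed group assignments can be audited for drift from those defaults. The `audit()` helper, the role keys and the `SAMPLE` input are hypothetical and constructed for illustration.

```python
def perms(*codenames):
    """Prefix codenames with the 'container' app label used on the page."""
    return frozenset("container." + c for c in codenames)

# Default sets as listed in the commit message; each tier extends the one below.
NS_CONSUMERS = perms(
    "view_containernamespace", "namespace_view_containerdistribution",
    "namespace_pull_containerdistribution", "namespace_view_containerpushrepository")
NS_COLLABORATORS = NS_CONSUMERS | perms(
    "namespace_add_containerdistribution", "namespace_delete_containerdistribution",
    "namespace_push_containerdistribution", "namespace_change_containerdistribution",
    "namespace_modify_content_containerpushrepository")
NS_OWNERS = NS_COLLABORATORS | perms("delete_containernamespace")

DIST_CONSUMERS = perms(
    "view_containerdistribution", "pull_containerdistribution",
    "view_containerpushrepository")
DIST_COLLABORATORS = DIST_CONSUMERS | perms(
    "push_containerdistribution", "modify_content_containerpushrepository")
DIST_OWNERS = DIST_COLLABORATORS | perms(
    "delete_containerdistribution", "change_containerdistribution")

DEFAULTS = {
    "namespace": {"owners": NS_OWNERS, "collaborators": NS_COLLABORATORS,
                  "consumers": NS_CONSUMERS},
    "distribution": {"owners": DIST_OWNERS, "collaborators": DIST_COLLABORATORS,
                     "consumers": DIST_CONSUMERS},
}

def audit(scope, observed):
    """Compare observed {role: perms} with the defaults; return sorted findings.

    'extra' means the group holds more than its default tier (privilege drift);
    'missing' means a default permission was removed.
    """
    findings = []
    for role, expected in DEFAULTS[scope].items():
        actual = frozenset(observed.get(role, ()))
        findings += [(role, "extra", p) for p in actual - expected]
        findings += [(role, "missing", p) for p in expected - actual]
    return sorted(findings)

# Constructed sample (an assumption): Consumers also hold push, Collaborators lost a view.
SAMPLE = {
    "owners": DIST_OWNERS,
    "collaborators": DIST_COLLABORATORS - perms("view_containerpushrepository"),
    "consumers": DIST_CONSUMERS | perms("push_containerdistribution"),
}

if __name__ == "__main__":
    for finding in audit("distribution", SAMPLE):
        print(finding)
```

The only permission separating namespace Owners from Collaborators is `container.delete_containernamespace`, so any group holding it is effectively an owner of that namespace.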
History
#1
Updated by ipanova@redhat.com about 2 months ago
- Sprint/Milestone set to 2.4.0
#2
Updated by ipanova@redhat.com about 2 months ago
- Description updated (diff)
#3
Updated by ipanova@redhat.com about 2 months ago
- Sprint/Milestone changed from 2.4.0 to 2.3.0
#4
Updated by ipanova@redhat.com about 2 months ago
- Description updated (diff)
- Assignee set to dkliban@redhat.com
#5
Updated by pulpbot about 2 months ago
- Status changed from NEW to POST
#6
Updated by pulpbot about 2 months ago
#7
Updated by ipanova@redhat.com about 1 month ago
- Sprint set to Sprint 88
#8
Updated by rchan about 1 month ago
- Sprint changed from Sprint 88 to Sprint 89
#9
Updated by dkliban@redhat.com 29 days ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset 9e5d1717d639bee02d5477e1842e27f6b3108457.
closes: #8101 https://pulp.plan.io/issues/8101