Story #8101

closed

As a user I can manage access to my push container repositories

Added by ipanova@redhat.com over 3 years ago. Updated about 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
% Done: 100%
Groomed: No
Sprint Candidate: No
Sprint: Sprint 89

Description

  • When performing podman push to repoA, create 2 groups: RepoAAdmin, RepoACollaborator
  • Create permission sets for the groups on creation. Admin has pull/push/delete, Collaborator can pull/push
  • Add creator of the repo to the groups

This will enable the creator of the registry repos to later manage access to his repos by adding/removing users/groups from the RepoAAdmin and RepoACollaborator groups.

Actions #1

Updated by ipanova@redhat.com over 3 years ago

  • Sprint/Milestone set to 2.4.0
Actions #2

Updated by ipanova@redhat.com over 3 years ago

  • Description updated (diff)
Actions #3

Updated by ipanova@redhat.com over 3 years ago

  • Sprint/Milestone changed from 2.4.0 to 2.3.0
Actions #4

Updated by ipanova@redhat.com over 3 years ago

  • Description updated (diff)
  • Assignee set to dkliban@redhat.com
Actions #5

Updated by pulpbot about 3 years ago

  • Status changed from NEW to POST
Actions #7

Updated by ipanova@redhat.com about 3 years ago

  • Sprint set to Sprint 88
Actions #8

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 88 to Sprint 89

Added by dkliban@redhat.com about 3 years ago

Revision 9e5d1717 | View on GitHub

Adds granular permissions for push repositories

The RegistryAccessPolicy is a combination of AccessPolicies for ContainerNamespace, ContainerDistribution, and ContainerPushRepository viewsets.

The default policy requires users to have "container.add_containernamespace" and "container.add_containerdistribution" permissions in order to push a new repository into a new namespace. The permissions also enable the user to use the Pulp API to create a namespace and distribution.

The ContainerNamespaceViewset provides a create_namespace_group() function that can be used to assign permissions to a group of users. The default permission assignment for a namespace creates three groups Owners, Collaborators, and Consumers.

Namespace Owners get the following permissions:

 "container.view_containernamespace",
 "container.delete_containernamespace",
 "container.namespace_add_containerdistribution",
 "container.namespace_delete_containerdistribution",
 "container.namespace_view_containerdistribution",
 "container.namespace_pull_containerdistribution",
 "container.namespace_push_containerdistribution",
 "container.namespace_change_containerdistribution",
 "container.namespace_view_containerpushrepository",
 "container.namespace_modify_content_containerpushrepository"

Namespace Collaborators get the following permissions:

 "container.view_containernamespace",
 "container.namespace_add_containerdistribution",
 "container.namespace_delete_containerdistribution",
 "container.namespace_view_containerdistribution",
 "container.namespace_pull_containerdistribution",
 "container.namespace_push_containerdistribution",
 "container.namespace_change_containerdistribution",
 "container.namespace_view_containerpushrepository",
 "container.namespace_modify_content_containerpushrepository"

Namespace Consumers get the following permissions:

 "container.view_containernamespace",
 "container.namespace_view_containerdistribution",
 "container.namespace_pull_containerdistribution",
 "container.namespace_view_containerpushrepository",

The ContainerDistributionsViewset provides a create_distribution_group() function that can be used to assign permissions to a group of users. The default permission assignment for a newly created ContainerDistribution consists of three groups: Owners, Collaborators, and Consumers.

ContainerDistribution Owners get the following permissions:

 "container.view_containerdistribution",
 "container.pull_containerdistribution",
 "container.push_containerdistribution",
 "container.delete_containerdistribution",
 "container.change_containerdistribution",
 "container.view_containerpushrepository",
 "container.modify_content_containerpushrepository"

ContainerDistribution Collaborators get the following permissions:

 "container.view_containerdistribution",
 "container.pull_containerdistribution",
 "container.push_containerdistribution",
 "container.view_containerpushrepository",
 "container.modify_content_containerpushrepository"

ContainerDistribution Consumers get the following permissions:

 "container.view_containerdistribution",
 "container.pull_containerdistribution",
 "container.view_containerpushrepository",

The ContainerPushRepositoryViewset provides an add_perms_to_distribution_group() function to assign ContainerPushRepository permissions to the groups associated with the ContainerDistribution that serves the specific ContainerPushRepository.

closes: #8101 https://pulp.plan.io/issues/8101
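
The default tiers listed in the commit message above can be checked for least-privilege nesting (Consumers ⊆ Collaborators ⊆ Owners) and for read-only Consumers. This is an added example, not pulp_container code: the dictionary layout and the `action` and `audit` helpers are assumptions, and only the permission codenames come from the commit message.

```python
ORDER = ("Consumers", "Collaborators", "Owners")  # least to most privileged
READ_ONLY = {"view", "pull"}

# Codenames copied from the commit message with the "container." prefix dropped.
# The dict layout and helper names are assumptions of this example.
NAMESPACE = {
    "Consumers": "view_containernamespace namespace_view_containerdistribution "
    "namespace_pull_containerdistribution namespace_view_containerpushrepository",
    "Collaborators": "view_containernamespace namespace_add_containerdistribution "
    "namespace_delete_containerdistribution namespace_view_containerdistribution "
    "namespace_pull_containerdistribution namespace_push_containerdistribution "
    "namespace_change_containerdistribution namespace_view_containerpushrepository "
    "namespace_modify_content_containerpushrepository",
    "Owners": "view_containernamespace delete_containernamespace "
    "namespace_add_containerdistribution namespace_delete_containerdistribution "
    "namespace_view_containerdistribution namespace_pull_containerdistribution "
    "namespace_push_containerdistribution namespace_change_containerdistribution "
    "namespace_view_containerpushrepository "
    "namespace_modify_content_containerpushrepository",
}
DISTRIBUTION = {
    "Consumers": "view_containerdistribution pull_containerdistribution "
    "view_containerpushrepository",
    "Collaborators": "view_containerdistribution pull_containerdistribution "
    "push_containerdistribution view_containerpushrepository "
    "modify_content_containerpushrepository",
    "Owners": "view_containerdistribution pull_containerdistribution "
    "push_containerdistribution delete_containerdistribution "
    "change_containerdistribution view_containerpushrepository "
    "modify_content_containerpushrepository",
}


def action(codename):
    """'namespace_modify_content_containerpushrepository' -> 'modify_content'."""
    return codename.removeprefix("namespace_").rsplit("_", 1)[0]


def audit(spec):
    """Return what each tier adds over the one below; raise if tiers do not nest."""
    tiers = [set(spec[name].split()) for name in ORDER]
    writes = {p for p in tiers[0] if action(p) not in READ_ONLY}
    if writes:
        raise ValueError(f"Consumers hold write permissions: {sorted(writes)}")
    added = {}
    for name, lower, upper in zip(ORDER[1:], tiers, tiers[1:]):
        if not lower <= upper:
            raise ValueError(f"{name} lacks {sorted(lower - upper)}")
        added[name] = sorted(upper - lower)
    return added
```

Running `audit(NAMESPACE)` shows that namespace Owners add only `delete_containernamespace` over Collaborators, while `audit(DISTRIBUTION)` shows that distribution Collaborators cannot delete or change the distribution.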

Actions #9

Updated by dkliban@redhat.com about 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Added by dkliban@redhat.com about 3 years ago

Revision 10e35e58 | View on GitHub

Adds granular permissions for push repositories


Added by dkliban@redhat.com about 3 years ago

Revision 6d57a188 | View on GitHub

Adds granular permissions for push repositories


Actions #10

Updated by pulpbot about 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
