Story #8101

As a user I can manage access to my push container repositories

Added by ipanova@redhat.com about 2 months ago. Updated 25 days ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 89
Quarter:

Description

  • When performing podman push to repoA, create 2 groups: RepoAAdmin, RepoACollaborator
  • Create permission sets for the groups on creation. Admin has pull/push/delete, Collaborator can pull/push
  • Add creator of the repo to the groups

This will enable the creator of the registry repos to later manage access to his repos by adding/removing users/groups from the RepoAAdmin and RepoACollaborator groups.

Associated revisions

Revision 9e5d1717
Added by dkliban@redhat.com 29 days ago

Adds granular permissions for push repositories

The RegistryAccessPolicy is a combination of AccessPolicies for ContainerNamespace, ContainerDistribution, and ContainerPushRepository viewsets.

The default policy requires users to have "container.add_containernamespace" and "container.add_containerdistribution" permissions in order to push a new repository into a new namespace. The permissions also enable the user to use the Pulp API to create a namespace and distribution.

The ContainerNamespaceViewset provides a create_namespace_group() function that can be used to assign permissions to a group of users. The default permission assignment for a namespace creates three groups: Owners, Collaborators, and Consumers.

Namespace Owners get the following permissions:

 "container.view_containernamespace",
 "container.delete_containernamespace",
 "container.namespace_add_containerdistribution",
 "container.namespace_delete_containerdistribution",
 "container.namespace_view_containerdistribution",
 "container.namespace_pull_containerdistribution",
 "container.namespace_push_containerdistribution",
 "container.namespace_change_containerdistribution",
 "container.namespace_view_containerpushrepository",
 "container.namespace_modify_content_containerpushrepository"

Namespace Collaborators get the following permissions:

 "container.view_containernamespace",
 "container.namespace_add_containerdistribution",
 "container.namespace_delete_containerdistribution",
 "container.namespace_view_containerdistribution",
 "container.namespace_pull_containerdistribution",
 "container.namespace_push_containerdistribution",
 "container.namespace_change_containerdistribution",
 "container.namespace_view_containerpushrepository",
 "container.namespace_modify_content_containerpushrepository"

Namespace Consumers get the following permissions:

 "container.view_containernamespace",
 "container.namespace_view_containerdistribution",
 "container.namespace_pull_containerdistribution",
 "container.namespace_view_containerpushrepository",

The ContainerDistributionsViewset provides a create_distribution_group() function that can be used to assign permissions to a group of users. The default permission assignment for a newly created ContainerDistribution consists of three groups: Owners, Collaborators, and Consumers.

ContainerDistribution Owners get the following permissions:

 "container.view_containerdistribution",
 "container.pull_containerdistribution",
 "container.push_containerdistribution",
 "container.delete_containerdistribution",
 "container.change_containerdistribution",
 "container.view_containerpushrepository",
 "container.modify_content_containerpushrepository"

ContainerDistribution Collaborators get the following permissions:

 "container.view_containerdistribution",
 "container.pull_containerdistribution",
 "container.push_containerdistribution",
 "container.view_containerpushrepository",
 "container.modify_content_containerpushrepository"

ContainerDistribution Consumers get the following permissions:

 "container.view_containerdistribution",
 "container.pull_containerdistribution",
 "container.view_containerpushrepository",

The ContainerPushRepositoryViewset provides an add_perms_to_distribution_group() function to assign ContainerPushRepository permissions to the groups associated with the ContainerDistribution that serves the specific ContainerPushRepository.

closes: #8101 https://pulp.plan.io/issues/8101
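
The default group permissions from the commit message above, encoded as an added Python example (not code from the pulp_container project) that checks the three roles are nested and lists what only Owners hold. The `can()` rule, under which a `namespace_`-prefixed permission covers objects in that namespace, is an assumption inferred from the permission names.

```python
NS, DIST, REPO = "containernamespace", "containerdistribution", "containerpushrepository"

def perms(prefix, model, actions):
    """Build permission names such as container.namespace_pull_containerdistribution."""
    return {f"container.{prefix}{a}_{model}" for a in actions.split()}

# Default assignments copied from the commit message (namespace level).
NAMESPACE_ROLES = {
    "Owners": perms("", NS, "view delete")
    | perms("namespace_", DIST, "add delete view pull push change")
    | perms("namespace_", REPO, "view modify_content"),
    "Collaborators": perms("", NS, "view")
    | perms("namespace_", DIST, "add delete view pull push change")
    | perms("namespace_", REPO, "view modify_content"),
    "Consumers": perms("", NS, "view")
    | perms("namespace_", DIST, "view pull")
    | perms("namespace_", REPO, "view"),
}
# Default assignments copied from the commit message (distribution level).
DISTRIBUTION_ROLES = {
    "Owners": perms("", DIST, "view pull push delete change")
    | perms("", REPO, "view modify_content"),
    "Collaborators": perms("", DIST, "view pull push")
    | perms("", REPO, "view modify_content"),
    "Consumers": perms("", DIST, "view pull") | perms("", REPO, "view"),
}

def is_nested(roles):
    """True when Consumers <= Collaborators <= Owners as permission sets."""
    return roles["Consumers"] <= roles["Collaborators"] <= roles["Owners"]

def owner_only(roles):
    """Permissions that Owners hold and Collaborators do not."""
    return sorted(roles["Owners"] - roles["Collaborators"])

def can(action, model, dist_groups=(), ns_groups=()):
    """Assumed rule (hypothetical, not from the page): allow when a distribution
    group holds container.<action>_<model> or a namespace group holds
    container.namespace_<action>_<model>."""
    direct = f"container.{action}_{model}"
    inherited = f"container.namespace_{action}_{model}"
    return any(direct in DISTRIBUTION_ROLES[g] for g in dist_groups) or any(
        inherited in NAMESPACE_ROLES[g] for g in ns_groups)

if __name__ == "__main__":
    for name, roles in (("namespace", NAMESPACE_ROLES), ("distribution", DISTRIBUTION_ROLES)):
        print(name, "nested:", is_nested(roles), "owner-only:", owner_only(roles))
```

Under the assumed rule, a namespace Collaborator can delete a distribution while a distribution Collaborator cannot, which matters when choosing the group a user is added to.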

Revision 10e35e58
Added by dkliban@redhat.com 25 days ago

Adds granular permissions for push repositories

Revision 6d57a188
Added by dkliban@redhat.com 25 days ago

Adds granular permissions for push repositories

History

#1 Updated by ipanova@redhat.com about 2 months ago

  • Sprint/Milestone set to 2.4.0

#2 Updated by ipanova@redhat.com about 2 months ago

  • Description updated (diff)

#3 Updated by ipanova@redhat.com about 2 months ago

  • Sprint/Milestone changed from 2.4.0 to 2.3.0

#4 Updated by ipanova@redhat.com about 2 months ago

  • Description updated (diff)
  • Assignee set to dkliban@redhat.com

#5 Updated by pulpbot about 2 months ago

  • Status changed from NEW to POST

#7 Updated by ipanova@redhat.com about 1 month ago

  • Sprint set to Sprint 88

#8 Updated by rchan about 1 month ago

  • Sprint changed from Sprint 88 to Sprint 89

#9 Updated by dkliban@redhat.com 29 days ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#10 Updated by pulpbot 25 days ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
