Story #8101
closed
As a user I can manage access to my push container repositories
Added by ipanova@redhat.com almost 4 years ago. Updated almost 4 years ago.
100%
Description
- When performing podman push to repoA, create 2 groups: RepoAAdmin, RepoACollaborator
- Create permission sets for the groups on creation. Admin has pull/push/delete, Collaborator can pull/push
- Add creator of the repo to the groups
This will enable the creator of the registry repos to later on manage access to his repos by adding/removing users/groups from the RepoAAdmin, RepoACollaborator groups.
Updated by ipanova@redhat.com almost 4 years ago
- Sprint/Milestone changed from 2.4.0 to 2.3.0
Updated by ipanova@redhat.com almost 4 years ago
- Description updated (diff)
- Assignee set to dkliban@redhat.com
Updated by pulpbot almost 4 years ago
- Status changed from NEW to POST
Updated by pulpbot almost 4 years ago
Added by dkliban@redhat.com almost 4 years ago
Updated by dkliban@redhat.com almost 4 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset 9e5d1717d639bee02d5477e1842e27f6b3108457.
Added by dkliban@redhat.com almost 4 years ago
Revision 10e35e58 | View on GitHub
Adds granular permissions for push repositories
The RegistryAccessPolicy is a combination of AccessPolicies for ContainerNamespace, ContainerDistribution, and ContainerPushRepository viewsets.
The default policy requires users to have "container.add_containernamespace" and "container.add_containerdistribution" permissions in order to push a new repository into a new namespace. The permissions also enable a user to use the Pulp API to create a namespace and distribution.
The ContainerNamespaceViewset provides a create_namespace_group() function that can be used to assign permissions to a group of users. The default permission assignment for a namespace creates three groups: Owners, Collaborators, and Consumers.
Namespace Owners get the following permissions:
"container.view_containernamespace",
"container.delete_containernamespace",
"container.namespace_add_containerdistribution",
"container.namespace_delete_containerdistribution",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_push_containerdistribution",
"container.namespace_change_containerdistribution",
"container.namespace_view_containerpushrepository",
"container.namespace_modify_content_containerpushrepository"
Namespace Collaborators get the following permissions:
"container.view_containernamespace",
"container.namespace_add_containerdistribution",
"container.namespace_delete_containerdistribution",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_push_containerdistribution",
"container.namespace_change_containerdistribution",
"container.namespace_view_containerpushrepository",
"container.namespace_modify_content_containerpushrepository"
Namespace Consumers get the following permissions:
"container.view_containernamespace",
"container.namespace_view_containerdistribution",
"container.namespace_pull_containerdistribution",
"container.namespace_view_containerpushrepository",
The ContainerDistributionsViewset provides a create_distribution_group() function that can be used to assign permissions to a group of users. The default permission assignment for a newly created ContainerDistribution consists of three groups: Owners, Collaborators, and Consumers.
ContainerDistribution Owners get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.push_containerdistribution",
"container.delete_containerdistribution",
"container.change_containerdistribution",
"container.view_containerpushrepository",
"container.modify_content_containerpushrepository"
ContainerDistribution Collaborators get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.push_containerdistribution",
"container.view_containerpushrepository",
"container.modify_content_containerpushrepository"
ContainerDistribution Consumers get the following permissions:
"container.view_containerdistribution",
"container.pull_containerdistribution",
"container.view_containerpushrepository",
The ContainerPushRepositoryViewset provides an add_perms_to_distribution_group() function to assign ContainerPushRepository permissions to the groups associated with the ContainerDistribution that serves the specific ContainerPushRepository.
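The default assignments listed in the commit message nest (Consumers within Collaborators within Owners), so a group's permissions can be audited for drift against its role. The sketch below is an added example, not code from pulp_container or the commit: only the permission strings come from the page, while `perms`, `effective_role`, `audit` and the `DRIFTED` sample are hypothetical names constructed for illustration.

```python
# Added example: default group permissions transcribed from the commit message.
def perms(prefix, *names):
    return {f"container.{prefix}{n}" for n in names}

NS_CONSUMERS = {"container.view_containernamespace"} | perms(
    "namespace_", "view_containerdistribution", "pull_containerdistribution",
    "view_containerpushrepository")
NS_COLLABORATORS = NS_CONSUMERS | perms(
    "namespace_", "add_containerdistribution", "delete_containerdistribution",
    "push_containerdistribution", "change_containerdistribution",
    "modify_content_containerpushrepository")
NS_OWNERS = NS_COLLABORATORS | {"container.delete_containernamespace"}

DIST_CONSUMERS = perms("", "view_containerdistribution",
                       "pull_containerdistribution", "view_containerpushrepository")
DIST_COLLABORATORS = DIST_CONSUMERS | perms(
    "", "push_containerdistribution", "modify_content_containerpushrepository")
DIST_OWNERS = DIST_COLLABORATORS | perms(
    "", "delete_containerdistribution", "change_containerdistribution")

ROLE_ORDER = ("consumers", "collaborators", "owners")  # least to most privileged
DEFAULTS = {
    "namespace": dict(zip(ROLE_ORDER, (NS_CONSUMERS, NS_COLLABORATORS, NS_OWNERS))),
    "distribution": dict(zip(ROLE_ORDER, (DIST_CONSUMERS, DIST_COLLABORATORS, DIST_OWNERS))),
}

def effective_role(scope, assigned):
    """Lowest default role whose permissions cover everything assigned."""
    for role in ROLE_ORDER:
        if set(assigned) <= DEFAULTS[scope][role]:
            return role
    return None  # holds a permission outside every default role of this scope

def audit(scope, role, assigned):
    """Report drift of a group's assigned permissions from its role's default."""
    assigned, expected = set(assigned), DEFAULTS[scope][role]
    return {"extra": sorted(assigned - expected),
            "missing": sorted(expected - assigned),
            "effective_role": effective_role(scope, assigned)}

# Constructed sample: a Consumers group that was also granted push.
DRIFTED = DIST_CONSUMERS | {"container.push_containerdistribution"}

if __name__ == "__main__":
    print(audit("distribution", "consumers", DRIFTED))
```

An `effective_role` higher than the group's nominal role, or `None`, marks a group holding more than its default grants.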
Added by dkliban@redhat.com almost 4 years ago
Revision 6d57a188 | View on GitHub
Adds granular permissions for push repositories
Updated by pulpbot almost 4 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Adds granular permissions for push repositories
closes: #8101 https://pulp.plan.io/issues/8101