Permissions
A role is defined by one or more permissions. This section describes the permissions used within the container plugin.
Warning
The concept of managing granular permissions is obsolete. As of release 2.11.0, the plugin uses Roles instead of separate permission classes. To migrate the customized permission classes to roles, follow the instructions shown at Migrating Permissions.
Namespaces
Pulp Container namespaces allow users to reuse repository names under different contexts. The namespace can represent an organization, a team, or any other kind of logical grouping of container repositories. Namespaces provide a naming convention for container repositories. Repositories in the foo namespace are named foo/something and foo/something-else.
The default access policy for pulp_container/namespaces requires a user to have the container.add_containernamespace permission to create a new namespace. Alternatively, a user is allowed to create a namespace that matches their username if it did not exist before. The new namespace can be created by pushing an image using the podman or docker client. The same permissions allow a user of Pulp's API to create a new namespace.
The creation of a new namespace creates three user groups that can access the namespace: Owners, Collaborators, and Consumers. The user that creates the namespace is automatically added to the Owners group.
Namespace Owners
The group name is container.namespace.owners.<namespace name>. This group has the following object permissions for the namespace:
"container.view_containernamespace"
"container.delete_containernamespace"
"container.namespace_add_containerdistribution"
"container.namespace_delete_containerdistribution"
"container.namespace_view_containerdistribution"
"container.namespace_pull_containerdistribution"
"container.namespace_push_containerdistribution"
"container.namespace_change_containerdistribution"
"container.namespace_view_containerpushrepository"
"container.namespace_modify_content_containerpushrepository"
Users in the Owners group have the permissions to add and remove users from all three groups associated with the namespace. They also have the ability to create, update, and delete repositories in the namespace.
In addition to being able to use the podman or docker client to manage repositories, owners can use Pulp's API to add and remove tags in the repositories for the namespace.
Namespace Collaborators
The group name is container.namespace.collaborators.<namespace name>. This group has the following object permissions for the namespace:
"container.view_containernamespace"
"container.namespace_add_containerdistribution"
"container.namespace_delete_containerdistribution"
"container.namespace_view_containerdistribution"
"container.namespace_pull_containerdistribution"
"container.namespace_push_containerdistribution"
"container.namespace_change_containerdistribution"
"container.namespace_view_containerpushrepository"
"container.namespace_modify_content_containerpushrepository"
Users in the Collaborators group can do everything that the owners can, with the exception of deleting the namespace.
Namespace Consumers
The group name is container.namespace.consumers.<namespace name>. This group has the following object permissions for the namespace:
"container.view_containernamespace"
"container.namespace_view_containerdistribution"
"container.namespace_pull_containerdistribution"
"container.namespace_view_containerpushrepository"
Users in the Consumers group can pull from any of the repositories in the namespace. Users should only need to be added to this group if private repositories are being used. If the repository is public, then anyone can pull from the repository.
Distributions
Distributions are Pulp resources that represent URLs where repositories can be consumed. Permissions for accessing specific container repositories are described in terms of permissions to access Container Distributions. Each time a new repository is pushed using podman or docker, a Container Distribution is created. A Container Push Repository is also created. Both of these resources can be accessed using Pulp's API.
The creation of a new distribution creates three user groups that can access the distribution: Owners, Collaborators, and Consumers. The user that creates the distribution is automatically added to the Owners group.
Distribution Owners
The group name is container.distribution.owners.<distribution uuid>. This group has the following object permissions for the Distribution:
"container.view_containerdistribution"
"container.pull_containerdistribution"
"container.push_containerdistribution"
"container.delete_containerdistribution"
"container.change_containerdistribution"
The Owners group also has the following permissions for the Container Push Repository associated with the Distribution:
"container.view_containerpushrepository"
"container.modify_content_containerpushrepository"
The owners of a Container Distribution have the ability to update and delete the repository associated with the Distribution. They can also add and remove users from the groups associated with the distribution.
Distribution Collaborators
The group name is container.distribution.collaborators.<distribution uuid>. This group has the following object permissions for the Distribution:
"container.view_containerdistribution"
"container.pull_containerdistribution"
"container.push_containerdistribution"
The Collaborators group also has the following permissions for the Container Push Repository associated with the Distribution:
"container.view_containerpushrepository"
"container.modify_content_containerpushrepository"
Users in the Collaborators group can do everything that the owners can, with the exception of deleting the Distribution.
Distribution Consumers
The group name is container.distribution.consumers.<distribution uuid>. This group has the following object permissions for the distribution:
"container.view_containerdistribution"
"container.pull_containerdistribution"
The Consumers group also has the following permissions for the Container Push Repository associated with the Distribution:
"container.view_containerpushrepository"
Users in the Consumers group can pull from the repository. Users should only need to be added to this group if the Distribution has been configured with private=True. If the Distribution is public, then anyone can pull from the repository associated with the Distribution.
Private Repositories
Users wishing to pull from a Container Distribution with private=True will require the following object level permission on the Distribution:
"container.pull_containerdistribution"
Users that wish to be able to access the distribution with Pulp’s API need the following object level permission on the Distribution:
"container.view_containerdistribution"
Users that wish to be able to access the repository associated with the distribution with Pulp’s API need the following object level permission on the Container Push Repository:
"container.view_containerpushrepository"
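The namespace groups, the distribution groups and the private=True rule above interact, and the effective answer to "may this user pull, push or delete this distribution?" is not obvious from any one list. The following model, added here as an illustration and not taken from pulp_container's own code, reproduces the group names and permission sets listed on this page and resolves access for a user. Its one assumption is how the namespace groups take effect: a namespace-level "container.namespace_<action>_<model>" permission is treated as granting "container.<action>_<model>" on every distribution and push repository in that namespace, which is what the namespace sections describe in prose. All usernames, namespace names and distribution uuids are constructed sample data.

```python
"""Model of the pulp_container namespace/distribution group permissions described above.

Added example, not pulp_container's own code. Assumption (labelled below): a namespace
group's "container.namespace_X_Y" permission expands to "container.X_Y" on each
distribution/push repository inside that namespace.
"""
from dataclasses import dataclass

NAMESPACE_GROUP_PERMS = {
    "owners": {
        "container.view_containernamespace",
        "container.delete_containernamespace",
        "container.namespace_add_containerdistribution",
        "container.namespace_delete_containerdistribution",
        "container.namespace_view_containerdistribution",
        "container.namespace_pull_containerdistribution",
        "container.namespace_push_containerdistribution",
        "container.namespace_change_containerdistribution",
        "container.namespace_view_containerpushrepository",
        "container.namespace_modify_content_containerpushrepository",
    },
    "consumers": {
        "container.view_containernamespace",
        "container.namespace_view_containerdistribution",
        "container.namespace_pull_containerdistribution",
        "container.namespace_view_containerpushrepository",
    },
}
# Collaborators hold everything owners do except deleting the namespace itself.
NAMESPACE_GROUP_PERMS["collaborators"] = NAMESPACE_GROUP_PERMS["owners"] - {"container.delete_containernamespace"}

DISTRIBUTION_GROUP_PERMS = {
    "owners": {"container.view_containerdistribution", "container.pull_containerdistribution",
               "container.push_containerdistribution", "container.delete_containerdistribution",
               "container.change_containerdistribution", "container.view_containerpushrepository",
               "container.modify_content_containerpushrepository"},
    "collaborators": {"container.view_containerdistribution", "container.pull_containerdistribution",
                      "container.push_containerdistribution", "container.view_containerpushrepository",
                      "container.modify_content_containerpushrepository"},
    "consumers": {"container.view_containerdistribution", "container.pull_containerdistribution",
                  "container.view_containerpushrepository"},
}


@dataclass(frozen=True)
class Distribution:
    uuid: str
    namespace: str
    private: bool = False


class AccessModel:
    def __init__(self):
        self.members: dict[str, set[str]] = {}   # group name -> usernames
        self.namespaces: set[str] = set()
        self.namespace_creators: set[str] = set()  # holders of container.add_containernamespace

    def add_member(self, group: str, user: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def create_namespace(self, user: str, name: str) -> bool:
        """Allowed with add_containernamespace, or when the name equals the username
        and the namespace does not exist yet; the creator joins the Owners group."""
        if name in self.namespaces or (user not in self.namespace_creators and user != name):
            return False
        self.namespaces.add(name)
        self.add_member(f"container.namespace.owners.{name}", user)
        return True

    def namespace_perms(self, user: str, namespace: str) -> set[str]:
        perms: set[str] = set()
        for role, role_perms in NAMESPACE_GROUP_PERMS.items():
            if user in self.members.get(f"container.namespace.{role}.{namespace}", ()):
                perms |= role_perms
        return perms

    def distribution_perms(self, user: str, dist: Distribution) -> set[str]:
        """Object permissions on a distribution and its push repository: the distribution's
        own groups plus the (assumed) expansion of the namespace-level permissions."""
        perms: set[str] = set()
        for role, role_perms in DISTRIBUTION_GROUP_PERMS.items():
            if user in self.members.get(f"container.distribution.{role}.{dist.uuid}", ()):
                perms |= role_perms
        for perm in self.namespace_perms(user, dist.namespace):
            if perm.startswith("container.namespace_"):          # assumption: namespace_X -> X
                perms.add("container." + perm[len("container.namespace_"):])
        return perms

    def can_pull(self, user: str, dist: Distribution) -> bool:
        if not dist.private:
            return True  # a public distribution can be pulled by anyone
        return "container.pull_containerdistribution" in self.distribution_perms(user, dist)

    def can_push(self, user: str, dist: Distribution) -> bool:
        return "container.push_containerdistribution" in self.distribution_perms(user, dist)

    def can_delete_distribution(self, user: str, dist: Distribution) -> bool:
        return "container.delete_containerdistribution" in self.distribution_perms(user, dist)

    def can_delete_namespace(self, user: str, namespace: str) -> bool:
        return "container.delete_containernamespace" in self.namespace_perms(user, namespace)


def demo() -> dict[str, bool]:
    """Constructed scenario: alice can create namespaces, carol consumes namespace foo,
    dave collaborates on one private distribution, erin is in no group."""
    m = AccessModel()
    m.namespace_creators.add("alice")
    results = {"alice_creates_foo": m.create_namespace("alice", "foo"),
               "bob_creates_own": m.create_namespace("bob", "bob"),
               "bob_creates_other": m.create_namespace("bob", "foo2")}
    private = Distribution("d1", "foo", private=True)
    public = Distribution("d2", "foo")
    m.add_member("container.namespace.consumers.foo", "carol")
    m.add_member("container.distribution.collaborators.d1", "dave")
    results.update({
        "alice_pull_private": m.can_pull("alice", private),
        "alice_delete_dist": m.can_delete_distribution("alice", private),
        "carol_pull_private": m.can_pull("carol", private),
        "carol_push": m.can_push("carol", private),
        "carol_delete_namespace": m.can_delete_namespace("carol", "foo"),
        "dave_push": m.can_push("dave", private),
        "dave_delete_dist": m.can_delete_distribution("dave", private),
        "erin_pull_private": m.can_pull("erin", private),
        "erin_pull_public": m.can_pull("erin", public),
    })
    return results
```

Running demo() shows the practical consequences of the rules: bob can create a namespace named after himself but not any other, a namespace consumer can pull a private distribution but not push to it, a distribution collaborator can push but not delete, and a user in no group can pull only the public distribution.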