Role Based Access Control

Role based access control in Pulp Container is configured using Access Policies for the following viewset_names:

  • pulp_container/namespaces

  • distributions/container/container

  • repositories/container/container-push

  • remotes/container/container

  • repositories/container/container

  • repositories/container/container-push/versions

  • repositories/container/container/versions

  • content/container/blobs

  • content/container/manifests

  • content/container/tags

This document describes the default access policies shipped with Pulp Container. Each of the above policies can be modified to achieve a different RBAC behavior.

Repositories that are created using podman push or docker push are considered public and anyone can pull the images from them. See below about creating private repositories.

Namespaces

Pulp Container namespaces allow users to reuse repository names under different contexts. A namespace can represent an organization, a team, or any other kind of logical grouping of container repositories. Namespaces provide a naming convention for container repositories: repositories in the foo namespace are named foo/something and foo/something-else.

The default access policy for pulp_container/namespaces requires a user to have the container.add_containernamespace permission to create a new namespace. Alternatively, a user is allowed to create a namespace that matches their username if it does not already exist. The new namespace can be created by pushing an image using the podman or docker client. The same permissions allow a user of Pulp’s API to create a new namespace.

The creation of a new namespace creates three user groups that can access the namespace: Owners, Collaborators, and Consumers. The user that creates the namespace is automatically added to the Owners group.

Namespace Owners

The group name is container.namespace.owners.<namespace name>. This group has the following object permissions for the namespace:

"container.view_containernamespace"
"container.delete_containernamespace"
"container.namespace_add_containerdistribution"
"container.namespace_delete_containerdistribution"
"container.namespace_view_containerdistribution"
"container.namespace_pull_containerdistribution"
"container.namespace_push_containerdistribution"
"container.namespace_change_containerdistribution"
"container.namespace_view_containerpushrepository"
"container.namespace_modify_content_containerpushrepository"

Users in the Owners group have the permissions to add and remove users from all three groups associated with the namespace. They also have the ability to create, update, and delete repositories in the namespace.

In addition to being able to use the podman or docker client to manage repositories, owners can use Pulp’s API to add and remove tags in the repositories for the namespace.

Namespace Collaborators

The group name is container.namespace.collaborators.<namespace name>. This group has the following object permissions for the namespace:

"container.view_containernamespace"
"container.namespace_add_containerdistribution"
"container.namespace_delete_containerdistribution"
"container.namespace_view_containerdistribution"
"container.namespace_pull_containerdistribution"
"container.namespace_push_containerdistribution"
"container.namespace_change_containerdistribution"
"container.namespace_view_containerpushrepository"
"container.namespace_modify_content_containerpushrepository"

Users in the Collaborators group can do everything that the owners can, with the exception of deleting the namespace.

Namespace Consumers

The group name is container.namespace.consumers.<namespace name>. This group has the following object permissions for the namespace:

"container.view_containernamespace"
"container.namespace_view_containerdistribution"
"container.namespace_pull_containerdistribution"
"container.namespace_view_containerpushrepository"

Users in the Consumers group can pull from any of the repositories in the namespace. Users should only need to be added to this group if private repositories are being used. If the repository is public, then anyone can pull from the repository.

Distributions

Distributions are Pulp resources that represent URLs where repositories can be consumed. Permissions for accessing specific container repositories are described in terms of permissions to access Container Distributions. Each time a new repository is pushed using podman or docker, a Container Distribution is created. There is also a Container Push Repository created. Both of these resources can be accessed using Pulp’s API.

The creation of a new distribution creates three user groups that can access the distribution: Owners, Collaborators, and Consumers. The user that creates the distribution is automatically added to the Owners group.

Distribution Owners

The group name is container.distribution.owners.<distribution uuid>. This group has the following object permissions for the Distribution:

"container.view_containerdistribution"
"container.pull_containerdistribution"
"container.push_containerdistribution"
"container.delete_containerdistribution"
"container.change_containerdistribution"

The Owners group also has the following permissions for the Container Push Repository associated with the Distribution:

"container.view_containerpushrepository"
"container.modify_content_containerpushrepository"

The owners of a Container Distribution have the ability to update and delete the repository associated with the Distribution. They can also add and remove users from the groups associated with the Distribution.

Distribution Collaborators

The group name is container.distribution.collaborators.<distribution uuid>. This group has the following object permissions for the Distribution:

"container.view_containerdistribution"
"container.pull_containerdistribution"
"container.push_containerdistribution"

The Collaborators group also has the following permissions for the Container Push Repository associated with the Distribution:

"container.view_containerpushrepository"
"container.modify_content_containerpushrepository"

Users in the Collaborators group can do everything that the owners can, with the exception of deleting the Distribution.

Distribution Consumers

The group name is container.distribution.consumers.<distribution uuid>. This group has the following object permissions for the distribution:

"container.view_containerdistribution"
"container.pull_containerdistribution"

The Consumers group also has the following permissions for the Container Push Repository associated with the Distribution:

"container.view_containerpushrepository"

Users in the Consumers group can pull from the repository. Users should only need to be added to this group if the Distribution has been configured with private=True. If the Distribution is public, then anyone can pull from the repository associated with the Distribution.

Private Repositories

A private repository can be created using Pulp’s API for Container Distributions. A distribution can be created before pushing to the repository or an existing distribution can be updated with private=True.

Users wishing to pull from a Container Distribution with private=True will require the following object level permission on the Distribution:

"container.pull_containerdistribution"

Users that wish to be able to access the distribution with Pulp’s API need the following object level permission on the Distribution:

"container.view_containerdistribution"

Users that wish to be able to access the repository associated with the distribution with Pulp’s API need the following object level permission on the Container Push Repository:

"container.view_containerpushrepository"
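As an added example (not Pulp's own code), the following Python models the group naming convention and the per-group object permissions from the Namespaces and Distributions sections above, together with the public/private pull rule from this section, and resolves whether a given user may pull from or push to a repository. The user's group names, the namespace name and the distribution uuid passed in are assumed inputs.

```python
# Added example, not Pulp's own code: a model of the group and object-permission
# scheme documented above, answering "may this user pull from / push to this repo?".
def perms(*names):
    return {f"container.{n}" for n in names}

# Object permissions of the three namespace-level groups (the lists above).
NS_PERMS = {"owners": perms(
    "view_containernamespace", "delete_containernamespace",
    "namespace_add_containerdistribution", "namespace_delete_containerdistribution",
    "namespace_view_containerdistribution", "namespace_pull_containerdistribution",
    "namespace_push_containerdistribution", "namespace_change_containerdistribution",
    "namespace_view_containerpushrepository",
    "namespace_modify_content_containerpushrepository")}
NS_PERMS["collaborators"] = NS_PERMS["owners"] - perms("delete_containernamespace")
NS_PERMS["consumers"] = perms(
    "view_containernamespace", "namespace_view_containerdistribution",
    "namespace_pull_containerdistribution", "namespace_view_containerpushrepository")

# Distribution-level groups, including their permissions on the Container Push Repository.
DIST_PERMS = {"owners": perms(
    "view_containerdistribution", "pull_containerdistribution",
    "push_containerdistribution", "delete_containerdistribution",
    "change_containerdistribution", "view_containerpushrepository",
    "modify_content_containerpushrepository")}
DIST_PERMS["collaborators"] = DIST_PERMS["owners"] - perms(
    "delete_containerdistribution", "change_containerdistribution")
DIST_PERMS["consumers"] = perms(
    "view_containerdistribution", "pull_containerdistribution", "view_containerpushrepository")

def group_name(scope, role, ident):
    """Convention: container.<scope>.<role>.<namespace name | distribution uuid>."""
    return f"container.{scope}.{role}.{ident}"

def effective_perms(user_groups, namespace, dist_uuid):
    """Union of the object permissions the user's groups grant on this namespace/distribution."""
    granted = set()
    for scope, table, ident in (("namespace", NS_PERMS, namespace),
                                ("distribution", DIST_PERMS, dist_uuid)):
        for role, p in table.items():
            if group_name(scope, role, ident) in user_groups:
                granted |= p
    return granted

def allowed(action, user_groups, namespace, dist_uuid, private):
    """action is "pull" or "push"; the private flag is the distribution's private=True setting."""
    if action == "pull" and not private:
        return True  # public distributions can be pulled by anyone
    granted = effective_perms(user_groups, namespace, dist_uuid)
    # Private pull, and every push, needs the permission on the distribution or its namespace.
    return bool(granted & perms(f"{action}_containerdistribution",
                                f"namespace_{action}_containerdistribution"))
```

Calling allowed("pull", {"container.namespace.consumers.foo"}, "foo", "<dist uuid>", True) returns True, while the same consumer membership is not enough for a push.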