Roles

Role-based access control (RBAC) is configured through access policies for the following endpoints:

  • pulp_container/namespaces

  • distributions/container/container

  • repositories/container/container-push

  • remotes/container/container

  • repositories/container/container

  • repositories/container/container-push/versions

  • repositories/container/container/versions

  • content/container/blobs

  • content/container/manifests

  • content/container/tags

Default Roles

For each endpoint, a different set of roles is defined. The roles can be assigned at the model or object level to any user or group. In the following sections, the Creator, Owner, Consumer, and Collaborator roles are introduced. The Consumer and Collaborator roles are defined only for namespaces and distributions (i.e., container repositories served by the Pulp Registry).

Creator Role

The Creator role contains the add permission for objects present on a particular endpoint. For the distributions endpoint, only users with the container.add_containerdistribution permission can create objects:

pulp role show --name "container.containerdistribution_creator"
{
  "pulp_href": "/pulp/api/v3/roles/1a8555c8-3bfc-4688-81e3-5bf6fa38b9d7/",
  "pulp_created": "2022-05-26T12:02:28.872667Z",
  "name": "container.containerdistribution_creator",
  "description": null,
  "permissions": [
    "container.add_containerdistribution"
  ],
  "locked": true
}

To perform operations on an endpoint (i.e., ViewSet actions), a user may need to hold additional permissions. For example, one of the following conditions needs to be satisfied to create a new distribution:

pulp access-policy show --viewset-name "distributions/container/container" | jq -r '.statements[] | select(.action[] | contains("create"))'
{
  "action": [
    "create"
  ],
  "effect": "allow",
  "condition": "has_namespace_model_perms",
  "principal": "authenticated"
}
{
  "action": [
    "create"
  ],
  "effect": "allow",
  "condition": "has_namespace_perms:container.add_containerdistribution",
  "principal": "authenticated"
}
{
  "action": [
    "create"
  ],
  "effect": "allow",
  "condition": "namespace_is_username",
  "principal": "authenticated"
}

Note

A user with the Creator role for namespaces does not need to have any additional roles to create distributions within the given namespaces. Similarly, the user is allowed to create distributions within the owning username namespace (e.g., user alice can create container repositories like alice/repo1).
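To make the three conditions concrete, here is a small Python model of the policy evaluation for the create action. It is added for this page and is not taken from pulp_container: the statements and the role definitions are copied from the output above, while the meaning given to each condition (model-level container.add_containernamespace for has_namespace_model_perms; the permission at model level, or the namespace_-prefixed object-level permission on the namespace named by the first segment of base_path, for has_namespace_perms; first segment of base_path equal to the username for namespace_is_username), the requirement that the namespace already exists, the containernamespace_creator role, and the users alice, bob, carol and dave are assumptions of the example.

```python
"""Model of how Pulp evaluates the `create` statements shown above for the
distributions/container/container ViewSet.  Added example, not pulp_container
code; the condition semantics are this example's reading of the page:
  has_namespace_model_perms   model-level container.add_containernamespace
  has_namespace_perms:<perm>  <perm> at model level, or the matching
                              container.namespace_<suffix> permission on the
                              namespace named by base_path's first segment,
                              which must already exist
  namespace_is_username       base_path's first segment equals the username
Users, namespaces and role assignments are constructed for the demo.
"""
from dataclasses import dataclass, field

# Role -> permissions, copied from the `pulp role show` output on this page;
# containernamespace_creator is inferred from the Creator-role description.
ROLES = {
    "container.containerdistribution_creator": {"container.add_containerdistribution"},
    "container.containernamespace_creator": {"container.add_containernamespace"},
    "container.containernamespace_collaborator": {
        "container.namespace_add_containerdistribution",
        "container.namespace_change_containerdistribution",
        "container.namespace_change_containerpushrepository",
        "container.namespace_delete_containerdistribution",
        "container.namespace_modify_content_containerpushrepository",
        "container.namespace_pull_containerdistribution",
        "container.namespace_push_containerdistribution",
        "container.namespace_view_containerdistribution",
        "container.namespace_view_containerpushrepository",
        "container.view_containernamespace",
    },
}

# The three `create` statements from `pulp access-policy show` above.  All demo
# users are authenticated, so "principal": "authenticated" always matches here.
CREATE_STATEMENTS = [
    {"action": ["create"], "effect": "allow", "principal": "authenticated",
     "condition": "has_namespace_model_perms"},
    {"action": ["create"], "effect": "allow", "principal": "authenticated",
     "condition": "has_namespace_perms:container.add_containerdistribution"},
    {"action": ["create"], "effect": "allow", "principal": "authenticated",
     "condition": "namespace_is_username"},
]

EXISTING_NAMESPACES = {"alice", "team", "vendor"}  # constructed


@dataclass
class User:
    username: str
    model_roles: set = field(default_factory=set)     # role names, model level
    object_roles: dict = field(default_factory=dict)  # namespace -> {role names}

    def has_perm(self, perm):
        """Model-level check: any model-level role carrying perm."""
        return any(perm in ROLES[r] for r in self.model_roles)

    def has_object_perm(self, perm, namespace):
        """Object-level check against the roles granted on one namespace."""
        return any(perm in ROLES[r] for r in self.object_roles.get(namespace, ()))


def namespace_of(data):
    """First segment of base_path, e.g. 'alice' for 'alice/repo1'."""
    return (data.get("base_path") or "").split("/")[0] or None


def check_condition(condition, user, data):
    name, _, param = condition.partition(":")
    if name == "has_namespace_model_perms":
        return user.has_perm("container.add_containernamespace")
    if name == "has_namespace_perms":
        ns = namespace_of(data)
        if ns is None or ns not in EXISTING_NAMESPACES:
            return False
        ns_perm = "container.namespace_" + param.split(".", 1)[1]
        return user.has_perm(param) or user.has_object_perm(ns_perm, ns)
    if name == "namespace_is_username":
        return namespace_of(data) == user.username
    raise ValueError(f"unknown condition {name!r}")


def evaluate(statements, user, action, data):
    """drf-access-policy style: a matching deny wins, otherwise any matching
    allow permits.  Returns (allowed, condition that decided it)."""
    first_allow = None
    for st in statements:
        if action not in st["action"] or not check_condition(st["condition"], user, data):
            continue
        if st["effect"] == "deny":
            return False, st["condition"]
        first_allow = first_allow or st["condition"]
    return first_allow is not None, first_allow


def can_create_distribution(user, base_path):
    data = {"name": base_path.replace("/", "-"), "base_path": base_path}
    return evaluate(CREATE_STATEMENTS, user, "create", data)


if __name__ == "__main__":
    alice = User("alice")  # no roles at all
    bob = User("bob", model_roles={"container.containernamespace_creator"})
    carol = User("carol", object_roles={"team": {"container.containernamespace_collaborator"}})
    dave = User("dave", model_roles={"container.containerdistribution_creator"})
    for user, path in [(alice, "alice/repo1"), (alice, "team/repo1"), (bob, "anything/x"),
                       (carol, "team/app"), (carol, "vendor/app"), (dave, "vendor/app"),
                       (dave, "nope/app"), (dave, "dave/app")]:
        print(f"{user.username:6} {path:14} {can_create_distribution(user, path)}")
```

Running it shows that alice can create alice/repo1 with no roles at all, that a model-level Creator role for namespaces (bob) satisfies the first condition for any base path, and that an object-level Collaborator role on the team namespace (carol) is enough for team/app but not for vendor/app. The real conditions live in pulp_container's access-policy code; if the model and a live server ever disagree, the server is right.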

Owner Role

The Owner role contains all of the permissions available for the associated ViewSet apart from the add permission. For the ViewSet hosting namespaces, the set of permissions reads:

pulp role show --name "container.containernamespace_owner"
{
  "pulp_href": "/pulp/api/v3/roles/1f5519f5-5b2d-47cc-b081-2f38f256740e/",
  "pulp_created": "2022-05-26T12:02:28.999330Z",
  "name": "container.containernamespace_owner",
  "description": null,
  "permissions": [
    "container.delete_containernamespace",
    "container.manage_roles_containernamespace",
    "container.namespace_add_containerdistribution",
    "container.namespace_change_containerdistribution",
    "container.namespace_change_containerpushrepository",
    "container.namespace_delete_containerdistribution",
    "container.namespace_modify_content_containerpushrepository",
    "container.namespace_pull_containerdistribution",
    "container.namespace_push_containerdistribution",
    "container.namespace_view_containerdistribution",
    "container.namespace_view_containerpushrepository",
    "container.view_containernamespace"
  ],
  "locked": true
}

Besides the permissions for the Read, Update, and Delete actions, the Owner role carries the manage_roles permission, which allows the user to call the ViewSet’s add_role and remove_role endpoints to manage roles on that ViewSet’s object without involving an administrator.

The Owner role for namespaces also contains the permissions for any additional action that can be performed on the related endpoints. The endpoints serving content to container clients grant access to container distributions/repositories based on the presence of the pull_containerdistribution and push_containerdistribution permissions.

Note

Repositories of the push type created with container clients (e.g., by running podman push) are considered public and anyone can pull the images from them.

Consumer Role

The Consumer role contains only the view and pull permissions. Below is the list of permissions it carries for distributions:

pulp role show --name "container.containerdistribution_consumer"
{
  "pulp_href": "/pulp/api/v3/roles/7b97928a-5d33-454f-982e-41cfe102b273/",
  "pulp_created": "2022-05-26T12:02:28.945828Z",
  "name": "container.containerdistribution_consumer",
  "description": null,
  "permissions": [
    "container.pull_containerdistribution",
    "container.view_containerdistribution"
  ],
  "locked": true
}

Having the view and pull permissions allows a user to see and pull content from the Pulp Registry. Assigning this role at the object level only lets administrators and owners choose exactly which distributions a user can see and pull from:

pulp container distribution create --name "foo" --base-path "bar"
pulp user create --username "consumer"
pulp container distribution role add --name "foo" --user "consumer" --role "container.containerdistribution_consumer"
pulp user role-assignment list --username "consumer"
[
  {
    "pulp_href": "/pulp/api/v3/users/44/roles/6e58251d-7656-4c0d-9630-ea51ed7c29b5/",
    "pulp_created": "2022-05-27T15:27:00.623004Z",
    "role": "container.containerdistribution_consumer",
    "content_object": "/pulp/api/v3/distributions/container/container/5b8ec13c-d578-4b3a-9b99-80986e5e00b6/"
  }
]

Also, it is possible to assign the role in the following manner:

PULP_HREF=$(pulp container distribution show --name "foo" | jq -r ".pulp_href")
pulp user role-assignment add --object ${PULP_HREF} --username "consumer" --role "container.containerdistribution_consumer"

Collaborator Role

The Collaborator role represents the set of permissions that a co-worker working within the same user space should have. In addition to what the Consumer role grants, users with the Collaborator role are allowed to add (push) and modify content. The following permissions are evaluated for the Collaborator role on distributions and on namespaces:

pulp role show --name "container.containerdistribution_collaborator"
{
  "pulp_href": "/pulp/api/v3/roles/933e0376-8945-489a-93a6-cafb6753f4bb/",
  "pulp_created": "2022-05-26T12:02:28.924330Z",
  "name": "container.containerdistribution_collaborator",
  "description": null,
  "permissions": [
    "container.pull_containerdistribution",
    "container.push_containerdistribution",
    "container.view_containerdistribution"
  ],
  "locked": true
}
pulp role show --name "container.containernamespace_collaborator"
{
  "pulp_href": "/pulp/api/v3/roles/1466e614-73a7-4a58-ab36-ced0ab1a1809/",
  "pulp_created": "2022-05-26T12:02:29.058226Z",
  "name": "container.containernamespace_collaborator",
  "description": null,
  "permissions": [
    "container.namespace_add_containerdistribution",
    "container.namespace_change_containerdistribution",
    "container.namespace_change_containerpushrepository",
    "container.namespace_delete_containerdistribution",
    "container.namespace_modify_content_containerpushrepository",
    "container.namespace_pull_containerdistribution",
    "container.namespace_push_containerdistribution",
    "container.namespace_view_containerdistribution",
    "container.namespace_view_containerpushrepository",
    "container.view_containernamespace"
  ],
  "locked": true
}

Customizing Roles

In Pulp, administrators are allowed to create or update roles. To create a role carrying only the permissions required for syncing content, one can do the following:

pulp role create --name "container.containerrepository_syncer" \
    --permission "container.view_containerrepository" \
    --permission "container.view_containerremote" \
    --permission "container.change_containerrepository" \
    --permission "container.modify_content_containerrepository" \
    --permission "container.sync_containerrepository"

pulp user role-assignment add --username "alice" --role "container.containerrepository_syncer" --object ""

Passing an empty --object assigns the role at the model level, i.e., for every container repository; to scope it to a single repository, pass that repository's pulp_href as the --object value instead.
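The output of pulp user role-assignment list is also what you would audit to catch model-level grants that quietly undo the object-level scoping shown for the consumer user above, or that make a role like the syncer apply to every repository. The following Python script is an added example, not pulp or pulp-cli code: the role definitions are copied from this page (the locked defaults plus the custom syncer role), the consumer assignment is the one listed in the Consumer Role section, and the assignments for alice, bob and carol, the namespace href, and the risk ranking of permission verbs are constructed for the demo.

```python
"""Audit Pulp role assignments for over-broad grants.  Added example, not pulp
or pulp-cli code.  The input mirrors the JSON that `pulp user role-assignment
list` prints on this page: one entry per assignment with `role` and
`content_object`, where a null `content_object` is a model-level grant (the
`--object ""` form).  Assignments for alice, bob and carol, the namespace href
and the verb risk ranking are constructed for this demo.
"""

# Locked default roles copied from `pulp role show` on this page, plus the
# custom syncer role created in the "Customizing Roles" section.
ROLES = {
    "container.containerdistribution_consumer": {
        "container.pull_containerdistribution",
        "container.view_containerdistribution",
    },
    "container.containernamespace_owner": {
        "container.delete_containernamespace",
        "container.manage_roles_containernamespace",
        "container.namespace_add_containerdistribution",
        "container.namespace_change_containerdistribution",
        "container.namespace_change_containerpushrepository",
        "container.namespace_delete_containerdistribution",
        "container.namespace_modify_content_containerpushrepository",
        "container.namespace_pull_containerdistribution",
        "container.namespace_push_containerdistribution",
        "container.namespace_view_containerdistribution",
        "container.namespace_view_containerpushrepository",
        "container.view_containernamespace",
    },
    "container.containerrepository_syncer": {
        "container.view_containerrepository",
        "container.view_containerremote",
        "container.change_containerrepository",
        "container.modify_content_containerrepository",
        "container.sync_containerrepository",
    },
}

DIST_HREF = "/pulp/api/v3/distributions/container/container/5b8ec13c-d578-4b3a-9b99-80986e5e00b6/"
NS_HREF = "/pulp/api/v3/pulp_container/namespaces/00000000-0000-4000-8000-000000000001/"  # constructed

ASSIGNMENTS = {  # username -> entries as printed by `pulp user role-assignment list`
    "consumer": [{"role": "container.containerdistribution_consumer", "content_object": DIST_HREF}],
    "alice": [{"role": "container.containerrepository_syncer", "content_object": None}],
    "bob": [{"role": "container.containernamespace_owner", "content_object": None}],  # constructed
    "carol": [{"role": "container.containernamespace_owner", "content_object": NS_HREF}],  # constructed
}

# Permission verbs that widen access or destroy data, and plain write verbs.  A
# model-level grant of a role carrying one applies to every object of that type.
HIGH_RISK = ("manage_roles_", "delete_")
WRITE = ("add_", "change_", "modify_content_", "push_", "sync_")


def verb_of(perm):
    """'container.namespace_delete_containerdistribution' -> 'delete_'; None for read verbs."""
    name = perm.split(".", 1)[1]
    if name.startswith("namespace_"):  # namespace-scoped variants use the same verbs
        name = name[len("namespace_"):]
    return next((v for v in HIGH_RISK + WRITE if name.startswith(v)), None)


def effective_perms(assignments, roles):
    """Permissions per scope: 'model' or the object href the role was granted on."""
    scopes = {}
    for a in assignments:
        scopes.setdefault(a["content_object"] or "model", set()).update(roles[a["role"]])
    return scopes


def audit(all_assignments, roles):
    """Return (username, severity, role, reason) for every risky model-level grant."""
    findings = []
    for user, assignments in all_assignments.items():
        for a in assignments:
            if a["content_object"] is not None:
                continue  # object-level grants are scoped to one object; nothing to flag
            verbs = {verb_of(p) for p in roles[a["role"]]} - {None}
            if verbs & set(HIGH_RISK):
                findings.append((user, "high", a["role"], "model-level grant of "
                                 + ", ".join(sorted(verbs & set(HIGH_RISK))) + " on every object"))
            elif verbs & set(WRITE):
                findings.append((user, "medium", a["role"], "model-level grant of "
                                 + ", ".join(sorted(verbs & set(WRITE))) + " on every object"))
    return findings


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, ROLES):
        print(*finding)
    print("consumer:", effective_perms(ASSIGNMENTS["consumer"], ROLES))
```

The audit flags bob (Owner at model level, so manage_roles and delete on every namespace, which lets him hand out further roles himself) as high and alice (the syncer role at model level, so change and modify_content on every repository) as medium, while the consumer and carol assignments pass because they are bound to a single object. To run it against a live server, replace ASSIGNMENTS with the parsed output of pulp user role-assignment list for each user and ROLES with the output of pulp role list.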

Customizing Access Policies

The plugin is shipped with default access policies that can be modified to achieve different RBAC behaviour. For instance, the creation hooks of a ViewSet can be changed so that whoever creates a repository is automatically granted the custom syncer role defined above on that repository:

pulp access-policy update --viewset-name "repositories/container/container" --creation-hooks '[{"function": "add_roles_for_object_creator", "parameters": {"roles": "container.containerrepository_syncer"}}]'

Note

Access policies can be reset to their defaults using the pulp access-policy reset command.

Note

Customizing the access policy will cause any future changes to the default policies, like statement changes and bug fixes, to be ignored unless reset to the default policy.