Check pull access when tagging imagestreams

[liggitt]

When tagging across namespaces, a user must have pull permission on the source image stream. This means they need get access on the imagestreams/layers resource in the source namespace. The admin, edit, and system:image-puller roles all grant this permission.

[liggitt]

@smarterclayton, shouldn't we be checking pull access for an image stream layer, not just view access on the image stream object?

@deads2k for scoped usage

[liggitt]

@smarterclayton, shouldn't we be checking pull access for an image stream layer, not just view access on the image stream object?

@deads2k for scoped usage

[smarterclayton]

Haven't read through this, but to answer the question, if you can pull IS "foo", you can pull any image tagged by it. Layers shouldn't matter.

[smarterclayton]

Haven't read through this, but to answer the question, if you can pull IS "foo", you can pull any image tagged by it. Layers shouldn't matter.

[liggitt]

imagestreams/layers is what the registry checks before letting you pull that image stream

[liggitt]

imagestreams/layers is what the registry checks before letting you pull that image stream

[liggitt]

[test]

[liggitt]

[test]

[smarterclayton]

Hope this doesn't break too many people. Release note please?

[smarterclayton]

Hope this doesn't break too many people. Release note please?

[smarterclayton]

Agree with change (logically tag and pull/push are identical permissions), is there an easy test case to add?

Does this have any implications for third party clients?

[smarterclayton]

Agree with change (logically tag and pull/push are identical permissions), is there an easy test case to add?

Does this have any implications for third party clients?

[smarterclayton]

Deployments can tag images in their hook so the deployer SA needs this permission.

[smarterclayton]

Deployments can tag images in their hook so the deployer SA needs this permission.

[liggitt]

Hope this doesn't break too many people. Release note please?

The only role we have that allows someone to get imagestreams but not pull is the view role. Remind me where we're collecting release notes again?

Deployments can tag images in their hook so the deployer SA needs this permission.

This check is only done when tagging from another namespace... no deployer SA will ever automatically have a permission in another namespace.

[liggitt]

Hope this doesn't break too many people. Release note please?

The only role we have that allows someone to get imagestreams but not pull is the view role. Remind me where we're collecting release notes again?

Deployments can tag images in their hook so the deployer SA needs this permission.

This check is only done when tagging from another namespace... no deployer SA will ever automatically have a permission in another namespace.

[deads2k]

AddUserToSAR usage is correct.

[stevekuznetsov]

re[test]

[stevekuznetsov]

re[test]

[openshift-bot]

Evaluated for origin test up to 8115614

[openshift-bot]

Evaluated for origin test up to 8115614

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7350/)

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7350/)

[liggitt]

[merge]

[liggitt]

[merge]

[openshift-bot]

Evaluated for origin merge up to 8115614

[openshift-bot]

Evaluated for origin merge up to 8115614

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7350/) (Image: devenv-rhel7_4724)

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7350/) (Image: devenv-rhel7_4724)