Adds granular permissions for push repositories
The RegistryAccessPolicy is a combination of AccessPolicies for ContainerNamespace, ContainerDistribution, and ContainerPushRepository viewsets. The default policy requires users to have "container.add_containernamespace" and "container.add_containerdistribution" permissions in order to push a new repository into a new namespace. The permissions also enable users to use the Pulp API to create a namespace and distribution.

The ContainerNamespaceViewset provides a create_namespace_group() function that can be used to assign permissions to a group of users. The default permission assignment for a namespace creates three groups: Owners, Collaborators, and Consumers.

Namespace Owners get the following permissions:
    "container.view_containernamespace",
    "container.delete_containernamespace",
    "container.namespace_add_containerdistribution",
    "container.namespace_delete_containerdistribution",
    "container.namespace_view_containerdistribution",
    "container.namespace_pull_containerdistribution",
    "container.namespace_push_containerdistribution",
    "container.namespace_change_containerdistribution",
    "container.namespace_view_containerpushrepository",
    "container.namespace_modify_content_containerpushrepository"

Namespace Collaborators get the following permissions:
    "container.view_containernamespace",
    "container.namespace_add_containerdistribution",
    "container.namespace_delete_containerdistribution",
    "container.namespace_view_containerdistribution",
    "container.namespace_pull_containerdistribution",
    "container.namespace_push_containerdistribution",
    "container.namespace_change_containerdistribution",
    "container.namespace_view_containerpushrepository",
    "container.namespace_modify_content_containerpushrepository"

Namespace Consumers get the following permissions:
    "container.view_containernamespace",
    "container.namespace_view_containerdistribution",
    "container.namespace_pull_containerdistribution",
    "container.namespace_view_containerpushrepository",

The ContainerDistributionsViewset provides a create_distribution_group() function that can be used to assign permissions to a group of users. The default permission assignment for a newly created ContainerDistribution consists of three groups: Owners, Collaborators, and Consumers.

ContainerDistribution Owners get the following permissions:
    "container.view_containerdistribution",
    "container.pull_containerdistribution",
    "container.push_containerdistribution",
    "container.delete_containerdistribution",
    "container.change_containerdistribution",
    "container.view_containerpushrepository",
    "container.modify_content_containerpushrepository"

ContainerDistribution Collaborators get the following permissions:
    "container.view_containerdistribution",
    "container.pull_containerdistribution",
    "container.push_containerdistribution",
    "container.view_containerpushrepository",
    "container.modify_content_containerpushrepository"

ContainerDistribution Consumers get the following permissions:
    "container.view_containerdistribution",
    "container.pull_containerdistribution",
    "container.view_containerpushrepository",

The ContainerPushRepositoryViewset provides an add_perms_to_distribution_group() function to assign ContainerPushRepository permissions to the groups associated with the ContainerDistribution that serves the specific ContainerPushRepository.

closes: #8101
https://pulp.plan.io/issues/8101