Container pull permission

I’m new to Pulp and I’m having some trouble understanding the documentation and making it work the way I want.

I would like to push my images to the registry and make some of them private, but I understand that pushing them from a client makes them public right away, even if I update the distribution to private.

Am I missing something? What is the best approach to do what I want?

Making the distribution private should exactly restrict pull access to users with the corresponding consumer role.
What we suggest however is to precreate the repository and distribution in a private state so that there is no information leaked before you can close the window.

Maybe caching is getting in the way here. Can you try killing the redis process and see if that resolves the access question?

The thing is I don’t want users who are not logged in to be able to pull the images, so they don’t have an associated consumer role. I’ve killed the redis process, but I’m still able to pull these images.

I just tried to precreate the repository and distribution, but I’m facing now a read-only repository error when pushing from podman.

Let me correct one thing about pre-creating the repository (an entity that stores content). We do not allow pre-creating a repository that is used for pushing images. You can create only a distribution (an entity that makes the content available for consumption) in advance, optionally, mark it private and once you push an image to it, a repository will be automatically created and attached to it.

Now, the following question stands out. Do you have token authentication enabled? If not, the private attribute will be ignored by Pulp, see the second paragraph at Authentication - Pulp Project. I tested this locally. It works.

I identified 2 action items on our side:

  1. Add a note about the private flag with regard to disabled token authentication at Role-based Access Control - Pulp Project. It is not very transparent how we document the behaviour.
  2. Add an option to the namespace to be also private. This could allow us to create just a namespace in advance, lock it for specific users, and permit the consumption from the namespace accordingly.

Do you know what else we could do to make your experience better?

3 Likes

When having private distributions, the following roles might be considered:

container.containerdistribution_collaborator
container.containernamespace_collaborator

I have just opened a new issue on GH that considers updating the RBAC documentation: RBAC documentation talks about groups instead of roles · Issue #1715 · pulp/pulp_container · GitHub. Please, bear with us!

1 Like

The roles can be listed like so:

pulp role list --name-startswith "container." --name-contains "collaborator"
[
  {
    "pulp_href": "/pulp/api/v3/roles/0190e8dd-90a3-7033-8c32-cdc5e076c7f5/",
    "pulp_created": "2024-07-25T07:49:12.996871Z",
    "pulp_last_updated": "2024-07-25T07:49:34.155555Z",
    "name": "container.containernamespace_collaborator",
    "description": null,
    "permissions": [
      "container.namespace_add_containerdistribution",
      "container.namespace_change_containerdistribution",
      "container.namespace_change_containerpushrepository",
      "container.namespace_delete_containerdistribution",
      "container.namespace_modify_content_containerpushrepository",
      "container.namespace_modify_content_containerrepository",
      "container.namespace_pull_containerdistribution",
      "container.namespace_push_containerdistribution",
      "container.namespace_view_containerdistribution",
      "container.namespace_view_containerpushrepository",
      "container.view_containernamespace"
    ],
    "locked": true
  },
  {
    "pulp_href": "/pulp/api/v3/roles/0190e8dd-9045-7edb-b6ac-50713d57b841/",
    "pulp_created": "2024-07-25T07:49:12.902106Z",
    "pulp_last_updated": "2024-07-25T07:49:34.040704Z",
    "name": "container.containerdistribution_collaborator",
    "description": null,
    "permissions": [
      "container.pull_containerdistribution",
      "container.push_containerdistribution",
      "container.view_containerdistribution"
    ],
    "locked": true
  }
]

And, assigned like this:

pulp user role-assignment add --username "${USERNAME}" --role "${ROLE}" --object ""

1 Like
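To make the two explanations above concrete (the private flag only takes effect when token authentication is enabled, and pull access on a private distribution comes from a collaborator role assigned either on the distribution itself or on its namespace), here is a small model of the pull decision. This is an added example, not pulp_container’s own code: the two role definitions are copied from the `pulp role list` output above, the `Distribution`/`Assignment` types and the `can_pull` rule are a simplified reading of this thread, and treating an assignment with no object (the `--object ""` form) as applying to every object is an assumption.

```python
"""Simplified model of who may pull from a Pulp container distribution.

Added example, not pulp_container's code. Role definitions come from the
`pulp role list` output in this thread; the decision rule follows the thread:
private is ignored without token authentication, and the collaborator roles
grant pull on one distribution or on every distribution in a namespace.
"""
import json
from dataclasses import dataclass

# Trimmed copy of the role listing above (hrefs and timestamps dropped).
ROLES_JSON = """
[
  {"name": "container.containernamespace_collaborator",
   "permissions": [
     "container.namespace_add_containerdistribution",
     "container.namespace_change_containerdistribution",
     "container.namespace_change_containerpushrepository",
     "container.namespace_delete_containerdistribution",
     "container.namespace_modify_content_containerpushrepository",
     "container.namespace_modify_content_containerrepository",
     "container.namespace_pull_containerdistribution",
     "container.namespace_push_containerdistribution",
     "container.namespace_view_containerdistribution",
     "container.namespace_view_containerpushrepository",
     "container.view_containernamespace"]},
  {"name": "container.containerdistribution_collaborator",
   "permissions": [
     "container.pull_containerdistribution",
     "container.push_containerdistribution",
     "container.view_containerdistribution"]}
]
"""
ROLE_PERMS = {r["name"]: frozenset(r["permissions"]) for r in json.loads(ROLES_JSON)}


@dataclass(frozen=True)
class Distribution:
    name: str        # e.g. "myorg/app" (constructed sample)
    namespace: str   # e.g. "myorg"
    private: bool


@dataclass(frozen=True)
class Assignment:
    """One role assignment for a user, as created with `pulp user role-assignment add`.

    object_type is "distribution", "namespace", or "" for an assignment with no
    object (the `--object ""` form above); the no-object case is assumed here to
    apply to every object.
    """
    role: str
    object_type: str = ""
    object_name: str = ""

    def applies_to(self, dist):
        return (self.object_type == ""
                or (self.object_type == "namespace" and self.object_name == dist.namespace)
                or (self.object_type == "distribution" and self.object_name == dist.name))


def effective_permissions(assignments, dist):
    """Union of the permissions of every role assignment that covers `dist`."""
    perms = set()
    for a in assignments:
        if a.applies_to(dist):
            perms |= ROLE_PERMS.get(a.role, frozenset())
    return perms


def can_pull(dist, assignments, *, token_auth, authenticated):
    """Return (allowed, reason) for a pull of `dist` by a caller with `assignments`."""
    if not token_auth:
        return True, "token authentication disabled: the private flag is ignored"
    if not dist.private:
        return True, "public distribution"
    if not authenticated:
        return False, "anonymous pull of a private distribution"
    perms = effective_permissions(assignments, dist)
    if "container.pull_containerdistribution" in perms:
        return True, "pull permission on this distribution"
    if "container.namespace_pull_containerdistribution" in perms:
        return True, "pull permission inherited from the namespace"
    return False, "no pull permission on this distribution or its namespace"


if __name__ == "__main__":
    app = Distribution("myorg/app", "myorg", private=True)
    alice = [Assignment("container.containerdistribution_collaborator", "distribution", "myorg/app")]
    print(can_pull(app, [], token_auth=True, authenticated=False))
    print(can_pull(app, alice, token_auth=True, authenticated=True))
```

The first branch is the one that bit the original poster: with token authentication off, `can_pull` returns True for everyone regardless of `private`, which is why killing redis changed nothing. Only once that branch is gone do the role assignments matter.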

Thanks for the explanation, I’ve enabled token authentication and managed to create the repository I needed.

This is actually an improvement I thought of while installing, so it would be great to see it in future releases.

Indeed, I did spend a certain amount of time trying to figure out how to set a “token_server”. I don’t really know about this subject, so I believed at first that I had to create a token server myself, somehow. Specifying in the documentation that we can in fact use http://pulp_hostname:24817/token directly would be great, I think. If this is also something I missed in the documentation, apologies.

Again, thanks for taking the time to explain.

2 Likes

You are welcome! I opened this feature request: Allow namespaces to be private · Issue #1721 · pulp/pulp_container · GitHub.

We will also need to revisit the way we document token authentication. Or even its purpose, because the token server was primarily designed to be deployed as a separate service, see Token Authentication Specification | CNCF Distribution.

1 Like
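The confusion about having to “create a token server” in the earlier post, and the pointer to the CNCF Distribution specification in the reply, both come down to how a client discovers the token server: the registry answers an unauthenticated request with a 401 whose WWW-Authenticate header names the token endpoint (the realm), the service and the scope it wants authorized, and the client then fetches a bearer token from that realm. The following is an added example of that client-side step, not Pulp’s or the CNCF Distribution project’s code; the realm uses the http://pulp_hostname:24817/token form mentioned in the thread, while the service and repository names are constructed sample values.

```python
"""Parse a registry token-auth challenge and build the token request.

Added example following the Token Authentication Specification referenced in
this thread; not Pulp's code. The registry tells the client where the token
server is, so nobody has to stand up a separate one just to use the flow.
"""
import re
from urllib.parse import urlencode

# Constructed sample of the WWW-Authenticate header returned to an anonymous pull.
SAMPLE_CHALLENGE = (
    'Bearer realm="http://pulp_hostname:24817/token",'
    'service="pulp_hostname:24817",'
    'scope="repository:myorg/private-app:pull"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a `Bearer k="v",...` challenge into a dict; reject other schemes."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    fields = dict(_PARAM_RE.findall(params))
    if "realm" not in fields:
        raise ValueError("challenge has no realm")
    return fields


def parse_scope(scope):
    """Decode one `type:name:action[,action]` scope into its parts.

    The name may itself contain ':' when it carries a host:port prefix, so the
    action list is split off from the right.
    """
    resource_type, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return resource_type, name, actions.split(",")


def build_token_request(challenge):
    """URL the client GETs (sending its credentials) to obtain a bearer token.

    `service` is optional in the specification, so it is only included when the
    registry sent it; the query keys keep the order service, scope.
    """
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return f"{challenge['realm']}?{urlencode(query)}"


def requested_actions(challenge):
    """Actions the registry wants authorized, e.g. ['pull'] or ['pull', 'push']."""
    return parse_scope(challenge["scope"])[2]


if __name__ == "__main__":
    ch = parse_bearer_challenge(SAMPLE_CHALLENGE)
    print(ch)
    print(requested_actions(ch))
    print(build_token_request(ch))
```

The point for the original question: once token authentication is on, every pull of a private distribution goes through this exchange, and the token server decides on the basis of the caller’s roles whether to grant the `pull` action in the scope. With token authentication off there is no challenge and nothing to decide, which matches the behaviour reported earlier in the thread.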