Allow controlled anonymous access #279
Comments
|
This seems like a fair feature to me, but we have to be careful. First of all, how does a non-logged in user know which repos can be pulled ? I guess that you would say that a non-logged in user would get the url somehow (e.g. a logged in user passes this other user the url) and then pull it. But I'd say that it would be convenient to have the list of "open" repos somewhere accessible for non-logged in users. |
|
Yes, quite. It is the same problem that the official hub.docker.com registry has. How do you find public repos, without exposing private ones? The official registry handles it in 3 ways:
|
|
@deitch your second point hits the nail for me. I think that we should do like Docker Hub here: expose the search element even when the user is logged out. We already filter repos in the search feature, so this would work automatically when exposed for non-logged in users. Therefore:
|
|
I don't know if adding a 3rd level of access is the right choice. Why don't we add a global flag that makes 'public' namespaces readable also by users that are not logged into the registry? I also like the idea of having an "explore" feature. BTW, we have to double check registry actually allows not-logged users to complete a |
|
I would definitely utilize this feature in our use case. Actually I have created a very similar piece of software as Portus. I had more granular permission system (a pull/push permission could be given to a user or team to namespace or whole repository) and also anonymous users could browse the registry front-end and then pull the repositories, which were marked as public. In our case, this feature would be very desired due to different automated daemons (marathon+mesos), which could pull repositories without creating no special user for them (I know I can use portus user) or by hacking the raw requests. |
|
This is another feature that I'd like to see for the next release. In two steps:
I'd implement the first point for this release, and leave the second point for another time. For the first point I'm not sure how to proceed. We have these options:
@flavio I've checked registry, and you can pull without being logged in. The only thing that does not allow this from happening is Portus. However, if you want to push and you're not logged in, then Docker will ask for permissions. What do you think? |
|
@mssola I don't understand your point, I think because I don't get the alternate namespaces. I get public - open to everyone - and I get private - open to me and anyone I name as a member, depending on their access rights (pull, pull/push). What is the third value? When would we require a repo to be pulled by anyone logged in? If it is public, then I don't care who pulls it; if it is private, no one can pull except those I named. What is the use case for restricting it to anyone logged in? |
This is the current behavior of |
|
Oh, right. The way this is handled on github and docker hub is to set it to private, allow read-only access to a group named for your company, and then add users to that group. If you are running github enterprise inside your network, you can just keep it network segregated. Personally, I don't see the use for it, but I am not so narrow-minded as to believe I know all of the use cases (thankfully), and hoping I never will be! :-) |
|
Ok, after talking about it internally, we've decided that the best way to go is with the second point. This is the easiest way to go and it already provides what we need. The third option is the most flexible, but we don't have experiences with deployments with tons of users yet. Moreover, if there are tons of users in the system, other questions can be raised like: maybe adding users one by one is not the best option in this case, and we need to add members to a team in a more clever way (changing this would invalidate what I said in my previous comment). All in all, let's not anticipate and let's go for the safest option which is the second one :) |
|
My turn to disagree. I think having My $0.02 |
|
@deitch you've got a point :) So, let's go with the simpler approach (public means also for not signed-in users), and if the community requests for a "protected" approach we'll add it afterwards. |
|
To mention just one project, which uses this 3 level visibility, see Gitlab. |
Before this patch, a "public" namespace allowed pulls to any Portus user. However, it did not allow pull access to anonymous users. After this patch, the TokensController won't authenticate every user, but only those that have called the `docker login` command. From now on, it's up to each policy to allow/disallow anonymous users. In particular, the only one that allows access to anonymous users is the Namespace policy, and it only does it for pull requests. Fixes SUSE#279 Signed-off-by: Miquel Sabaté Solà <[email protected]>
|
@dohnto I'm aware that Gitlab does it :) However, it's easier for us to first give a simpler implementation and then add the "protected" visibility level later on if users request it (or if we decide that's worth giving it a shot :P). |
Before this patch, a "public" namespace allowed pulls to any Portus user. However, it did not allow pull access to anonymous users. After this patch, the TokensController won't authenticate every user, but only those that have called the `docker login` command. From now on, it's up to each policy to allow/disallow anonymous users. In particular, the only one that allows access to anonymous users is the Namespace policy, and it only does it for pull requests. Moreover, the UI toggles have now a title that tells the user that by making a namespace public, anyone will be able to pull. Fixes SUSE#279 Signed-off-by: Miquel Sabaté Solà <[email protected]>
Before this patch, a "public" namespace allowed pulls to any Portus user. However, it did not allow pull access to anonymous users. After this patch, the TokensController won't authenticate every user, but only those that have called the `docker login` command. From now on, it's up to each policy to allow/disallow anonymous users. In particular, the only one that allows access to anonymous users is the Namespace policy, and it only does it for pull requests. Moreover, the UI toggles have now a title that tells the user that by making a namespace public, anyone will be able to pull. Fixes SUSE#279 Signed-off-by: Miquel Sabaté Solà <[email protected]>
Before this patch, a "public" namespace allowed pulls to any Portus user. However, it did not allow pull access to anonymous users. After this patch, the TokensController won't authenticate every user, but only those that have called the `docker login` command. From now on, it's up to each policy to allow/disallow anonymous users. In particular, the only one that allows access to anonymous users is the Namespace policy, and it only does it for pull requests. Moreover, the UI toggles have now a title that tells the user that by making a namespace public, anyone will be able to pull. Fixes SUSE#279 Signed-off-by: Miquel Sabaté Solà <[email protected]>
|
@mssola, |
|
@diranged the original issue was to allow access to anonymous users. This is right now the behavior of There's an open issue for that: #606. It's inside of the milestone "Tentative for 2.1", which means that we will try to implement it if we've got time, otherwise it would have to wait for another release. Of course, you can step in :) The main thing is that we need to transition from the public/private policies being a boolean (both on the DB and on the UI), and implement this new policy. So, from the design point of view, I don't think there's much to discuss :) |
This is a split from #276
We want to have an option to allow anonymous pull access to a given namespace (and eventually repo). Right now we have 2 levels of access control per namespace:
We would need 3 levels
This also requires changes to the UI to control the level of openness at the namespace.
The text was updated successfully, but these errors were encountered: