project-zot / zot

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
https://zotregistry.dev
Apache License 2.0

[Feat]: Add placeholder in repositories for private user / group space #1149

Open Skiepp opened 1 year ago

Skiepp commented 1 year ago

Is your feature request related to a problem? Please describe.

If I want to give a user a private space based on the username, like a private space for "bob" and "bananaJoe", I have to list all the users in the zot config file (which isn't a scalable solution):

"accessControl": {
    "bob/*": {
      "policies": [{
        "users": ["bob"],
        "actions": ["read", "create", "update"]
      }],
      "defaultPolicy": []
    },
    "bananaJoe/*": {
      "policies": [{
        "users": ["bananaJoe"],
        "actions": ["read", "create", "update"]
       }],
      "defaultPolicy": []
    }, ...
}

Describe the solution you'd like

Implement a simple placeholder mechanism for the repository name (following the very important PR #1123 for issue #983). An example configuration would be:

"accessControl": {
    "$repository/*": {                 <----
      "policies": [{
        "users": ["$repository"],      <----
        "groups": ["$repository"],
        "actions": ["read", "create", "update"]
      }],
      "defaultPolicy": []
    },
    "public/*": {
      "policies": [],
      "defaultPolicy": ["read", "create", "update"]
     }, ...
}

In the example above we have the users:

The ACL would be:

Describe alternatives you've considered

An alternative configuration would be to create two specific placeholders for user and group, for example:

"accessControl": {
    "$user/*": {               <----
      "policies": [{
        "users": ["$user"],    <----
        "actions": ["read", "create", "update"]
      }],
      "defaultPolicy": []
    },
    "$group/*": {               <----
      "policies": [{
        "groups": ["$group"],   <----
        "actions": ["read", "create", "update"]
       }],
      "defaultPolicy": []
    },
    "public/*": {
      "policies": [],
      "defaultPolicy": ["read", "create", "update"]
     }, ...
}

Additional context

No response

rchincha commented 1 year ago

Thanks @Skiepp for filing the issue. We are looking at this.

aokirisaki commented 1 year ago

We are currently working on it, but we have encountered a problem: we cannot map the names of the users directly to the names of the repositories, as the repositories' names have restrictions in what characters they can contain, which do not apply to the users.
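Added example, written for this thread and not part of the issue text or of zot's own access-control code: a small Go evaluator for the placeholder-style accessControl proposed in the issue body, which also deals with the mapping problem raised in the last comment by refusing any user or group name that is not a valid OCI repository path component instead of normalising it. It assumes the `$user` / `$group` syntax from the alternative configuration, an `ns/*` wildcard that covers the namespace and everything below it, that `defaultPolicy` is the fallback for an authenticated user no policy names, and that a key written literally in the config shadows any placeholder key; the function names, the sample requests and the read-only variant of `public/*` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Shapes of the accessControl entries in the issue. The $user / $group
// placeholders are this thread's proposal, not a shipped zot feature; this
// evaluator is an illustration written for the thread, not zot's own code.
type Policy struct{ Users, Groups, Actions []string }
type RepoPolicy struct{ Policies []Policy; DefaultPolicy []string }
type AccessControl map[string]RepoPolicy // repository pattern -> policy
type Request struct{ User, Repo, Action string; Groups []string }

// Per-component repository-name grammar of the OCI Distribution Spec. A name
// that fails it cannot become a namespace (the mapping problem raised in the
// last comment), so such a name is given no placeholder binding at all.
var repoComponent = regexp.MustCompile(`^[a-z0-9]+(?:[._-][a-z0-9]+)*$`)

// bindings lists every way to fill the placeholders for req: $user once,
// $group once per group, plus the empty binding used for literal keys.
func bindings(req Request) []map[string]string {
	var out []map[string]string
	if repoComponent.MatchString(req.User) {
		out = append(out, map[string]string{"$user": req.User})
	}
	for _, g := range req.Groups {
		if repoComponent.MatchString(g) {
			out = append(out, map[string]string{"$group": g})
		}
	}
	return append(out, map[string]string{})
}

// substitute applies a binding; ok is false if a placeholder stays unbound.
func substitute(s string, b map[string]string) (string, bool) {
	for ph, v := range b {
		s = strings.ReplaceAll(s, ph, v)
	}
	return s, !strings.Contains(s, "$")
}

// matchRepo implements the "ns/*" wildcard used in the issue's examples.
func matchRepo(pattern, repo string) bool {
	if ns := strings.TrimSuffix(pattern, "/*"); ns != pattern {
		return repo == ns || strings.HasPrefix(repo, ns+"/")
	}
	return pattern == repo
}

// named reports whether some entry, read under binding b, equals one of
// among. With a nil binding it is a plain membership test.
func named(entries []string, b map[string]string, among []string) bool {
	for _, e := range entries {
		v, ok := substitute(e, b)
		for _, a := range among {
			if ok && v == a {
				return true
			}
		}
	}
	return false
}

// Allowed decides req. Assumed semantics: a literal key that matches the
// repository shadows every placeholder key, so a user registered as "public"
// cannot claim public/* through "$user/*"; a policy naming the user or one of
// their groups grants; otherwise a matching key's defaultPolicy is the fallback.
func Allowed(ac AccessControl, req Request) bool {
	literal := false
	for k := range ac {
		literal = literal || (!strings.Contains(k, "$") && matchRepo(k, req.Repo))
	}
	fallback := false
	for k, rp := range ac {
		if literal && strings.Contains(k, "$") {
			continue
		}
		for _, b := range bindings(req) {
			if c, ok := substitute(k, b); !ok || !matchRepo(c, req.Repo) {
				continue
			}
			for _, p := range rp.Policies {
				if named(p.Actions, nil, []string{req.Action}) &&
					(named(p.Users, b, []string{req.User}) || named(p.Groups, b, req.Groups)) {
					return true
				}
			}
			fallback = fallback || named(rp.DefaultPolicy, nil, []string{req.Action})
		}
	}
	return fallback
}

// exampleACL is the issue's alternative config, with public/* read-only for
// everyone except "ci" so that the shadowing rule has a visible effect.
func exampleACL() AccessControl {
	rw := []string{"read", "create", "update"}
	return AccessControl{
		"$user/*":  {Policies: []Policy{{Users: []string{"$user"}, Actions: rw}}},
		"$group/*": {Policies: []Policy{{Groups: []string{"$group"}, Actions: rw}}},
		"public/*": {Policies: []Policy{{Users: []string{"ci"}, Actions: rw}}, DefaultPolicy: []string{"read"}},
	}
}

func main() {
	ac := exampleACL()
	for _, r := range []Request{ // constructed sample requests
		{User: "bob", Groups: []string{"dev"}, Repo: "bob/app", Action: "create"},
		{User: "Bob", Repo: "bob/app", Action: "read"},
		{User: "public", Repo: "public/base", Action: "create"},
	} {
		fmt.Printf("%s on %s (%s): %v\n", r.User, r.Repo, r.Action, Allowed(ac, r))
	}
}
```

Two design points are worth keeping whatever the final implementation looks like. First, expansion of a placeholder must never be allowed to reach a namespace the configuration names literally: without the shadowing rule, a user who registers under the name `public` would have `$user/*` expand to `public/*` and gain create/update on a namespace the administrator meant to be shared read-only. Second, the character-set mismatch from the last comment is resolved by denying, not by rewriting: lowercasing `Bob` to make a valid namespace would silently grant `Bob` the repositories of the distinct user `bob`, so a name that is not already a valid repository component simply gets no private space until it is mapped by some explicit, collision-checked rule.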