pulp / pulp_container

Pulp Container Registry
https://docs.pulpproject.org/pulp_container/
GNU General Public License v2.0

Unclear documentation when not using token based authentication #1783

Open simenon opened 5 days ago

simenon commented 5 days ago

When disabling token authentication with TOKEN_AUTH_DISABLED=True, the manual at https://pulpproject.org/pulp_container/docs/admin/learn/authentication/#basic-authentication states that Basic authentication or Remote Webserver authentication is used as a default authentication method depending on a particular configuration.

Reading the Basic Authentication section, it says: All users are permitted to pull content from the Registry without any limitations because the concept of private repositories is not adopted once token authentication is disabled. But, only users with staff permissions are allowed to push content to the Registry.

The same goes for Remote Webserver Authentication: Similarly to basic authentication, all users can pull content from the Registry without limitations and only staff is allowed to push new content to the Registry.

However, the situation below fails, even if the user is staff:

pulp user create --username podman --password podmanpass --staff
{
  "pulp_href": "/pulp/api/v3/users/3/",
  "id": 3,
  "username": "podman",
  "first_name": "",
  "last_name": "",
  "email": "",
  "is_staff": true,
  "is_active": true,
  "date_joined": "2024-09-27T16:46:00.977241Z",
  "groups": [],
  "hidden_fields": [
    {
      "name": "password",
      "is_set": true
    }
  ]
}

pulp container namespace create --name foo
{
  "pulp_href": "/pulp/api/v3/pulp_container/namespaces/01923460-de26-7225-90ca-7a96031dc6af/",
  "pulp_created": "2024-09-27T16:46:56.550470Z",
  "pulp_last_updated": "2024-09-27T16:46:56.550480Z",
  "name": "foo"
}

pulp container namespace role add --name foo --user podman --role container.containernamespace_collaborator
{
  "users": [
    "podman"
  ],
  "groups": [],
  "role": "container.containernamespace_collaborator"
}

podman login localhost:8080 -u podman -p podmanpass
podman push localhost:8080/foo/ubi8:latest --remove-signatures
Copying blob 6d8497fe2023 [--------------------------------------] 8.0b / 202.5MiB | 4.5 KiB/s
Error: writing blob: initiating layer upload to /v2/foo/ubi8/blobs/uploads/ in localhost:8080: denied: Access to the requested resource is not authorized.

In a discussion on Element, ipanova mentioned that it should be super-user and not staff, hence making the documentation super confusing.

I suggest clarifying the documentation so that it mentions super-user instead of staff when not using token authentication, if you want to push images to the registry.
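To make the mismatch concrete, here is a constructed model of the two authorization paths the issue contrasts: with token auth, a namespace role decides who may push; with TOKEN_AUTH_DISABLED=True, only the superuser flag gates writes and is_staff is not consulted. This is an added example, not pulp_container's own code; the User class, authorize() and the request shape are assumptions, only the collaborator role name comes from the issue.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of the registry write check; NOT pulp_container code.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
PUSH_ROLES = {"container.containernamespace_collaborator"}  # role used in the issue
DENIED = "denied: Access to the requested resource is not authorized."


@dataclass
class User:
    username: str
    is_staff: bool = False
    is_superuser: bool = False
    # namespace name -> roles granted via `pulp container namespace role add`
    namespace_roles: dict = field(default_factory=dict)


def authorize(user, method, namespace, token_auth_disabled):
    """Return (allowed, reason) for a registry request against a namespace."""
    if token_auth_disabled:
        # Basic / remote-webserver auth: pulls are open to everyone and
        # per-namespace roles are ignored; only a superuser may write.
        if method in SAFE_METHODS:
            return True, "pull is open once token auth is disabled"
        if user.is_superuser:
            return True, "superuser may push"
        return False, DENIED  # is_staff alone is not enough here
    # Token auth (push decision only, pulls of private repos omitted):
    # the user's roles on the namespace decide.
    roles = user.namespace_roles.get(namespace, set())
    if user.is_superuser or PUSH_ROLES & roles:
        return True, "namespace role permits push"
    return False, DENIED


def reproduce_issue():
    """Evaluate the exact user/role setup from the issue in both modes."""
    podman = User("podman", is_staff=True,
                  namespace_roles={"foo": {"container.containernamespace_collaborator"}})
    admin = User("admin", is_staff=True, is_superuser=True)
    # `podman push localhost:8080/foo/ubi8` begins with POST /v2/foo/ubi8/blobs/uploads/
    return {
        "staff_collaborator_token_auth": authorize(podman, "POST", "foo", False)[0],
        "staff_collaborator_basic_auth": authorize(podman, "POST", "foo", True)[0],
        "superuser_basic_auth": authorize(admin, "POST", "foo", True)[0],
        "anonymous_pull_basic_auth": authorize(User("anon"), "GET", "foo", True)[0],
    }


if __name__ == "__main__":
    print(reproduce_issue())
```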

lubosmj commented 2 days ago

https://github.com/pulp/pulp_container/blob/1a8fe634dba25b6adacd17459da3be931e37ae74/pulp_container/app/token_verification.py#L191

lubosmj commented 2 days ago

Yes, we need to update the docs. Thanks for opening the issue.

ipanova commented 2 days ago

Seems like we just forgot to update the docs: https://github.com/pulp/pulp_container/pull/1110/files