Allow namespaces to be private

[lubosmj]

Add a private attribute to the namespace model. This could allow administrators to create just a namespace in advance, lock it for specific users, and permit the consumption from the namespace accordingly.

Some administrators do not want unauthenticated users to be able to pull the images by default.

https://discourse.pulpproject.org/t/container-pull-permission/1300

[ipanova]

I would not introduce another layer of privacy here. There is enough of flexibility to make a repo under namespace public or private + the rbac.

[lubosmj]

The issue here is that everyone can pull from a repository/distribution if it is not flagged as "private" because of this line:

pulp_container/pulp_container/app/viewsets.py

Lines 1242 to 1247 in 1075b43

	"action": ["pull"],
	"principal": "*",
	"effect": "allow",
	"condition_expression": [
	"not is_private",
	],

I was thinking about extending the "private" flag functionality to namespaces. This would allow administrators to create a protected namespace that can be initialized beforehand. Thus, only authenticated/authorized users can then pull content from it without further administrators' intervention.

[lubosmj]

Did you have something specific in your mind? Can you provide a complete example on how to prepare such a protected namespace from the administrator's perspective?

[ipanova]

Can you create instead beforehand a private distribution?

[lubosmj]

You can. But, imagine administrators doing this for 30 distributions at once instead of configuring it inside a single namespace. It is a bit cumbersome experience, is not it? This experience has been shared on the discourse thread I attached to the issue description.

[ipanova]

It is not ideal yes, but when you look from another side - where you need to selectively make public X repos public from the namespace it also brings level of inconvenience. Such level of flexibility and granularity always brings also inconveniences depending from which angle you will look.

If for the admin is important to have some distributions private, he can create those ahead. As I mentioned, I would not want to deal with situations when namespace is set to private, then another admin persona comes and makes a distribution public. First admin still thinks whole namespace is private but in reality it is not. The flag on the namespace is unreliable, because flag on the distribution overrides it.
The ultimate and single point of truth for the private/public pulls should stand on the distribution that represents the repo under the namespace

[lubosmj]

Hmm, you are right. Let this issue sit here for a while as I might think about it a bit more. I am tempted to close it.

[grzleadams]

I'm not sure why but even setting private=True for the distribution is allowing anonymous pull for us... is this working as intended, a bug, or am I missing something?

• Repository

  {                                                                                                                                                                                                                  
    "pulp_href": "/pulp/api/v3/repositories/container/container/01914704-4891-7642-b605-bc39e1e887ea/",
    "pulp_created": "2024-08-12T14:35:48.755427Z",                                                         
    "pulp_last_updated": "2024-08-12T14:35:48.803973Z",
    "versions_href": "/pulp/api/v3/repositories/container/container/01914704-4891-7642-b605-bc39e1e887ea/versions/",
    "pulp_labels": {},            
    "latest_version_href": "/pulp/api/v3/repositories/container/container/01914704-4891-7642-b605-bc39e1e887ea/versions/0/",
    "name": "container-local-mynamespace",                                                        
    "description": null,          
    "retain_repo_versions": null,                                                                          
    "remote": null,               
    "manifest_signing_service": null
  }                     
  

• Distribution

  {                                                                                                                                                                                                                  
    "pulp_created": "2024-08-12T14:37:24.905694Z",                                                                                                                                                                   
    "pulp_href": "/pulp/api/v3/distributions/container/container/01914705-c027-7809-a0d2-69270bc81ae3/",                                                                                                             
    "pulp_last_updated": "2024-08-12T14:37:24.905716Z",                                                                                                                                                              
    "pulp_labels": {},                                                                                                                                                                                               
    "content_guard": "/pulp/api/v3/contentguards/core/content_redirect/018e0a4d-6435-7171-9efa-caa9c7a279bd/",
    "name": "container-local-mynamespace",                                                        
    "hidden": false,                                                                                                                                                                                                 
    "repository": "/pulp/api/v3/repositories/container/container/01914704-4891-7642-b605-bc39e1e887ea/",                                                                                                             
    "base_path": "mynamespace",                                                                   
    "repository_version": null,                                                                                                                                                                                      
    "registry_path": "pulp.mydomain/mynamespace",                                                                                                                                           
    "remote": null,                               
    "namespace": "/pulp/api/v3/pulp_container/namespaces/01914705-bb15-7643-8a52-679bae7d9e5e/",
    "private": true,                                                                                       
    "description": null                                                                                    
  }                                     
  

• Namespace (auto-created during distribution creation)

  {                                                                                                        
    "pulp_href": "/pulp/api/v3/pulp_container/namespaces/01914705-bb15-7643-8a52-679bae7d9e5e/",
    "pulp_created": "2024-08-12T14:37:23.605751Z",                                                         
    "pulp_last_updated": "2024-08-12T14:37:23.605773Z",                                   
    "name": "mynamespace"                                                                         
  }                  
  

If an authenticated user does a push to pulp.mydomain/mynamespace/myimage:latest, unauthenticated users (i.e., no docker login pulp.mydomain) can pull pulp.mydomain/mynamespace/myimage:latest. Oddly, the image doesn't even appear in the repository:

$ pulp container repository content list --repository container-local-mynamespace
[]

Is it getting put in the default container-push repository by default? If so, why? A repository, distribution, and namespace all exist that correspond to the push, so I would expect the content to end up in the repository I created.

[grzleadams]

I should mention that I only added my above comment to this issue because it seemed directly related to namespace permissions... if you'd rather I open a new issue, just let me know.

Edit: I did see in the Discourse discussion that token auth being disabled makes Pulp ignore the RBAC, but we have TOKEN_AUTH_DISABLED = False in settings.py. So I'm not sure that's causing this.

Edit 2: I actually think I'm running into #1588 again, just from a different angle.

[grzleadams]

It is not ideal yes, but when you look from another side - where you need to selectively make public X repos public from the namespace it also brings level of inconvenience. Such level of flexibility and granularity always brings also inconveniences depending from which angle you will look.

If for the admin is important to have some distributions private, he can create those ahead. As I mentioned, I would not want to deal with situations when namespace is set to private, then another admin persona comes and makes a distribution public. First admin still thinks whole namespace is private but in reality it is not. The flag on the namespace is unreliable, because flag on the distribution overrides it. The ultimate and single point of truth for the private/public pulls should stand on the distribution that represents the repo under the namespace

For what it's worth, nested namespaces (as in #1588) would be a pretty clean solution to this problem, I think. To me, the problem is that "repository" and "distribution" refer to single images (with all their associated tags), which isn't really how people use registries. I want to be able to give a team unfettered control over some namespace while locking everyone else out (which is also what is requested in that Discourse). Then we don't have to make 30+ container images private and don't have to make the rest public.

[lubosmj]

Oddly, the image doesn't even appear in the repository:
$ pulp container repository content list --repository container-local-mynamespace
[]

The problem here is that repositories created during pushing fall into a different category. You can find them by using the --type push option when listing repositories. Though, I am unsure we implemented content listing.

[lubosmj]

If an authenticated user does a push to pulp.mydomain/mynamespace/myimage:latest, unauthenticated users (i.e., no docker login pulp.mydomain) can pull pulp.mydomain/mynamespace/myimage:latest.

Assuming you work with the same distribution as shown (i.e., having base_path equal to mynamespace), it looks like you attached a regular repository to the distribution here. Meaning that users SHOULD NOT be allowed to push content to it because the distribution serves content from the read-only repository.

https://discourse.pulpproject.org/t/pulp-container-how-are-push-repositories-supposed-to-work/1263/3?u=lubosmj

[lubosmj]

@grzleadams, once you flag a distribution as "private", users without permissions should not be allowed to pull images from it. If this is really what you experience, please, open a new ticket with a complete reproducer and the plugin version used.

[lubosmj]

@ipanova, I still think we should add this functionality. I guess it is more practical to give administrators an option to flag everything as private beforehand. Lacking the communication between the administrators might be worrisome. However, this worry can be extended to other concepts -> (1) one admin syncing repository vs another admin deleting the synced repository, (2) one admin updating distribution vs another admin reverting the update, etc.

[ipanova]

I am not against this feature extension. We just will need to make sure the flags on namespace and distribution are taken into account correctly.