Feature #8103

As an admin user, I should be able to provide access control for docker pull.

Added by Partha Aji over 7 years ago. Updated almost 4 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
Container
Target version:
Difficulty:
medium
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

At the present time any user can do something like
"
docker pull <FQDN>:5000/default_organization-docker_images-fedora
"
or other org/env/cv images and pull docker content. There is no mechanism to acl this based on user permissions/credentials. Need a way to address this.


Related issues

Blocks Katello - Tracker #7125: Docker Content Support (Ready For Testing)

History

#1 Updated by Partha Aji over 7 years ago

#2 Updated by Eric Helms over 7 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Need a way to acl off docker pull to As an admin user, I should be able to provide access control for docker pull.
  • Legacy Backlogs Release (now unused) set to 14
  • Triaged changed from No to Yes

#3 Updated by Eric Helms over 7 years ago

  • Legacy Backlogs Release (now unused) changed from 14 to 23

#4 Updated by Daniel Lobato Garcia over 7 years ago

I don't think you can prevent this from Foreman-Docker or Katello; the idea is that the Docker host connections are restricted to the Foreman host, so that you manage operations through it. That is a way to enforce Foreman authorization.

If we have the assumption the person creating the containers has access to the Docker host, our authorization model simply wouldn't work, but we never make such an assumption. Foreman users creating regular hosts don't have to have access to the Foreman host, the bare metal or the compute resources; it's up to Foreman to decide who can do what.

Unless I misunderstood this one, can we close it?

#5 Updated by Eric Helms over 7 years ago

  • Target version set to 66

#6 Updated by Eric Helms over 7 years ago

  • Target version changed from 66 to 67

#7 Updated by Eric Helms over 7 years ago

  • Target version changed from 67 to 68

#8 Updated by Eric Helms over 7 years ago

  • Legacy Backlogs Release (now unused) deleted (23)

#9 Updated by Partha Aji over 7 years ago

Intent at the present time is to protect Red Hat content, while not necessarily the custom content. That being said, the hosted does not have Red Hat content for docker images. This bug will be addressed at that point.

#10 Updated by Eric Helms about 7 years ago

  • Target version deleted (68)

#11 Updated by Eric Helms over 6 years ago

  • Legacy Backlogs Release (now unused) set to 114

#12 Updated by Thomas McKay about 4 years ago

  • Status changed from New to Duplicate

Will be covered by 22951

#13 Updated by Thomas McKay about 4 years ago

  • Legacy Backlogs Release (now unused) changed from 114 to 166
