Project

General

Profile

Actions

Feature #8103

closed

As an admin user, I should be able to provide access control for docker pull.

Added by Partha Aji almost 10 years ago. Updated about 6 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
Container
Target version:
Difficulty:
medium
Triaged:
Fixed in Releases:
Found in Releases:

Description

At the present time any user can do something like
"
docker pull <FQDN>:5000/default_organization-docker_images-fedora
"
or other org/env/cv images and pull docker content. There is no mechanism to acl this based on user permissions/credentials. Need a way to address this.


Related issues 1 (0 open1 closed)

Blocks Katello - Tracker #7125: Docker Content SupportClosedDavid Davis

Actions
Actions #1

Updated by Partha Aji almost 10 years ago

Actions #2

Updated by Eric Helms almost 10 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Need a way to acl off docker pull to As an admin user, I should be able to provide access control for docker pull.
  • Translation missing: en.field_release set to 14
  • Triaged changed from No to Yes
Actions #3

Updated by Eric Helms over 9 years ago

  • Translation missing: en.field_release changed from 14 to 23
Actions #4

Updated by Daniel Lobato Garcia over 9 years ago

I don't think you can prevent this from Foreman-Docker or Katello, the idea is that the Docker host connections are restricted to the Foreman host, so that you manage operations through it. That is a way to enforce Foreman authorization.

If we have the assumption the person creating the containers have access to the Docker host, our authorization model simply wouldn't work, but we never make such an assumption. Foreman users creating regular hosts don't have to have access to the Foreman host, the bare metal or the compute resources, it's up to Foreman to decide who can do what.

Unless I misunderstood this one, can we close it?

Actions #5

Updated by Eric Helms over 9 years ago

  • Target version set to 66
Actions #6

Updated by Eric Helms over 9 years ago

  • Target version changed from 66 to 67
Actions #7

Updated by Eric Helms over 9 years ago

  • Target version changed from 67 to 68
Actions #8

Updated by Eric Helms over 9 years ago

  • Translation missing: en.field_release deleted (23)
Actions #9

Updated by Partha Aji over 9 years ago

Intent at the present time is to protect redhat content, while not necessarily the custom content. That being said the hosted does not have redhat content for docker images. This bug will be addressed at that point..

Actions #10

Updated by Eric Helms over 9 years ago

  • Target version deleted (68)
Actions #11

Updated by Eric Helms over 8 years ago

  • Translation missing: en.field_release set to 114
Actions #12

Updated by Thomas McKay over 6 years ago

  • Status changed from New to Duplicate

Will be covered by 22951

Actions #13

Updated by Thomas McKay over 6 years ago

  • Translation missing: en.field_release changed from 114 to 166
Actions

Also available in: Atom PDF