Manage users
Create and manage teams
You can extend a user’s default permissions by adding the user to a team, which grants them permissions in other image repositories. A team defines the permissions a set of users have for a set of repositories.
To create a new team, go to the MSR web UI, and navigate to the Organizations page. Then click the organization where you want to create the team.
Navigate to the Teams tab, click the New team button, and give the team a name.
Add users to a team
Once you have created a team, click the team name to manage its settings. The first step is to add users to the team. Click the Add Member button and add users to the team.
Manage team permissions
The next step is to define the permissions this team has for a set of repositories. Navigate to the Repositories tab, and click the Add repository button.
Choose the repositories this team has access to, and what permission levels the team members have.
Three permission levels are available:
| Permission level | Description |
|---|---|
| Read only | View repository and pull images. |
| Read & Write | View repository, pull and push images. |
| Admin | Manage repository and change its settings, pull and push images. |
Delete a team
If you’re an organization owner, you can delete a team in that organization. Navigate to the Team, choose the Settings tab, and click Delete.
Create and manage organizations
When a user creates a repository, only that user has permissions to make changes to the repository.
For team workflows, where multiple users have permissions to manage a set of common repositories, create an organization. By default, MSR has one organization, called ‘docker-datacenter’, that is shared between MSR and MKE.
To create a new organization, navigate to the MSR web UI, and go to the Organizations page.
Click the New organization button, and choose a meaningful name for the organization.
Repositories owned by this organization will contain the organization name, so to pull an image from that repository, you’ll use:
docker pull <msr-domain-name>/<organization>/<repository>:<tag>
Click Save to create the organization, and then click the organization to define which users are allowed to manage this organization. These users will be able to edit the organization settings, edit all repositories owned by the organization, and define the user permissions for this organization.
For this, click the Add user button, select the users that you want to grant permissions to manage the organization, and click Save. Then change their permissions from ‘Member’ to Org Owner.
Permission levels
Mirantis Secure Registry allows you to define fine-grained permissions over image repositories.
Administrators
Users are shared across MKE and MSR. When you create a new user in Mirantis Kubernetes Engine, that user becomes available in MSR and vice versa. When you create a trusted admin in MSR, the admin has permissions to manage:
Users across MKE and MSR
MSR repositories and settings
MKE resources and settings
Team permission levels
With Teams you can define the repository permissions for a set of users (read, read-write, and admin).
| Repository operation | read | read-write | admin |
|---|---|---|---|
| View/browse | x | x | x |
| Pull | x | x | x |
| Push | | x | x |
| Start a scan | | x | x |
| Delete tags | | x | x |
| Edit description | | | x |
| Set public or private | | | x |
| Manage user access | | | x |
| Delete repository | | | x |
Note
Team permissions are additive. When a user is a member of multiple teams, they have the highest permission level defined by those teams.
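For an access review, the additive rule and the permission matrix can be modelled offline to see what each user can actually do once all team memberships are combined. The following is an added example, not part of the MSR documentation or product; the team, user and repository names are constructed sample data, and the operation labels (`push`, `delete-tag`, and so on) are shorthand chosen here for the rows of the table.

```python
# Added example: models the team permission matrix and the additive rule.
LEVELS = ["read", "read-write", "admin"]  # ordered lowest to highest

# Minimum level each repository operation requires (rows of the permission matrix).
REQUIRED = {
    "view": "read", "pull": "read",
    "push": "read-write", "scan": "read-write", "delete-tag": "read-write",
    "edit-description": "admin", "set-visibility": "admin",
    "manage-access": "admin", "delete-repository": "admin",
}

def effective_levels(teams):
    """Return {(user, repo): (highest level, [teams granting that level])}."""
    result = {}
    for team, cfg in teams.items():
        for user in cfg["members"]:
            for repo, level in cfg["repos"].items():
                best, sources = result.get((user, repo), (None, []))
                if best is None or LEVELS.index(level) > LEVELS.index(best):
                    result[(user, repo)] = (level, [team])  # higher grant wins
                elif level == best:
                    sources.append(team)  # second team granting the same level
    return result

def allowed(level, operation):
    """True if a user holding `level` may perform `operation`."""
    return LEVELS.index(level) >= LEVELS.index(REQUIRED[operation])

def review(teams, sensitive=("push", "delete-repository")):
    """List (user, repo, level, teams, ops) for users able to run sensitive operations."""
    findings = []
    for (user, repo), (level, sources) in sorted(effective_levels(teams).items()):
        ops = [op for op in sensitive if allowed(level, op)]
        if ops:
            findings.append((user, repo, level, sorted(sources), ops))
    return findings

TEAMS = {  # constructed sample data
    "qa":      {"members": ["alice", "bob"], "repos": {"acme/web": "read"}},
    "backend": {"members": ["alice"],
                "repos": {"acme/web": "read-write", "acme/api": "admin"}},
    "release": {"members": ["carol"], "repos": {"acme/web": "admin"}},
}

if __name__ == "__main__":
    for row in review(TEAMS):
        print(row)
```

Here `alice` is read-only on `acme/web` through `qa` but ends up with push rights through `backend`, which is the kind of stacking an access review should surface.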
Overall permissions
| Permission level | Description |
|---|---|
| Anonymous or unauthenticated Users | Can search and pull public repositories. |
| Authenticated Users | Can search and pull public repos, and create and manage their own repositories. |
| Team Member | Everything a user can do, plus the permissions granted by the team the user is a member of. |
| Organization Owner | Can manage repositories and teams for the organization. |
| Admin | Can manage anything across MKE and MSR. |