Manage users

Authentication and authorization in MSR

With MSR you get to control which users have access to your image repositories.

By default, anonymous users can only pull images from public repositories. They can’t create new repositories or push to existing ones. To give users more than this default, you grant permissions explicitly, which lets you enforce fine-grained access control over image repositories. For that:

  • Start by creating a user.

    Users are shared across MKE and MSR. When you create a new user in Mirantis Kubernetes Engine (MKE), that user becomes available in MSR and vice versa. Registered users can create and manage their own repositories.

    You can also integrate with an LDAP service to manage users from a single place.

  • Extend the permissions by adding the user to a team.

    To extend a user’s permission and manage their permissions over repositories, you add the user to a team. A team defines the permissions users have for a set of repositories.

Note

To monitor user login events, enable the auditAuthLogsEnabled setting through the /api/v0/meta/settings API endpoint. The -k flag in the command below skips TLS certificate verification; in production, verify the MSR certificate with --cacert instead of disabling the check:

curl -k -u admin:$TOKEN -X POST "https://host:port/api/v0/meta/settings" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d '{"auditAuthLogsEnabled": true}'

Organizations and teams

When a user creates a repository, only that user can make changes to the repository settings, and push new images to it.

Organizations take permission management one step further, since they allow multiple users to own and manage a common set of repositories. This is useful when implementing team workflows. With organizations you can delegate the management of a set of repositories and user permissions to the organization administrators.

An organization owns a set of repositories, and defines a set of teams. With teams you can define the fine-grained permissions that a team of users has for a set of repositories.

For example, suppose the ‘Whale’ organization has three repositories and two teams:

  • Members of the blog team can only see and pull images from the whale/java repository.

  • Members of the billing team can manage the whale/golang repository, and push and pull images from the whale/java repository.

Create and manage teams

You can extend a user’s default permissions, granting them individual permissions on other image repositories, by adding the user to a team. A team defines the permissions a set of users have for a set of repositories.

To create a new team, go to the MSR web UI, and navigate to the Organizations page. Then click the organization where you want to create the team.

Navigate to the Teams tab, click the New team button, and give the team a name.

Add users to a team

Once you have created a team, click the team name to manage its settings. The first thing to do is add users to the team: click the Add Member button and select the users to add.

Manage team permissions

The next step is to define the permissions this team has for a set of repositories. Navigate to the Repositories tab, and click the Add repository button.

Choose the repositories this team has access to, and what permission levels the team members have.

Three permission levels are available:

  • Read only: view the repository and pull images.

  • Read & Write: view the repository, pull and push images.

  • Admin: manage the repository and change its settings, pull and push images.

Delete a team

If you’re an organization owner, you can delete a team in that organization. Navigate to the Team, choose the Settings tab, and click Delete.

Create and manage organizations

When a user creates a repository, only that user has permissions to make changes to the repository.

For team workflows, where multiple users have permissions to manage a set of common repositories, create an organization. By default, MSR has one organization called ‘docker-datacenter’, that is shared between MSR and MKE.

To create a new organization, navigate to the MSR web UI, and go to the Organizations page.

Click the New organization button, and choose a meaningful name for the organization.

Repositories owned by this organization will contain the organization name, so to pull an image from that repository, you’ll use:

docker pull <msr-domain-name>/<organization>/<repository>:<tag>

Click Save to create the organization, and then click the organization to define which users are allowed to manage this organization. These users will be able to edit the organization settings, edit all repositories owned by the organization, and define the user permissions for this organization.

For this, click the Add user button, select the users that you want to grant permissions to manage the organization, and click Save. Then change their permissions from ‘Member’ to Org Owner.

Permission levels

Mirantis Secure Registry allows you to define fine-grained permissions over image repositories.

Administrators

Users are shared across MKE and MSR. When you create a new user in Mirantis Kubernetes Engine, that user becomes available in MSR and vice versa. When you create a trusted admin in MSR, the admin has permissions to manage:

  • Users across MKE and MSR

  • MSR repositories and settings

  • MKE resources and settings

Team permission levels

With teams you can define the repository permissions for a set of users (read, read-write, and admin). The table below lists which repository operations each level allows:

Repository operation       read    read-write    admin

View/browse                 x          x           x
Pull                        x          x           x
Push                                   x           x
Start a scan                           x           x
Delete tags                            x           x
Edit description                                   x
Set public or private                              x
Manage user access                                 x
Delete repository                                  x

Note

Team permissions are additive. When a user is a member of multiple teams, they have the highest permission level defined by those teams. A team grant can only raise a user’s access on a repository; adding the user to a more restrictive team does not take away what another team grants, so review all of a user’s team memberships when auditing who can push to or administer a repository.
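As an added illustration (this is not MSR’s own code), the following Python models the team permission matrix above, the additive rule in this note, and the ‘Whale’ organization from the Organizations and teams section. The operation names, the data structures, the user names, the org owner, and the third Whale repository (whale/nginx, assumed to be public) are assumptions made for the example; MSR enforces these rules server-side and this model only reproduces the documented outcomes.

```python
"""Toy model of the MSR repository permission rules described on this page.

Added illustration, not MSR code. Data structures, names and the third Whale
repository (whale/nginx, assumed public) are assumptions for the example.
"""
from dataclasses import dataclass

# Team permission levels in increasing order of privilege.
RANK = {"none": 0, "read": 1, "read-write": 2, "admin": 3}

# Minimum level each repository operation requires (the page's permission matrix).
REQUIRED = {
    "view": "read",
    "pull": "read",
    "push": "read-write",
    "start-scan": "read-write",
    "delete-tags": "read-write",
    "edit-description": "admin",
    "set-visibility": "admin",
    "manage-user-access": "admin",
    "delete-repository": "admin",
}


@dataclass
class Team:
    name: str
    members: frozenset
    grants: dict  # repository name -> "read" | "read-write" | "admin"


@dataclass
class Organization:
    name: str
    owners: frozenset
    teams: list
    public_repos: frozenset = frozenset()


def effective_level(org, user, repo):
    """Highest level `user` holds on `repo`.

    Org owners administer every repository the org owns; team grants are
    additive (the maximum wins); public repositories are readable by anyone,
    including the anonymous user (modelled here as None).
    """
    if user in org.owners:
        return "admin"
    levels = [team.grants.get(repo, "none")
              for team in org.teams if user in team.members]
    if repo in org.public_repos:
        levels.append("read")
    return max(levels, key=RANK.__getitem__, default="none")


def can(org, user, repo, operation):
    """True when the user's effective level meets the operation's requirement."""
    return RANK[effective_level(org, user, repo)] >= RANK[REQUIRED[operation]]


# Constructed sample mirroring the page's Whale organization: the blog team can
# only read whale/java; billing administers whale/golang and can push to whale/java.
# carol is in both teams, which exercises the additive rule.
WHALE = Organization(
    name="whale",
    owners=frozenset({"owner"}),
    teams=[
        Team("blog", frozenset({"alice", "carol"}), {"whale/java": "read"}),
        Team("billing", frozenset({"bob", "carol"}),
             {"whale/golang": "admin", "whale/java": "read-write"}),
    ],
    public_repos=frozenset({"whale/nginx"}),
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "owner", None):
        for repo in ("whale/java", "whale/golang", "whale/nginx"):
            level = effective_level(WHALE, user, repo)
            ops = [op for op in REQUIRED if can(WHALE, user, repo, op)]
            print(f"{str(user):6} {repo:13} {level:10} {', '.join(ops) or '-'}")
```

Running the block prints, for each user and repository, the effective level and the operations it permits; carol on whale/java comes out as read-write (the billing grant outranks the blog grant), and dave, who is in no team, can only read the public whale/nginx repository.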

Overall permissions

  • Anonymous or unauthenticated users: can search and pull public repositories.

  • Authenticated users: can search and pull public repositories, and create and manage their own repositories.

  • Team member: everything an authenticated user can do, plus the permissions granted by the teams the user is a member of.

  • Organization owner: can manage repositories and teams for the organization.

  • Admin: can manage anything across MKE and MSR.