Authentication and authorization

With MSR you can control which users have access to your image repositories.

Users

By default, anonymous users can only pull images from public repositories. They cannot create new repositories or push to existing ones. You can then grant permissions to enforce fine-grained access control to image repositories.

  1. Create a user.

    Registered users can create and manage their own repositories. You can also integrate with an LDAP service to manage users from a single place.

  2. Extend the permissions by adding the user to a team.

    To extend a user's permissions over repositories, and to manage those permissions, add the user to a team. A team defines the permissions users have for a set of repositories.

Note

To monitor user login events, set the auditAuthLogsEnabled parameter to true through the /api/v0/meta/settings API endpoint:

# -k skips TLS certificate verification; omit it when the client trusts the MSR certificate.
curl -k -u "admin:$TOKEN" -X POST "https://host:port/api/v0/meta/settings" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{"auditAuthLogsEnabled": true}'

Organizations and teams

When a user creates a repository, only that user can change the repository settings and push new images to it.

Organizations take permission management one step further by allowing multiple users to own and manage a common set of repositories. This is useful when implementing team workflows. With organizations you can delegate the management of a set of repositories and user permissions to the organization administrators.

An organization owns a set of repositories and defines a set of teams. With teams you can define the fine-grained permissions that a team of users has for a set of repositories.