Authentication and authorization
With MSR you can control which users have access to your image repositories.
Users
By default, anonymous users can only pull images from public repositories. They cannot create new repositories or push to existing ones. You can then grant permissions to enforce fine-grained access control to image repositories.
Create a user.
Registered users can create and manage their own repositories. You can also integrate with an LDAP service to manage users from a single place.
Extend the permissions by adding the user to a team.
To extend a user’s permissions over repositories, add the user to a team. A team defines the permissions users have for a set of repositories.
Note
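To monitor user login events, enable the auditAuthLogsEnabled parameter in the /settings API endpoint. The -k flag in the command below skips TLS certificate verification and is only needed when the client does not trust the MSR certificate: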
curl -k -u admin:$TOKEN -X POST "https://host:port/api/v0/meta/settings" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "{ \"auditAuthLogsEnabled\": true}"
Organizations and teams
When a user creates a repository, only that user can change the repository settings and push new images to it.
Organizations take permission management one step further by allowing multiple users to own and manage a common set of repositories. This is useful when implementing team workflows. With organizations you can delegate the management of a set of repositories and user permissions to the organization administrators.
An organization owns a set of repositories and defines a set of teams. With teams you can define fine-grained permissions that a team of users has for a set of repositories.
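The access rules described in the Users and Organizations and teams sections can be checked as a default-deny access matrix. The following is an added example, not MSR code: the action names, the permission level names, the rule that a team only grants access to repositories owned by its organization, and all sample users and repositories are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed action names and team permission levels (not enumerated on this page).
PULL, PUSH, MANAGE = "pull", "push", "manage"
LEVELS = {"read-only": {PULL}, "read-write": {PULL, PUSH},
          "admin": {PULL, PUSH, MANAGE}}

@dataclass
class Repo:
    name: str
    owner: str           # user or organization that owns the repository
    public: bool = False

@dataclass
class Team:
    org: str             # organization that defines the team
    members: set
    grants: dict = field(default_factory=dict)  # repo name -> permission level

def is_allowed(user, action, repo, teams=()):
    """Default-deny decision; user=None models an anonymous request."""
    allowed = set()
    if repo.public:
        allowed.add(PULL)            # anyone may pull from a public repository
    if user is None:
        return action in allowed     # anonymous: nothing beyond public pull
    if user == repo.owner:
        allowed |= LEVELS["admin"]   # the creator pushes and changes settings
    for team in teams:
        # Assumption: a team only grants access to its own organization's repos.
        if (user in team.members and team.org == repo.owner
                and repo.name in team.grants):
            allowed |= LEVELS[team.grants[repo.name]]
    return action in allowed

# Constructed sample data (hypothetical users, organization and repositories).
REPOS = {
    "alice/tools": Repo("alice/tools", owner="alice"),
    "web/frontend": Repo("web/frontend", owner="web"),
    "web/base": Repo("web/base", owner="web", public=True),
}
TEAMS = [Team(org="web", members={"bob"}, grants={"web/frontend": "read-write"})]

def access_matrix():
    """Return {(user, action, repo name): bool} for every combination."""
    return {(u, a, r): is_allowed(u, a, REPOS[r], TEAMS)
            for u in (None, "alice", "bob")
            for a in (PULL, PUSH, MANAGE) for r in REPOS}
```

Reviewing the full matrix, rather than individual grants, makes unintended access visible, for example a team grant that reaches a repository outside its organization.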