Bug 1404452

Summary: [RFE] provide role based access control (RBAC) to registry
Product: Red Hat Satellite Reporter: Toby Cardone <tcardone>
Component: Container Management - ContentAssignee: Tom McKay <tomckay>
Status: CLOSED WONTFIX QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2.5CC: bbuckingham, bkearney, tomckay
Target Milestone: UnspecifiedKeywords: FutureFeature
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-04 19:11:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Toby Cardone 2016-12-13 21:40:25 UTC 
Description of problem:

If you sync a container image in Satellite, it is published to a URL that can be accessed from any machine with connectivity to Satellite.  Even if the content view to which the machine is subscribed provides access to no Docker content, you can pull any container.  Although Satellite provides the ability to manage images through content views, there's no need to actually do so - you can simply access any container sync'd to Satellite.  

Version-Release number of selected component (if applicable):

Satellite 6.2.5

How reproducible:

Every time

Steps to Reproduce:
1.  Sync a container to Satellite
2.  Use the URL provided by Satellite to do a docker pull on any machine, regardless of whether or not that machine should have access to the content
3.

Actual results:

Container successfully pulls.  This could provide access to software not intended to run on a particular machine, access to data (or whatever else) in the container, etc.


Expected results:

This should function like all other Satellite content.  

If the content has not been promoted to the environment in which the machine is subscribed, no access should be allowed.

Additional info:
Comment 3 Tom McKay 2018-01-18 23:04:02 UTC 
Changing this to an RFE since crane, the service that provides the registry at :5000, has a limited RBAC system not associated with Sat-6 code at all.

https://docs.pulpproject.org/en/2.15/plugins/crane/index.html#user-authentication
Comment 4 Bryan Kearney 2018-09-04 18:59:54 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.
Comment 5 Bryan Kearney 2018-09-04 19:11:57 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.