Policies to Control Repository Access

You have fine-grained control over the operations that users are allowed to perform on repositories in Oracle Cloud Infrastructure Registry.

A user's permissions to access repositories come from the groups to which they belong. The permissions for a group are defined by identity policies. Policies define which actions the members of a group can perform. Users access repositories and perform operations based on the policies set for the groups they are members of. Identity policies to control repository access must be set at the tenancy level. See Details for Registry.

Before you can control access to repositories, you must have already created users and already placed them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control repository access (see Managing Policies).

Note that users in the tenancy's Administrators group can perform any operation on any repository in Oracle Cloud Infrastructure Registry that belongs to the tenancy.

Common Policies

Note

The policies in this section use example group names, as follows:

  • acme-viewers: A group that you want to limit to seeing a list of repositories in the tenancy.
  • acme-pullers: A group that you want to limit to pulling images.
  • acme-pushers: A group that you want to allow to push and pull images.
  • acme-managers: A group that you want to allow to push and pull images, delete repositories, and edit repository metadata (for example, to make a private repository public).

Make sure to replace the example group names with your own group names.

Enable users to view a list of all the repositories belonging to the tenancy

Type of access: Ability to see a list of all repositories in Oracle Cloud Infrastructure Registry belonging to the tenancy. Users will not be able to:

  • view the images or layers in a repository
  • push images to, or pull images from, a repository

Note that there is currently no way to restrict the repositories shown on the Registry page in the Console.

Where to create the policy: In the tenancy.

Allow group acme-viewers to inspect repos in tenancy

Enable users to pull images from any repository belonging to the tenancy

Type of access: Ability to pull images (layers and manifests) from any repository in Oracle Cloud Infrastructure Registry that belongs to the tenancy.

Where to create the policy: In the tenancy.

Allow group acme-pullers to read repos in tenancy

Enable users to pull images from specific repositories

Type of access: Ability to pull images (layers and manifests) from any repository in Oracle Cloud Infrastructure Registry that belongs to the tenancy and that has a name starting with "acme-web-app".

Where to create the policy: In the tenancy.

Allow group acme-pullers to read repos in tenancy where all { target.repo.name=/acme-web-app*/ }

Enable users to push images to any repository (and create new repositories if necessary)

Type of access: Ability to push images (layers and manifests) to any repository in Oracle Cloud Infrastructure Registry that belongs to the tenancy. If a repository with the same name as the image doesn't exist yet, the REPOSITORY_CREATE permission ensures users are able to create the repository when they push the image.

Where to create the policy: In the tenancy.

Allow group acme-pushers to use repos in tenancy
Allow group acme-pushers to manage repos in tenancy where ANY {request.permission = 'REPOSITORY_CREATE', request.permission = 'REPOSITORY_UPDATE'}

Enable managers to perform any operation on any repository belonging to the tenancy

Type of access: Ability to perform any operation on any repository in Oracle Cloud Infrastructure Registry that belongs to the tenancy, including:

  • pull an image from any repository
  • push an image to any repository
  • create a new repository (either an empty repository, or when pushing an image for which no repository exists yet)
  • delete a repository
  • change a public repository to a private repository, or a private repository to a public repository

Where to create the policy: In the tenancy.

Allow group acme-managers to manage repos in tenancy
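To check that a set of statements like the ones above grants each group only what it should, the following added example (not Oracle's code or tooling) parses the statement shapes used in this section and answers "does group G hold permission P on repository R?". It assumes the cumulative verb-to-permission mapping in VERB_PERMISSIONS (inspect < read < use < manage); only REPOSITORY_CREATE and REPOSITORY_UPDATE are named on this page, the other permission names are assumptions, and `*` in a `target.repo.name` pattern is treated as a wildcard.

```python
import re
from fnmatch import fnmatchcase

# Assumed cumulative verb -> permission mapping for the "repos" resource type
# (inspect < read < use < manage). Only REPOSITORY_CREATE and REPOSITORY_UPDATE
# appear on the page; the other permission names are assumptions.
VERB_PERMISSIONS = {
    "inspect": {"REPOSITORY_INSPECT"},
    "read": {"REPOSITORY_INSPECT", "REPOSITORY_READ"},
    "use": {"REPOSITORY_INSPECT", "REPOSITORY_READ", "REPOSITORY_UPDATE"},
    "manage": {"REPOSITORY_INSPECT", "REPOSITORY_READ", "REPOSITORY_UPDATE",
               "REPOSITORY_CREATE", "REPOSITORY_DELETE"},
}

# Matches "Allow group <g> to <verb> repos in tenancy [where all|any { ... }]".
STATEMENT_RE = re.compile(
    r"allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) repos "
    r"in tenancy(?:\s+where\s+(?P<mode>all|any)?\s*\{(?P<body>[^}]*)\})?\s*$",
    re.IGNORECASE)

def parse_statement(stmt):
    """Split one policy statement into group, verb, combining mode and conditions."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        raise ValueError("unsupported statement: " + stmt)
    conds = []
    for clause in filter(None, (c.strip() for c in (m["body"] or "").split(","))):
        if repo := re.fullmatch(r"target\.repo\.name\s*=\s*/(.*)/", clause):
            conds.append(("repo", repo[1]))      # '*' matches any run of characters
        elif perm := re.fullmatch(r"request\.permission\s*=\s*'([A-Z_]+)'", clause):
            conds.append(("perm", perm[1]))
        else:
            raise ValueError("unsupported condition: " + clause)
    return {"group": m["group"], "verb": m["verb"].lower(),
            "mode": (m["mode"] or "all").lower(), "conds": conds}

def is_allowed(statements, group, permission, repo_name):
    """True if any statement grants `permission` on `repo_name` to `group`."""
    for stmt in statements:
        p = parse_statement(stmt)
        if p["group"] != group or permission not in VERB_PERMISSIONS[p["verb"]]:
            continue
        hits = [fnmatchcase(repo_name, v) if kind == "repo" else permission == v
                for kind, v in p["conds"]]
        combine = all if p["mode"] == "all" else any
        if not hits or combine(hits):      # no where-clause means unconditional
            return True
    return False
```

Running it over the statements in this section shows, for instance, that acme-pullers can pull from acme-web-app-frontend but not from a repository named internal-tools, and that acme-pushers can create but not delete repositories.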