mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00

docs: update example documentation to use the current authz structure (#2039)

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Andrei Aaron 2023-11-13 19:59:02 +02:00 committed by GitHub
parent 38f10af8cf
commit b2a9239c03
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -551,6 +551,7 @@ Should authentication fail, to prevent automated attacks, a delayed response can
Allowing actions on one or more repository paths can be tied to user
identities. Two additional per-repository policies can be specified for identities not in the whitelist:
- anonymousPolicy - applied for unathenticated users.
- defaultPolicy - applied for authenticated users.
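Review bot: The anonymousPolicy bullet in this hunk reads "applied for unathenticated users"; since this paragraph is being touched, correct it to "unauthenticated". The text also presents both policies as optional ("can be specified") without saying what an identity outside the whitelist gets when neither is set for a repository. One sentence stating that outcome would help anyone reviewing a config for unintended access.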
@ -570,17 +571,28 @@ because it will be longer. So that's why we have the option to specify an adminP
Basically '**' means repositories not matched by any other per-repository policy.
Method-based action list:
- "read" - list/pull images
- "create" - push images (needs "read")
- "update" - overwrite tags (needs "read" and "create")
- "delete" - delete images (needs "read")
Behaviour-based action list
- "detectManifestCollision" - delete manifest by digest will throw an error if multiple manifests have the same digest (needs "read" and "delete")
```
```json
"accessControl": {
"groups": { # reusable groups of users
"group1": {
"users": ["jack", "john", "jane", "ana"]
},
"group2": {
"users": ["alice", "mike", "jim"]
}
},
"repositories": { # per-repository policies
"**": { # matches all repos (which are not matched by any other per-repository policy)
"policies": [ # user based policies
{
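Review bot: The example fence is now tagged json, but the body carries # comments on the "groups", "repositories", "**" and "policies" lines, which JSON does not allow, so the block will fail to parse if copied into a config file as shown. Either move those explanations into the prose above the block, or add a line next to the example saying the # annotations must be stripped before use.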
@ -611,6 +623,7 @@ Behaviour-based action list
"policies": [
{
"users": ["bob"],
"groups": ["group1"],
"actions": ["read", "create"]
},
{
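Review bot: The policy entry that lists both "users": ["bob"] and "groups": ["group1"] does not say how the two keys combine. Document whether the actions are granted to bob plus every member of group1, or only to bob when he is also in group1, since the two readings give very different access and the example alone does not settle it.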
@ -619,6 +632,7 @@ Behaviour-based action list
}
],
"defaultPolicy": ["read"]
}
},
"adminPolicy": { # global admin policy (overrides per-repo policy)
"users": ["admin"],