Bug Report or request for assistance: I'm trying to implement a private docker registry in my organization and need multi-tenancy within my registry. Group A has access to their containers, but not Group B's for example.
The documentation implies that I can do this via Content Selectors, which can be used to grant access to the results of a query, kinda like a view. I've had some success, but have run into what looks like a bug.
:5000
path =~ ".*spark.*"
The preview of the query outputs the expected result.
Now I try docker login. I get a 403 Forbidden.
If I grant my test user the nx-repository-view-docker-*-read role, the test user can docker login to the registry and see ALL containers. (probably intentional)
The Content selector isn't limiting the access though.
HOWEVER, if I remove the nx-repository-view-docker-*-read role after a successful docker login, and leave the content selector role, the content view DOES work as intended.
Not really a workable solution, but very interesting in terms of what might be missing/bugged.
Any ideas? Am I simply doing it wrong? I found one post that indicated that the official answer is to create multiple registries on separate ports and permission them that way. Workable, but not ideal.
Short answer:
Try format == "docker" && ( path == "/v2/" || path =~ ".*spark.*" ).
Explanation:
As you noticed the problem is the docker login. This command does not work if path == "/v2/" is not specified in the content selector. This does not grant access to any containers but to the registry itself, so adding it will allow you to login. Other than that your content selector should work as expected. That's it!
Unfortunately this is not included in the documentation so far.
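To make the difference between the two selectors concrete, here is a small added example (not code from this thread or from Nexus itself) that models the asker's original selector and the answer's selector as plain predicates and runs them over a constructed set of Docker Registry HTTP API v2 request paths. The model assumes that `=~` is a full regex match and that the selector sees the request path; the only Nexus behaviour it relies on is what the answer states, namely that docker login requests `/v2/` and is refused (403) when the selector does not match it. The image names (`spark-jobs`, `billing-api`) and the Maven path are made up for the demonstration.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed sample of requests as a content selector would see them:
# (repository format, request path). docker login performs GET /v2/;
# pulls hit /v2/<name>/manifests/<ref> and /v2/<name>/blobs/<digest>.
SAMPLE_REQUESTS: Dict[str, Tuple[str, str]] = {
    "docker login":          ("docker", "/v2/"),
    "pull group A manifest": ("docker", "/v2/spark-jobs/manifests/latest"),
    "pull group A blob":     ("docker", "/v2/spark-jobs/blobs/sha256:0123"),
    "pull group B manifest": ("docker", "/v2/billing-api/manifests/latest"),
    "maven artifact":        ("maven2", "/org/example/spark/1.0/spark-1.0.jar"),
}

TENANT_REGEX = ".*spark.*"   # the regex used in the thread


def asker_selector(fmt: str, path: str) -> bool:
    """The asker's original selector:  path =~ ".*spark.*"
    Assumption: =~ is modelled as a full regex match."""
    return re.fullmatch(TENANT_REGEX, path) is not None


def answer_selector(fmt: str, path: str) -> bool:
    """The answer's selector:
    format == "docker" && ( path == "/v2/" || path =~ ".*spark.*" )"""
    if fmt != "docker":
        return False
    return path == "/v2/" or re.fullmatch(TENANT_REGEX, path) is not None


def evaluate(selector: Callable[[str, str], bool]) -> Dict[str, bool]:
    """Apply a selector to every sample request; True means the request
    would be permitted, False means the registry would answer 403."""
    return {name: selector(fmt, path) for name, (fmt, path) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, selector in (("asker's selector", asker_selector),
                            ("answer's selector", answer_selector)):
        print(label)
        for name, allowed in evaluate(selector).items():
            print(f"  {name:24s} {'allowed' if allowed else 'denied (403)'}")
```

Running it shows the two points the answer makes: with the original selector the `/v2/` login probe is denied, so docker login fails before any image is touched; with the answer's selector the login succeeds while group B's image stays denied. The added `format == "docker"` clause also matters: without it, the bare regex would match a Maven path containing "spark", which is outside the registry the user is meant to see.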