app/registry: allow anonymous pull access and temporary vms/ push access
diff --git a/app/registry/prod.jsonnet b/app/registry/prod.jsonnet
index 65b2413..a7e1f5e 100644
--- a/app/registry/prod.jsonnet
+++ b/app/registry/prod.jsonnet
@@ -144,8 +144,16 @@
token_db: "/data/oauth2_tokens.ldb",
registry_url: "https://registry.k0.hswaw.net",
},
+ users: {
+ [""]: {}, // '' user are anonymous users.
+ },
acl: [
{
+ match: {account: "/(q3k|inf)/", name: "vms/*"},
+ actions: ["*"],
+ comment: "q3k and inf can mange 'vms' docker images",
+ },
+ {
match: {account: "/.+/", name: "${account}/*"},
actions: ["*"],
comment: "Logged in users have full access to images that are in their 'namespace'",
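Review bot: The account pattern `/(q3k|inf)/` on the new `vms/*` rule has no anchors, so if the auth server evaluates `/…/` patterns as unanchored regular expressions, any account name that merely contains `q3k` or `inf` would receive `actions: ["*"]` on `vms/*`. Anchoring the pattern makes the intent explicit whatever the matcher does: `match: {account: "/^(q3k|inf)$/", name: "vms/*"},`. The commit title calls this push access temporary, but nothing next to the rule records that, so a short `// TODO: temporary, remove once <condition>` comment above it would help keep the grant from becoming permanent. The comment string also has a typo (`mange` for `manage`).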
@@ -156,9 +164,9 @@
comment: "Logged in users can query the catalog.",
},
{
- match: {account: "/.+/"},
+ match: {account: ""},
actions: ["pull"],
- comment: "Logged in users can pull all images.",
+ comment: "Anyone can pull all images.",
},
],
}),
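Review bot: The rewritten pull rule matches only `account: ""`, while its comment says "Anyone can pull all images"; if the matcher compares the account literally, authenticated users no longer match this rule and lose pull access outside their own namespace. If that is not intended, either keep the previous `match: {account: "/.+/"}` rule alongside the anonymous one or omit the `account` key, to be confirmed against the auth server's matching rules. Separately, anonymous pull now covers every repository, including per-user namespaces and `vms/*`, so any image that embeds credentials or internal configuration becomes publicly readable; adding a `name` pattern that limits the anonymous rule to intentionally public repositories would narrow that exposure. The ACL list begins outside this hunk, so earlier rules may already cover part of this.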