Details for Registry
This topic covers details for writing policies to control access to the Registry.
Resource-Types
repos
Supported Variables
Oracle Cloud Infrastructure Registry supports all the general variables (see General Variables for All Requests), plus the ones listed here.
The repos resource-type can use the following variables:
Variable | Variable Type | Comments |
---|---|---|
target.repo.name | String | Use this variable to control access to specific repositories. For an example policy, see Policies to Control Repository Access. |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the repos resource-type includes the same permissions and API operations as the inspect verb, plus the REPOSITORY_READ permission and a number of API operations (e.g., ReadDockerRepositoryMetadata, etc.). The use verb covers still another permission and API operation compared to read. Lastly, manage covers more permissions and operations compared to use.
Note the Registry API is not currently available.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | REPOSITORY_INSPECT | | none |
read | INSPECT + REPOSITORY_READ | INSPECT + | none |
use | no extra | no extra | none |
manage | USE + REPOSITORY_CREATE, REPOSITORY_DELETE, REPOSITORY_UPDATE, REPOSITORY_MANAGE | USE + | none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type.
Note the Registry API is not currently available.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
ListDockerRepositories | REPOSITORY_INSPECT |
ListDockerRepositoryManifests | REPOSITORY_INSPECT |
ReadDockerRepositoryMetadata | REPOSITORY_READ |
ReadDockerRepositoryManifest | REPOSITORY_READ |
CreateDockerRepository | REPOSITORY_CREATE |
DeleteDockerRepository | REPOSITORY_DELETE |
DeleteDockerRepositoryContents | REPOSITORY_UPDATE |
UpdateDockerRepositoryMetadata | REPOSITORY_MANAGE |
UploadDockerImage | REPOSITORY_UPDATE + REPOSITORY_CREATE |
DeleteDockerImage | REPOSITORY_UPDATE |
DeleteDockerLayer | REPOSITORY_UPDATE |
PullDockerLayer | REPOSITORY_READ |
UploadDockerLayer | REPOSITORY_UPDATE + REPOSITORY_CREATE |
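The following is an added example, not part of the original page or Oracle's own code: a least-privilege check that combines the verb table and the operations table, computing the lowest verb that covers a set of operations and flagging policy statements that grant a higher one. Only a subset of the operations is transcribed, and the group names, sample statements and per-group needs are constructed for illustration.

```python
import re
VERBS = ["inspect", "read", "use", "manage"]  # cumulative, lowest first
# Permissions each verb adds, transcribed from the verb table on this page.
ADDED = {
    "inspect": {"REPOSITORY_INSPECT"},
    "read": {"REPOSITORY_READ"},
    "use": set(),  # "no extra" in the table
    "manage": {"REPOSITORY_CREATE", "REPOSITORY_DELETE",
               "REPOSITORY_UPDATE", "REPOSITORY_MANAGE"},
}
# Required permissions for a subset of operations, from the operations table.
REQUIRED = {
    "ListDockerRepositories": {"REPOSITORY_INSPECT"},
    "ReadDockerRepositoryManifest": {"REPOSITORY_READ"},
    "PullDockerLayer": {"REPOSITORY_READ"},
    "UploadDockerLayer": {"REPOSITORY_UPDATE", "REPOSITORY_CREATE"},
    "UploadDockerImage": {"REPOSITORY_UPDATE", "REPOSITORY_CREATE"},
    "DeleteDockerImage": {"REPOSITORY_UPDATE"},
}
STATEMENT = re.compile(r"allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+repos\s+in\s", re.I)

def verb_permissions(verb):
    """Cumulative permissions of a verb: its own plus every lower verb's."""
    return set().union(*(ADDED[v] for v in VERBS[:VERBS.index(verb) + 1]))

def minimum_verb(operations):
    """Lowest verb whose cumulative permissions cover all the operations."""
    needed = set().union(*(REQUIRED[op] for op in operations))
    return next(v for v in VERBS if needed <= verb_permissions(v))

def audit(statements, needs):
    """Return (group, granted, sufficient) for grants above a group's needs."""
    findings = []
    for m in filter(None, map(STATEMENT.match, statements)):
        group, granted = m.group(1), m.group(2).lower()
        sufficient = minimum_verb(needs.get(group, []))
        if VERBS.index(granted) > VERBS.index(sufficient):
            findings.append((group, granted, sufficient))
    return findings

# Constructed sample input: group names and needs are hypothetical.
POLICY = [
    "Allow group ci-pullers to manage repos in tenancy",
    "Allow group release-pushers to manage repos in tenancy",
    "Allow group auditors to read repos in tenancy",
]
NEEDS = {"ci-pullers": ["ReadDockerRepositoryManifest", "PullDockerLayer"],
         "release-pushers": ["UploadDockerLayer", "UploadDockerImage"],
         "auditors": ["ListDockerRepositories"]}
```

Calling `audit(POLICY, NEEDS)` reports the pull-only and list-only groups as over-granted, while the push group is not flagged because, per the tables above, uploads need permissions that only manage carries.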