Details for Registry

This topic covers details for writing policies to control access to the Registry.

Resource-Types

repos

Supported Variables

Oracle Cloud Infrastructure Registry supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The repos resource-type can use the following variables:


Variable	Variable Type	Comments
`target.repo.name`	String	Use this variable to control access to specific repositories. For an example policy, see Policies to Control Repository Access.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the repos resource-type includes the same permissions and API operations as the inspect verb, plus the REPOSITORY_READ permission and a number of API operations (e.g., ReadDockerRepositoryMetadata, etc.). The use verb covers still another permission and API operation compared to read. Lastly, manage covers more permissions and operations compared to use.

Note the Registry API is not currently available.

repos


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	REPOSITORY_INSPECT	`ListDockerRepositories` `ListDockerRepositoryManifests`	none
read	INSPECT + REPOSITORY_READ	INSPECT + `ReadDockerRepositoryMetadata` `ReadDockerRepositoryManifest` `PullDockerLayer`	none
use	no extra	no extra	none
manage	USE + REPOSITORY_CREATE REPOSITORY_DELETE REPOSITORY_UPDATE REPOSITORY_MANAGE	USE + `CreateDockerRepository` `DeleteDockerRepository` `UploadDockerImage` `DeleteDockerImage` `DeleteDockerLayer` `UpdateDockerRepositoryMetadata`	none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.