Details for Container Registry
This topic covers details for writing policies to control access to Oracle Cloud Infrastructure Registry (also known as Container Registry).
Resource-Types
repos
Note that repos
covers all Container Registry resources, namely repositories, images, and image signatures.
Supported Variables
Oracle Cloud Infrastructure Registry supports all the general variables (see General Variables for All Requests), plus the ones listed here.
The repos
resource-type can use the following variables:
Variable | Variable Type | Comments |
---|---|---|
target.repo.name
|
String | Use this variable to control access to specific repositories. For an example policy, see Policies to Control Repository Access. |
When authorizing an API operation to access a Container Registry resource using a tag specified by the target.resource.tag
policy variable, you must apply the tag to a resource appropriate for the API operation:
API | Can you apply a tag to a resource to authorize access? | If yes, which resource |
---|---|---|
ListContainerRepositories |
No | None |
ListContainerImages |
No | None |
ListContainerImageSignatures |
No | None |
GetContainerConfiguration |
No | None |
GetContainerRepository |
Yes | Repository |
GetContainerImage |
Yes | Image |
GetContainerImageSignature |
Yes | Image signature |
CreateContainerRepository |
No | None |
DeleteContainerRepository |
Yes | Repository |
UpdateContainerImage |
Yes | Image |
DeleteContainerImage |
Yes | Image |
RestoreContainerImage |
Yes | Image |
CreateContainerImageSignature |
No | None |
UpdateContainerImageSignature |
Yes | Image signature |
DeleteContainerImageSignature |
Yes | Image signature |
RemoveContainerVersion |
Yes | Image |
UpdateContainerRepository |
Yes | Repository |
ChangeContainerRepositoryCompartment |
Yes | Repository |
UpdateContainerConfiguration |
No | None |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect
> read
> use
> manage
. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read
verb for the repos
resource-type
includes the same permissions and API operations as the inspect
verb,
plus the REPOSITORY_READ permission and a number of API operations (e.g.,
GetContainerRepository
, etc.). The use
verb covers
still another permission and API operation compared to read
. Lastly,
manage
covers more permissions and operations compared to
use
.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
REPOSITORY_INSPECT |
|
none |
read |
INSPECT + REPOSITORY_READ |
|
none |
use |
no extra |
none |
|
manage |
USE + REPOSITORY_CREATE REPOSITORY_DELETE REPOSITORY_UPDATE REPOSITORY_MANAGE |
|
none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
ListContainerRepositories |
REPOSITORY_INSPECT |
CreateContainerRepository |
REPOSITORY_CREATE |
GetContainerRepository |
REPOSITORY_READ |
UpdateContainerRepository |
REPOSITORY_MANAGE |
DeleteContainerRepository |
REPOSITORY_DELETE |
ChangeContainerRepositoryCompartment |
REPOSITORY_MANAGE |
ListContainerImages |
REPOSITORY_INSPECT |
GetContainerImage |
REPOSITORY_READ |
UpdateContainerImage |
REPOSITORY_UPDATE |
DeleteContainerImage |
REPOSITORY_UPDATE |
RestoreContainerImage |
REPOSITORY_UPDATE |
RemoveContainerVersion |
REPOSITORY_UPDATE |
ListContainerImageSignatures |
REPOSITORY_INSPECT |
GetContainerImageSignature |
REPOSITORY_READ |
CreateContainerImageSignature |
REPOSITORY_UPDATE |
UpdateContainerImageSignature |
REPOSITORY_UPDATE |
DeleteContainerImageSignature |
REPOSITORY_UPDATE |
GetContainerConfiguration |
REPOSITORY_INSPECT |
UpdateContainerConfiguration |
REPOSITORY_MANAGE |