Bug Report or request for assistance: I'm trying to implement a private docker registry in my organization and need multi-tenancy within my registry. Group A has access to their containers, but not Group B's for example.
The documentation implies that I can do this via Content Selectors, which can be used to grant access to the results of a query, kinda like a view. I've had some success, but have run into what looks like a bug.
- I have a registry created on `:5000`.
- Anonymous access is turned off.
- I create a test user.
- I create a content selector that should restrict access to containers with "spark" in the name.
path =~ ".*spark.*"
The preview of the query outputs the expected result.
Now I try `docker login`. I get a 403 Forbidden.
If I grant my test user the `nx-repository-view-docker-*-read` role, the test user can `docker login` to the registry and see ALL containers. (probably intentional)
The Content selector isn't limiting the access though.
HOWEVER, if I remove the `nx-repository-view-docker-*-read` role after a successful `docker login`, and leave the content selector role, the content view DOES work as intended.
Not really a workable solution, but very interesting in terms of what might be missing/bugged.
Any ideas? Am I simply doing it wrong? I found one post that indicated that the official answer is to create multiple registries on separate ports and permission them that way. Workable, but not ideal.