
Pull through cache permissions do not allow pulling images #1624

Closed
PotentialIngenuity opened this issue May 16, 2024 · 6 comments · Fixed by #1659
Assignees
Labels
Docs Improvements or additions to documentation Issue

Comments

@PotentialIngenuity

Version
pulp-core: 3.53.0
pulp-container: 2.20.0

Describe the bug
I created a new user so that I could log in and pull images from a pull-through cache. This is needed because of this bug.

Here is the distribution

http --verify false GET https://localhost/pulp/api/v3/distributions/container/pull-through/
{
    "count": 1,
    "next": null,
    "previous": null,
    "results": [
        {
            "base_path": "docker-cache",
            "content_guard": "/pulp/api/v3/contentguards/core/content_redirect/018f7de4-6427-788e-bbe1-e706ea9bafda/",
            "description": null,
            "distributions": [
                "/pulp/api/v3/distributions/container/container/018f8242-3015-7a52-9c53-8c232c366993/"
            ],
            "hidden": false,
            "name": "docker-cache",
            "namespace": "/pulp/api/v3/pulp_container/namespaces/018f8241-b946-70d0-a523-76ce20008d76/",
            "private": false,
            "pulp_created": "2024-05-16T16:34:57.695232Z",
            "pulp_href": "/pulp/api/v3/distributions/container/pull-through/018f8241-be1b-727a-828e-64abd150ac70/",
            "pulp_labels": {},
            "pulp_last_updated": "2024-05-16T16:34:57.695273Z",
            "remote": "/pulp/api/v3/remotes/container/pull-through/018f7dd7-d833-7757-9056-a7d216dd3392/",
            "repository": null
        }
    ]
}

The distribution shows the role and user have been applied.

http --verify false GET https://localhost/pulp/api/v3/distributions/container/pull-through/018f8241-be1b-727a-828e-64abd150ac70/list_roles/
{
    "roles": [
        {
            "groups": [],
            "role": "container.containerpullthroughdistribution_owner",
            "users": [
                "admin"
            ]
        },
        {
            "groups": [],
            "role": "container.containerpullthroughdistribution_consumer",
            "users": [
                "container_consumer"
            ]
        }
    ]
}

However, when I log in and pull, it will still fail

docker login repo.company.com
Username: container_consumer
Password:
Login Succeeded

docker image pull repo.company.com/docker-cache/library/busybox
Using default tag: latest
Error response from daemon: pull access denied for repo.company.com/docker-cache/library/busybox, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Expected behavior
The role should allow the user to pull the images

Additional context
Previous Discussion: https://matrix.to/#/!HWvLQmBGVPfJfTQBAu:matrix.org/$xdzKq3fygVI6w0ginypdtaodaRJhi7Yx6aMTgSowSP0?via=matrix.org&via=ctrl-c.liu.se&via=x9c4.spdns.org

@lubosmj
Member

lubosmj commented May 17, 2024

When pulling images through a pull-through cache distribution, you also need to have permissions to create distributions. Being only a consumer does not help in this matter. The user needs to have permissions of the creator too. Do you think you can create a role that has also permissions to create a distribution? I have in mind the following permissions:

container.add_containerdistribution
container.view_containerdistribution
container.pull_containerdistribution

I suppose we need to update our documentation...

ref: https://staging-docs.pulpproject.org/pulp_container/docs/admin/learn/rbac/#creator-role

@lubosmj
Member

lubosmj commented May 17, 2024

Additionally, the user needs permission to access the namespace, like:

container.namespace_view_containerdistribution

@PotentialIngenuity
Author

PotentialIngenuity commented May 17, 2024

Thank you! I was able to pull a container after creating a role with those permissions.

pulp user role-assignment list --username container_consumer
[
  {
    "pulp_href": "/pulp/api/v3/users/3/roles/018f8762-667a-7f41-a066-2f3b8cd3e3e1/",
    "pulp_created": "2024-05-17T16:28:44.028381Z",
    "pulp_last_updated": "2024-05-17T16:28:44.028420Z",
    "role": "container_registry_consumer",
    "content_object": null,
    "description": "Pull/View pull-through and standard container registries",
    "permissions": [
      "container.add_containerdistribution",
      "container.pull_containerdistribution",
      "container.view_containerdistribution",
      "container.namespace_view_containerdistribution",
      "container.view_containerpullthroughdistribution"
    ],
    "domain": null
  }
]
docker login repo.company.com
Username: container_consumer
Password:
Login Succeeded

docker image pull repo.company.com/docker-cache/library/postgres
Using default tag: latest
latest: Pulling from docker-cache/library/postgres
09f376ebb190: Already exists
119215dfb3e3: Pull complete
e02bbc8c8252: Pull complete
061f31803c55: Pull complete
accd4903f49a: Pull complete
2016ff8e6e3a: Pull complete
088e651df7e9: Pull complete
ed155773e5e0: Pull complete
ffebb35d2904: Pull complete
293f0bec643a: Pull complete
1655a257a5b5: Pull complete
4ddba458499d: Pull complete
90e48ae03559: Pull complete
822c1a513e6a: Pull complete
Digest: sha256:1bf73ccae25238fa555100080042f0b2f9be08eb757e200fe6afc1fc413a1b3c
Status: Downloaded newer image for repo.company.com/docker-cache/library/postgres:latest
repo.company.com/docker-cache/library/postgres:latest

@lubosmj
Member

lubosmj commented May 17, 2024

To be honest, you only need the container.namespace_view_containerdistribution permission. See below the complete example:

REMOTE_HREF=$(http ${BASE_ADDR}/pulp/api/v3/remotes/container/pull-through/ name=docker-cache url=https://registry-1.docker.io | jq -r ".pulp_href")
http ${BASE_ADDR}/pulp/api/v3/distributions/container/pull-through/ remote=${REMOTE_HREF} name=docker-cache base_path=docker-cache
pulp user create --username test --password test12345 --email [email protected]
podman logout localhost:5001
podman login localhost:5001 --tls-verify=false -u test -p test12345
podman pull localhost:5001/docker-cache/pulp/test-fixture-1:manifest_a --tls-verify=false

ERROR:

Trying to pull localhost:5001/docker-cache/pulp/test-fixture-1:manifest_a...
Error: initializing source docker://localhost:5001/docker-cache/pulp/test-fixture-1:manifest_a: reading manifest manifest_a in localhost:5001/docker-cache/pulp/test-fixture-1: requested access to the resource is denied

Adding permissions:

pulp role create --name "container.containerrepository_cache_puller" --permission "container.namespace_view_containerdistribution"
pulp user role-assignment add --username "test" --role "container.containerrepository_cache_puller" --object ""
podman pull localhost:5001/docker-cache/pulp/test-fixture-1:manifest_a --tls-verify=false

Success:

Trying to pull localhost:5001/docker-cache/pulp/test-fixture-1:manifest_a...
Getting image source signatures
Copying blob d88e4fcba3c8 skipped: already exists  
Copying blob 188c0c94c7c5 skipped: already exists  
Copying config 2ea2d39846 done   | 
Writing manifest to image destination
2ea2d398465fee77f3f80929d6ee391634e548a98eaab5cfb64dba5a25da13b8
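The two maintainer comments above (the first listing add/view/pull permissions, the second narrowing the requirement to container.namespace_view_containerdistribution) together with the reporter's role-assignment listing make a least-privilege check worth having: given the JSON that `pulp user role-assignment list --username <user>` prints, confirm the user holds the one permission needed for pull-through pulls and flag any model-level write permission (such as container.add_containerdistribution) that grants more than pulling. The script below is an added example written for this thread, not code from pulp_container or the Pulp CLI; the first sample input is copied from the reporter's listing, the second is constructed, and the prefixes used to classify a permission as a write grant are an assumption of this audit.

```python
import json

# Sample 1: the role assignment the reporter posted in this thread (copied from the
# output of `pulp user role-assignment list --username container_consumer`).
CONSUMER_ROLE_ASSIGNMENTS = json.loads("""
[
  {
    "pulp_href": "/pulp/api/v3/users/3/roles/018f8762-667a-7f41-a066-2f3b8cd3e3e1/",
    "role": "container_registry_consumer",
    "content_object": null,
    "permissions": [
      "container.add_containerdistribution",
      "container.pull_containerdistribution",
      "container.view_containerdistribution",
      "container.namespace_view_containerdistribution",
      "container.view_containerpullthroughdistribution"
    ],
    "domain": null
  }
]
""")

# Sample 2: a constructed listing for a user who only has view/pull on distributions,
# i.e. the situation the reporter started from (no namespace-level view permission).
VIEW_ONLY_ASSIGNMENTS = json.loads("""
[
  {
    "pulp_href": "/pulp/api/v3/users/3/roles/00000000-0000-0000-0000-000000000000/",
    "role": "constructed_view_only_role",
    "content_object": null,
    "permissions": [
      "container.pull_containerdistribution",
      "container.view_containerdistribution"
    ],
    "domain": null
  }
]
""")

# The single permission the maintainer says is required for pulling through the cache.
REQUIRED_FOR_CACHE_PULL = frozenset({"container.namespace_view_containerdistribution"})

# Assumption of this audit: permissions with these prefixes let the user create or
# alter objects, which is more than a pull-only account needs.
WRITE_PREFIXES = ("container.add_", "container.change_", "container.delete_",
                  "container.modify_")


def model_level_permissions(assignments):
    """Flatten model-level assignments (content_object is null) into one set.

    Object-scoped assignments are kept separately: in the thread, a consumer role
    bound to one pull-through distribution was not enough to pull, so they are not
    counted toward the required set here.
    """
    perms, object_scoped = set(), []
    for a in assignments:
        if a.get("content_object") is None:
            perms.update(a.get("permissions", []))
        else:
            object_scoped.append((a.get("role"), a["content_object"]))
    return perms, object_scoped


def audit(assignments, required=REQUIRED_FOR_CACHE_PULL):
    """Return what is missing for a cache pull and which write grants exceed it."""
    perms, object_scoped = model_level_permissions(assignments)
    missing = sorted(required - perms)
    write_grants = sorted(p for p in perms if p.startswith(WRITE_PREFIXES))
    return {
        "can_pull": not missing,
        "missing": missing,
        "write_grants": write_grants,
        "object_scoped": object_scoped,
    }


if __name__ == "__main__":
    for name, sample in (("container_consumer", CONSUMER_ROLE_ASSIGNMENTS),
                         ("view-only user", VIEW_ONLY_ASSIGNMENTS)):
        print(name, json.dumps(audit(sample), indent=2))
```

Run against the reporter's listing, the audit reports that the user can pull but also holds container.add_containerdistribution, which the maintainer's narrowed example shows is not needed for pulling; against the constructed view-only listing it reports the namespace permission as missing, matching the "requested access to the resource is denied" result earlier in the thread. To use it on a live system, replace the embedded JSON with the output of `pulp user role-assignment list --username <user>`.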

@lubosmj
Member

lubosmj commented May 17, 2024

I see there is a lack of clarity on how the permissions should be configured and how the pull-through caching should work out of the box. I consider this to be a documentation issue. Thanks for opening it!

As per #1623, we need to discuss the impact of allowing all users to benefit from pull-through caching distributions.

@lubosmj lubosmj added Docs Improvements or additions to documentation Triage-Needed and removed Triage-Needed Docs Improvements or additions to documentation labels May 17, 2024
@lubosmj lubosmj added Docs Improvements or additions to documentation and removed Triage-Needed labels Jun 7, 2024
@lubosmj
Member

lubosmj commented Jun 7, 2024

We will need to consider adding write permissions to the repository as well, not just view permissions.

@lubosmj lubosmj self-assigned this Jul 1, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 4, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 5, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 5, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 5, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 5, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 7, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 7, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 7, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 8, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 8, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 8, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 8, 2024
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 8, 2024
Projects
Status: Shipped