...

There are two points of integration with Synapse: (1) notification when a new repository is created, updated, etc., and (2) requests to authorize an operation on a repository. When a new Docker repository is created, a corresponding object is created in the repository services. This object is associated with an ACL that can be edited by the repository owner or other authorized Synapse users. When an authorization request comes in, the ACL is used to approve or deny the request.

 

There are three choices for representing repositories in Synapse: (1) as a variation of a file, (2) as a new kind of Entity, or (3) as a new non-Entity object. The first two options have serious problems. If a repository is a kind of file, the semantics of a file as a document or stream of bytes break down: clients need extra logic telling them they cannot expect to do an 'HTTP GET' (for example) on such a file. Docker repositories cannot be entities because we cannot expose Create and Delete operations: the repository objects in Synapse must mirror those in the Docker registry, which means objects can only be created and deleted as notifications about such events are received from the Docker registry.

Note: We can allow MULTIPLE Docker registries to delegate authorization to Synapse by ensuring Synapse includes the registry 'host' in the repository object.
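
The model described above (repository objects created and deleted only from registry notifications, an ACL deciding each authorization request, and the registry host as part of the repository's identity), as an added Python sketch; it is not Synapse code. Assumptions: all class and method names are hypothetical, the event fields follow the Docker registry notification envelope, the first pusher becomes the owner, and a `delete` event removes the object.

```python
# Added illustration with hypothetical names; not Synapse code.
import json

class RepoStore:
    """Mirror of registry repositories, keyed by (registry host, repository path)."""

    def __init__(self):
        self._acl = {}  # (host, repo) -> {principal: set of permitted actions}

    def on_notification(self, body):
        """Apply a registry notification envelope: the only create/delete path."""
        for ev in json.loads(body).get("events", []):
            host = (ev.get("request") or {}).get("host")
            repo = (ev.get("target") or {}).get("repository")
            actor = (ev.get("actor") or {}).get("name")
            if not host or not repo:
                continue  # malformed event: ignore rather than guess a key
            key = (host.lower(), repo)
            if ev.get("action") == "push" and key not in self._acl and actor:
                # Assumption: the first pusher becomes owner with full rights.
                self._acl[key] = {actor: {"pull", "push", "change_acl"}}
            elif ev.get("action") == "delete":
                # Assumption: a delete event removes the mirrored object.
                self._acl.pop(key, None)

    def grant(self, editor, host, repo, principal, actions):
        """ACL edit, allowed only for principals holding 'change_acl'."""
        acl = self._acl.get((host.lower(), repo))
        if acl is None or "change_acl" not in acl.get(editor, ()):
            raise PermissionError("not allowed to edit this ACL")
        acl.setdefault(principal, set()).update(actions)

    def authorize(self, principal, host, repo, requested):
        """Return the requested actions the ACL approves (deny by default)."""
        acl = self._acl.get((host.lower(), repo), {})
        return set(requested) & (acl.get(principal, set()) - {"change_acl"})

# Constructed sample notification (not captured from a real registry).
SAMPLE = json.dumps({"events": [{
    "action": "push",
    "target": {"repository": "syn123/my-tool"},
    "request": {"host": "docker.example.org"},
    "actor": {"name": "alice"},
}]})

def demo():
    store = RepoStore()
    store.on_notification(SAMPLE)
    store.grant("alice", "docker.example.org", "syn123/my-tool", "bob", {"pull"})
    return store
```

Because the key includes the host, the same repository path on a second registry has no ACL and every request against it is denied until that registry reports its own event.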

...