...

There are two points of integration with Synapse: (1) notification when a new repository is created, updated, etc., and (2) a request to authorize an operation on a repository. When a new Docker repository is created, an object will be created in the repository services. This object will be related to an ACL which can be edited by the repository owner or other authorized Synapse users. When an authorization request comes in, the ACL is used to approve or deny the request.

 

There are three choices for representing repositories in Synapse:  (1) as a variation of a file, (2) as a new kind of Entity, (3) as a new non-Entity object.  The first two options have serious problems:  If a repository is a kind of file then the semantics of a file as a document or stream of bytes breaks down.  Clients need extra logic that says they cannot expect to do an 'HTTP GET' (for example) on such a file.  Docker repositories cannot be entities because we cannot expose Create and Delete operations.  The repository objects in Synapse must mirror those in the Docker registry.  This means that objects can only be created and deleted as notifications about such events are received from the Docker registry.

Note: We can allow MULTIPLE Docker registries to delegate authorization to Synapse by ensuring Synapse includes the registry 'host' in the repository object.

...

Will now appear in Synapse under (Project or Folder) syn1234567.   See https://app.moqups.com/bruce.hoff@sagebase.org/HY2x6MNWXo/editview/page/a406bb9f1

Cannot be moved or renamed.

...

| Description | URI | Method | Request Parameters | Request Body | Response Body |
|---|---|---|---|---|---|
| Authorization Request (https://docs.docker.com/registry/spec/auth/jwt/, https://tools.ietf.org/html/rfc6750#section-3) | /bearerToken | GET | service, scope | -- | BearerToken |
| Add a commit to an external repository. (Also changes modifiedBy, modifiedOn for the entity.) | /entity/{id}/dockerCommit | POST | -- | DockerCommit | -- |
| Get the commits for a repository. | /entity/{id}/dockerCommit | GET | -- | -- | DockerCommitList |
| Get the DockerRepository for a commit. | /entity/dockerDigest/{digest} | GET | -- | -- | DockerRepository |
| Get Docker password for a Docker registry. (System will generate automatically.) | /dockerPassword | GET | registryHost | -- | Password |
| Invalidate password for a Docker registry. | /dockerPassword | DELETE | registryHost | -- | -- |

...

Details

Authorization Request

...

If the repository is not represented in Synapse then deny the request; otherwise answer the authorization question using the ACL associated with the project which is the prefix of the requested repository. (Note: We can leverage existing Governance mechanisms by requiring 'download' access level in order to 'pull' a repository.)
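The decision rule above, sketched as an added example (not Synapse code). The function names, the constructed ACL and repository data, the use of the `service` parameter as the registry host, and the 'push' to UPDATE mapping are assumptions; only 'pull' requiring 'download' comes from this page. The scope format `repository:<path>:<actions>` is the one defined in the Docker token spec linked above.

```python
# Added example: constructed data and hypothetical names throughout.
from typing import Dict, List, Set, Tuple

# Access level needed per Docker action. 'pull' -> DOWNLOAD is from the page;
# 'push' -> UPDATE is an assumption made for this example.
REQUIRED_ACCESS = {"pull": "DOWNLOAD", "push": "UPDATE"}

# Constructed state: repositories Synapse has been notified about, keyed by
# (registry host, repository path), plus per-project ACLs.
KNOWN_REPOS: Set[Tuple[str, str]] = {("docker.example.org", "syn1234567/myrepo")}
PROJECT_ACL: Dict[str, Dict[str, Set[str]]] = {
    "syn1234567": {"alice": {"DOWNLOAD", "UPDATE"}, "bob": {"DOWNLOAD"}},
}


def parse_scope(scope: str) -> Tuple[str, str, List[str]]:
    """Split 'repository:<path>:<action>[,<action>]' into its three parts."""
    # The path itself may contain ':' (e.g. a host:port prefix), so the type
    # is split off from the left and the action list from the right.
    resource_type, rest = scope.split(":", 1)
    path, actions = rest.rsplit(":", 1)
    return resource_type, path, [a for a in actions.split(",") if a]


def granted_actions(user: str, service: str, scope: str) -> List[str]:
    """Return the subset of requested actions the ACL allows (default deny)."""
    try:
        resource_type, path, requested = parse_scope(scope)
    except ValueError:
        return []  # malformed scope: grant nothing
    if resource_type != "repository":
        return []
    # Deny when the repository is not represented in Synapse for this registry.
    if (service, path) not in KNOWN_REPOS:
        return []
    # The project is the prefix of the repository path.
    project_id = path.split("/", 1)[0]
    user_access = PROJECT_ACL.get(project_id, {}).get(user, set())
    # Unknown actions map to None, which is never in the ACL, so they are dropped.
    return [a for a in requested if REQUIRED_ACCESS.get(a) in user_access]
```

The returned list is what a token service would place in the token's granted actions; an empty list means the request is denied.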

...

  • OK to have a Docker-Synapse password different from the user's Synapse password (or API key)? Answer:  YES
  • Is it OK for Docker repos to have Folders as parents or just Projects?

...

  •  Answer:  JUST PROJECTS