Allow anonymous read-only access to a public project's Conan packages
Release notes
Problem to solve
I have a public project on a self-hosted GitLab instance. I'd like to be able to publish Conan packages and allow anyone to install them, without having to authenticate.
Currently when I do this, Conan requests authentication:
$ conan remote add gitlab https://example.com/api/v4/projects/42/packages/conan
$ conan install somepackage/1.2.3@someproject/stable --remote=gitlab
Please log in to "gitlab" to perform this action. Execute "conan user" command.
Remote 'gitlab' username:
If I query the Packages API directly, it works anonymously:
$ curl https://example.com/api/v4/projects/42/packages
[{"id":1,"name":"somepackage/1.2.3@someproject/stable","conan_package_name":"somepackage","version":"1.2.3","package_type":"conan","_links":{"web_path":"/someproject/someproject/-/packages/1"},"created_at":"2020-12-17T19:50:38.358-05:00","tags":[]}]
But the corresponding Conan API doesn't work anonymously:
$ curl https://example.com/api/v4/projects/42/packages/conan/v1/ping
{"message":"401 Unauthorized"}
Intended users
- Parker (Product Manager) — decide to grant anonymous read-only access to Conan packages
- Community members (people who don't have accounts on the self-hosted GitLab instance) — ability to use the conan CLI to download and install packages on their local system
User experience goal
Community members should be able to use the conan CLI to download and install packages on their local system, without having to authenticate.
Proposal
- If a GitLab Project's Visibility is Public:
  - Authentication should (continue to) be required to upload packages
  - Anonymous users should be able to download packages using the /api/v4/projects/42/packages/conan/v1/ping endpoint
Further details
Permissions and Security
Documentation
- After implementing, on https://docs.gitlab.com/ee/user/packages/conan_repository/#authenticate-to-the-package-registry, mention that anonymous read-only access is an option
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Since package support is in GitLab Core, I think it would make sense to include anonymous package downloading in GitLab Core, too.
Is this a cross-stage feature?
Links / references
Edited by Steve Mokris
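
The access rule in the Proposal above, written as a check over unauthenticated probe results. This is an added example, not part of the issue or of GitLab's code. The probe data is constructed, `<upload-path>` is a placeholder for an upload route the issue does not name, and treating GET/HEAD as the only read methods is an assumption.

```python
from dataclasses import dataclass

READ_METHODS = {"GET", "HEAD"}  # assumption: downloads use only these methods


@dataclass(frozen=True)
class Probe:
    """One unauthenticated request and the HTTP status the server returned."""
    visibility: str  # GitLab project visibility: "public", "internal", "private"
    method: str
    path: str
    status: int


def anonymous_should_succeed(visibility: str, method: str) -> bool:
    """The proposal: anonymous access is read-only and limited to public projects."""
    return visibility == "public" and method.upper() in READ_METHODS


def audit(probes):
    """Return (finding, probe) pairs where the server disagrees with the proposal."""
    findings = []
    for p in probes:
        served = 200 <= p.status < 300
        wanted = anonymous_should_succeed(p.visibility, p.method)
        if served and not wanted:
            # Anonymous write accepted, or a non-public project readable by anyone.
            findings.append(("EXPOSED", p))
        elif wanted and p.status in (401, 403):
            # The behaviour this issue reports: a public read still demands login.
            findings.append(("AUTH_REQUIRED", p))
    return findings


BASE = "/api/v4/projects/42/packages/conan"  # path taken from the issue
# Constructed probe results, not captured from a real instance.
SAMPLE = [
    Probe("public", "GET", BASE + "/v1/ping", 401),
    Probe("public", "GET", BASE + "/v1/ping", 200),
    Probe("public", "PUT", BASE + "/<upload-path>", 401),
    Probe("public", "PUT", BASE + "/<upload-path>", 201),
    Probe("private", "GET", BASE + "/v1/ping", 200),
    Probe("private", "GET", BASE + "/v1/ping", 404),
]

if __name__ == "__main__":
    for finding, probe in audit(SAMPLE):
        print(f"{finding:13} {probe.visibility:8} {probe.method:4} {probe.path} -> {probe.status}")
```

Only the first, fourth and fifth sample probes are reported; a rejected anonymous upload and a hidden private project both match the proposal.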