Update the permissions for the Container Registry `catalog` endpoint
Context
GitLab Self-Managed customers would like to quickly view a list of all container image repositories in their instance. In both GitLab and Docker, this list is made available through the catalog endpoint.
The catalog for a given registry can be retrieved with the following request:
`GET /v2/_catalog`
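An added example (not part of the original issue) of a client that walks the whole catalog and surfaces the permission failure this issue is about. The `n`/`last` query parameters and the `Link: <...>; rel="next"` header come from the Docker Registry HTTP API V2 specification rather than from this page; `fetch`, `fake_registry` and the repository names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

def next_path(link_header):
    """Return path?query of the rel="next" link, or None when the listing is done."""
    for part in (link_header or "").split(","):
        m = re.match(r'\s*<([^>]*)>\s*;\s*rel="?next"?\s*$', part)
        if m:
            u = urlsplit(m.group(1))
            return u.path + ("?" + u.query if u.query else "")
    return None

def list_catalog(fetch, page_size=100):
    """Collect every repository name from /v2/_catalog, following pagination.

    fetch(path) -> (status, headers, body) is supplied by the caller
    (assumption: a thin wrapper around an authenticated HTTP session).
    """
    path, repos = f"/v2/_catalog?n={page_size}", []
    while path:
        status, headers, body = fetch(path)
        if status in (401, 403):
            # The case described in this issue: the caller's role is too low.
            raise PermissionError(f"catalog access denied (HTTP {status})")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} for {path}")
        repos.extend(json.loads(body)["repositories"])
        path = next_path(headers.get("Link"))
    return repos

def fake_registry(names, allowed=True):
    """Constructed in-memory stand-in for a registry, so the example runs offline."""
    names = sorted(names)
    def fetch(path):
        if not allowed:
            return 401, {}, "{}"
        q = parse_qs(urlsplit(path).query)
        n, last = int(q["n"][0]), q.get("last", [""])[0]
        rest = [r for r in names if r > last]  # entries after the `last` marker
        page, headers = rest[:n], {}
        if len(rest) > n:
            headers["Link"] = f'</v2/_catalog?last={page[-1]}&n={n}>; rel="next"'
        return 200, headers, json.dumps({"repositories": page})
    return fetch

if __name__ == "__main__":
    sample = ["group/app", "group/api", "infra/base", "infra/runner", "web/site"]
    print(list_catalog(fake_registry(sample), page_size=2))
```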
Problem to solve
The problem is that Admin permissions are required for the project. This blocks many organizations from using the endpoint, since they are hesitant to hand out Project Admin privileges. A Developer can also get this information using the Container Registry API, but this requires giving API access to the project, which has the same risks.
Proposal
Update the permissions required to execute the `v2/_catalog` endpoint so that anyone with Developer+ permissions can call it. Another option would be to use the Auditor role.
GitLab.com
Note that the catalog endpoint does not work on GitLab.com, by design.
Customer quote
On a self-managed instance here -- only works if the user is an admin which when we may be having 3rd party CI/CD platforms access our system on behalf of other customers we can't be granting their accounts access to that level for stuff -- just because we're self-managed doesn't mean we can dole out admin credentials like that.
Can't fall back on the registry API when other container platforms like Octopus Deploy play well with every other registry out there (we ended up having to forklift our stuff to Digital Ocean registry for the time being) and these platforms would have to write bespoke implementations for GitLab only -- so we'd be waiting probably indefinitely for that.