Option to disable "Allow anyone to pull from Package Registry" for whole groups
Release notes
Add ability to disable the "Allow anyone to pull from Package Registry" feature on a group and contained subgroups and projects.
Problem to solve
We would like to improve the security of our intellectual property with regard to the "Allow anyone to pull from Package Registry" feature. The feature was introduced in #329253 (closed) and released in GitLab 15.7.
We fully understand the use case for it and appreciate that other GitLab customers find this feature beneficial and make good use of it.
However, we consider the current situation critical because a package registry can be made public on the internet even though the project itself is private. We have a private root group gitlab.com/our-root-group with SSO enforcement. Our expectation is that this gives us control over who is able to access our resources. In general, visibility settings are restricted to the Owner role, and a lower level cannot have a more permissive setting than the level above it (with the root group at the top). Only a few people in the company hold the Owner role, since we consider them to be our admins.
The "Allow anyone to pull from Package Registry" setting is the only feature we know of that breaks this assumption. Other registries, such as the container registry, cannot be made public by a project Maintainer.
We as an organization want to regain control of who can make our resources public on the internet.
This is related to another feature request: #410146
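Until a group-level switch exists, the check most teams will want is an audit of the current state: which projects under the group already have a package registry that is more visible than the project itself. The following Python script is an added example (not part of this issue and not GitLab's own code). It assumes that the project API exposes the field `package_registry_access_level` with the values `disabled`, `private` and `public`, and that `GET /groups/:id/projects?include_subgroups=true` lists all projects below a group. The project list used here is constructed, so the check runs offline; the API fetch function is provided for real use but not called by default.

```python
import json
import urllib.request

# Constructed sample of the fields this check uses from
# GET /groups/:id/projects?include_subgroups=true (assumption: the field
# package_registry_access_level exists with values disabled/private/public).
SAMPLE_PROJECTS = [
    {"path_with_namespace": "our-root-group/app", "visibility": "private",
     "package_registry_access_level": "private"},
    {"path_with_namespace": "our-root-group/sdk", "visibility": "private",
     "package_registry_access_level": "public"},
    {"path_with_namespace": "our-root-group/tools/cli", "visibility": "internal",
     "package_registry_access_level": "public"},
    {"path_with_namespace": "our-root-group/docs", "visibility": "public",
     "package_registry_access_level": "public"},
    {"path_with_namespace": "our-root-group/legacy", "visibility": "private",
     "package_registry_access_level": "disabled"},
]


def find_exposed_package_registries(projects):
    """Return paths of projects whose package registry is reachable by anyone
    although the project itself is not public (private or internal)."""
    exposed = []
    for project in projects:
        level = project.get("package_registry_access_level")
        if level == "public" and project.get("visibility") != "public":
            exposed.append(project["path_with_namespace"])
    return exposed


def fetch_group_projects(base_url, group_id, token):
    """Page through the group projects endpoint of a real GitLab instance.
    Not executed in the offline demonstration below."""
    projects = []
    page = 1
    while True:
        url = (f"{base_url}/api/v4/groups/{group_id}/projects"
               f"?include_subgroups=true&per_page=100&page={page}")
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return projects
        projects.extend(batch)
        page += 1


if __name__ == "__main__":
    # Replace SAMPLE_PROJECTS with fetch_group_projects(
    #     "https://gitlab.com", "our-root-group", token) for a live audit.
    for path in find_exposed_package_registries(SAMPLE_PROJECTS):
        print(f"package registry public on non-public project: {path}")
```

Run this periodically (for example from a scheduled pipeline with a read-only group token) and treat every reported path as a finding: each one is a project where a Maintainer has made packages pullable by anyone while the group's visibility and SSO enforcement suggest otherwise.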
Proposal
We suggest adding an option to disable the "Allow anyone to pull from Package Registry" feature on a group.
As with other similar settings, it should be possible to propagate the setting to subgroups and projects and enforce it there (with no option to override it at the subgroup or project level).
This would allow organizations that rely on the feature to keep using it, while organizations like ours can restrict it and prevent resources from being made public on the internet unintentionally.
Intended users
- Cameron (Compliance Manager)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- TODO: this is just a suggestion by me and needs to be refined
- To whom it may concern: the links in the issue template to the persona descriptions are broken