Add API endpoint for "Allow anyone to pull from Package Registry"
Package Registry Access Control API Enhancement
Problem Statement
Recently, we implemented the "Allow anyone to pull from package registry" option, which enables maintainers/owners to configure package registry access at the project level via UI and administrators to manage it at the instance level. However, current limitations create significant challenges:
- No group-level management capability
- Lack of API support for automation
- Inconsistent management experience compared to container registry controls
- Manual intervention is required for bulk changes
Related issues:
- #410139 - Group-level package registry access control
- #383537 (closed) - Initial package registry access control implementation
Proposal
We propose implementing a new API attribute, package_registry_access_level, in the Projects API, aligning with the existing container_registry_access_level pattern. This enhancement will provide:
Technical Details
- New API Operations:
  - GET /api/v4/projects/:id/package_registry
    - Returns the current access level configuration for a project's package registry
    - Available to users with Reporter access or higher
    - Returns instance default if no project-specific setting is set
  - PUT /api/v4/projects/:id/package_registry
    - Updates the access level configuration for a project's package registry
    - Requires Maintainer access or higher
    - Payload: { "package_registry_access_level": "enabled" | "private" | "disabled" }
  - Note: Group-level endpoints will be tracked in a separate issue.
- Access Level Options:
  - private (default) - Only project members can pull packages
  - enabled - Anyone can pull packages
  - disabled - Package registry disabled for this project/group
- Access Level Management:
  - Project-level settings managed independently
  - Instance-level settings provide default values
  - Future consideration: Group-level management (separate issue)
Value Proposition for Platform Engineers
Automation Capabilities
- Infrastructure as Code Integration
  - Enable GitOps workflows for registry access management
  - Integrate with configuration management tools
  - Automate access control in CI/CD pipelines
- Bulk Operations
  - Programmatically update multiple projects
  - Implement consistent access patterns across organizations
  - Automate periodic access reviews
- Custom Tooling Development
  - Build internal tools for access management
  - Create automated approval workflows
  - Implement custom audit and compliance checks
Compliance and Security Benefits
- Access Control Automation
  - Standardize access patterns across projects
  - Implement automatic revocation policies
  - Enforce security policies programmatically
- Audit and Monitoring
  - Track access changes through API calls
  - Generate automated compliance reports
  - Monitor usage patterns programmatically
Feature Usage Metrics
Proposed metrics to track:
- API endpoint usage frequency
- Distribution of access level settings
- Number of groups/projects using inherited vs. custom settings
- Automation tool integration statistics
Audit Requirements
This feature requires comprehensive audit events for:
- Access level changes
- Failed permission changes
Each audit event should capture:
- Actor information
- Previous and new settings
- Affected scope (project/group)
- Timestamp
- Source of change (API/UI)
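The proposed read/update rules and the audit fields listed above, modelled as a small in-memory Ruby sketch. This is an added example, not GitLab's implementation. Assumptions: the class and method names, the 403/400 status codes, the order of the permission and validation checks, and the "outcome" field are hypothetical; the role ranks mirror GitLab's numeric access levels.

```ruby
require 'time'

# Hypothetical model of the proposed endpoint semantics; not GitLab code.
LEVELS = %w[enabled private disabled].freeze
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class PackageRegistrySetting
  attr_reader :audit_log

  def initialize(instance_default: 'private')
    @instance_default = instance_default
    @project_levels = {} # project_id => explicit project-level setting
    @audit_log = []
  end

  # GET semantics: Reporter or higher; falls back to the instance default.
  def read(project_id, role:)
    return { status: 403 } if ROLE_RANK.fetch(role) < ROLE_RANK[:reporter] # status code assumed

    level = @project_levels.fetch(project_id, @instance_default)
    { status: 200, package_registry_access_level: level }
  end

  # PUT semantics: Maintainer or higher; values outside LEVELS are rejected.
  def update(project_id, level, actor:, role:, source: 'API')
    previous = @project_levels.fetch(project_id, @instance_default)
    if ROLE_RANK.fetch(role) < ROLE_RANK[:maintainer]
      # Failed permission changes are audited too, per the Audit Requirements.
      record(actor, project_id, previous, level, source, 'denied')
      return { status: 403 }
    end
    return { status: 400 } unless LEVELS.include?(level) # status code assumed

    @project_levels[project_id] = level
    record(actor, project_id, previous, level, source, 'changed') unless previous == level
    { status: 200, package_registry_access_level: level }
  end

  private

  # One event per change or denied attempt, carrying the fields the issue lists.
  def record(actor, project_id, previous, requested, source, outcome)
    @audit_log << { actor: actor, scope: "project/#{project_id}", previous: previous,
                    requested: requested, source: source, outcome: outcome,
                    timestamp: Time.now.utc.iso8601 }
  end
end
```

Recording the previous value alongside the requested one lets a reviewer spot a private-to-enabled transition without replaying earlier events.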