Add the ability to set a user access control policy on images

[krystian-er]

Is your feature request related to a problem? Please describe.
Portainer --> Images: Request to add user access restriction - Users should not be able to delete the image. The lack of such a restriction makes it impossible to use the portainer, because everyone can remove the image.

Describe the solution you'd like
Added ability to block access to images.

[deviantony]

We did not want to provide any ownership control over images as it does not really makes sense. We might figure out a better isolation level for images at some point, in the meantime this is not going to be integrated.

Regarding your particular point though, preventing the ability to remove images, this will be part of our RBAC extension (see #1259)

[deviantony]

We've actually reconsidered adding user access controls on the images, we'll use this issue to track this evolution.

[xiftin84]

Hi,

@deviantony by any chance do you have an ETA when this feature is going to deployed?

[deviantony]

No ETA yet.

[gotjoshua]

Do you guys have a plan for how to add access control to containers that are not "born" in portainer?

I ask because I prefer to have all my docker-compose files on the server and use portainer for convenient restarting.

Is this covered by your plans?

[ncresswell]

We already have this as a setting. By default, anything created outside portainer is only seen by portainer admins. However in settings you can change that behavior. Rgds, Neil Cresswell On 22/01/2019, at 4:03 PM, gotjoshua <[email protected]<mailto:[email protected]>> wrote: Do you guys have a plan for how to add access control to containers that are not "born" in portainer? I ask because I prefer to have all my docker-compose files on the server and use portainer for convenient restarting. I'd like to be able to add users who, for example, have the ability to start and restart but not remove containers. Is this covered by your plans? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_portainer_portainer_issues_2405-23issuecomment-2D456322006&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=YZ8xbXYPvhsS0dh81E7oNn6bEchJx72N8BV2EkdbGFg&s=aaZwD0mJuRf_wLX7BmbMVpwZSuXBQciBNo6csbAzOug&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AWGrlXI2EJRSTfQpT0zDinrMXdTxLTEOks5vFtPugaJpZM4X9mUp&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=YZ8xbXYPvhsS0dh81E7oNn6bEchJx72N8BV2EkdbGFg&s=ZeLgP8vBpMao2tLIDjJEZdoAMyj_sU5EkNQqRoJeVTc&e=>.

[gotjoshua]

Thanks @ncresswell (maybe you want to edit your reply to exclude all the email crud)!

I am also curious about how fine grained the access control will be when this feature gets implemented... eg: I'd like to be able to add users who, for example, have the ability to start and restart but not remove containers.

Also only high clearance users should be able to use the remote console.

[ncresswell]

Oh, fine grained access control will be part of our “to be released” AAC (access, audit, and control) extension. This extension will allow you to create a role, and select which portainer functions that role can use. Users are then added the role. The extension will also keep an audit log of every activity performed per user. Expect this extension in 3 months.

[gotjoshua]

Sounds seriously awesome!
Thanks!