
Comments (4)

gagbo commented on July 21, 2024

To be more precise: the openid feature doesn't prevent anyone from downloading crates; nothing can prevent it as far as I know. It only allows a specific list of users to publish packages on the registry. The difference might matter for your use case.

A cargo registry has basically 2 locations where you might control read access:

  • The URL of the backing repository that you put in your .cargo/config.toml. Basically what we do at my company is that we set the HTTP URL to the ktra-managed repo, and let git manage authentication (with the use git with cli flag or something) to that repo. That means you can control access to the registry with your org's git control.
  • The URL listed in the config file within the repo you pointed to in your cargo config. This is trickier to use; we used to use this URL (pointing to .crate files that are build artifacts behind the GitLab API), but to support this flow, we had to patch Cargo to add support for adding arbitrary HTTP headers to the requests made to the dl endpoint. This was a chore to maintain, and not using this patched Cargo means that we need to make the crates fully public if you happen to know the URL, which was not acceptable for us.

The openid thing only controls push/ownership access, which is currently useful for us to have our own technical CI user to push crates, and to make it easier for anyone in the company to publish and use private packages when hacking on some PoCs.

from ktra.

jbeaurivage commented on July 21, 2024

@Stargateur, check out #30. It might be close to what you're looking for.


Stargateur commented on July 21, 2024

Thanks for the detailed insight. I see the link; I guess limiting user creation / limiting who can upload crates would be nice too, thus it would be funny to see who would use a "public" registry with a private git repository index ^^. But that's indeed not what I need for now; you confirm that until the implementation of the RFC is done and released there is no simple way to do what I need.

Can't wait.


fMeow commented on July 21, 2024

I have created PR #50 to require authorization for public APIs. I will start testing after the RFC #3139 implementation is merged into cargo.
