docs: update example documentation to use the current authz structure (…

…project-zot#2039) Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
adodon2go · Nov 13, 2023 · b2a9239 · b2a9239
1 parent 38f10af
commit b2a9239
Showing 1 changed file with 19 additions and 5 deletions.
diff --git a/examples/README.md b/examples/README.md
@@ -551,6 +551,7 @@ Should authentication fail, to prevent automated attacks, a delayed response can
 
 Allowing actions on one or more repository paths can be tied to user
 identities. Two additional per-repository policies can be specified for identities not in the whitelist:
+
 - anonymousPolicy - applied for unathenticated users.
 - defaultPolicy - applied for authenticated users.
 
@@ -570,17 +571,28 @@ because it will be longer. So that's why we have the option to specify an adminP
 Basically '**' means repositories not matched by any other per-repository policy.
 
 Method-based action list:
+
 - "read" - list/pull images
 - "create" - push images (needs "read")
 - "update" - overwrite tags (needs "read" and "create")
 - "delete" - delete images (needs "read")
 
 Behaviour-based action list
+
 - "detectManifestCollision" - delete manifest by digest will throw an error if multiple manifests have the same digest (needs "read" and "delete")
 
 
-```
+```json
 "accessControl": {
+  "groups": {                                                  # reusable groups of users
+    "group1": {
+      "users": ["jack", "john", "jane", "ana"]
+    },
+    "group2": {
+      "users": ["alice", "mike", "jim"]
+    }
+  },
+  "repositories": {                                            # per-repository policies
     "**": {                                                    # matches all repos (which are not matched by any other per-repository policy)
       "policies": [                                            # user based policies
         {
@@ -611,6 +623,7 @@ Behaviour-based action list
         "policies": [
           {
               "users": ["bob"],
+              "groups": ["group1"],
               "actions": ["read", "create"]
           },
           {
@@ -619,11 +632,12 @@ Behaviour-based action list
           }
         ],
         "defaultPolicy": ["read"]
-    },
-    "adminPolicy": {                                            # global admin policy (overrides per-repo policy)
-        "users": ["admin"],
-        "actions": ["read", "create", "update", "delete"]
     }
+  },
+  "adminPolicy": {                                             # global admin policy (overrides per-repo policy)
+      "users": ["admin"],
+      "actions": ["read", "create", "update", "delete"]
+  }
 }
 ```