Bosca / Artifacts

Access control

Open to the world, or exactly one job

A public namespace serves anonymous pulls like any open registry. A private one checks the same security groups as the rest of Bosca. And for machines, a token can be narrowed until it can do exactly one thing.

Namespaces

Public or private, per namespace

The namespace is the unit of visibility and the unit of access — everything inside one answers to the same rules.

  • Public means anonymous pull access; private means every read checks permissions.
  • Names shape how clients see it: library for images, com.acme for Maven groups, @scope for npm.
  • Visibility is a switch, not a migration — flip a namespace public when it's ready to be.
  • Deleting a namespace removes its repositories, versions, and blob references after confirmation.
namespaces
libraryPublicdocker 4 · helm 2
bosca-mavenPrivatemaven 12
modelPrivateml 3

Group permissions

The groups you already have

No registry user directory, no second set of accounts — grants pair a Bosca security group with an action on a namespace.

  • Pulls check view, pushes check edit, and administrative or destructive operations check manage.
  • Admin and service-account groups carry implicit access; everyone else needs an explicit grant.
  • Signed-in people and platform services use their existing identity — the registry recognizes both.
  • Grants are managed per namespace in Studio, one (group, action) pair per entry.
library · permissions
engineeringEDIT
ci-agentsVIEW
release-managersMANAGE

Scoped tokens

Tokens that name exactly what they may do

A registry token carries artifacts scopes — format, namespace and repository, version or tag pattern, and action — so a leaked CI credential is a small problem, not a master key.

  • Scopes follow artifacts:type:namespace/repository:version:action, with wildcards and globs at every level — every repo in a namespace, or only versions matching v3.*.
  • Actions are pull, push, and admin — and push implies pull, so a publisher can read what it wrote.
  • Broad scopes exist when you want them: artifacts:pull, artifacts:push, artifacts:admin.
  • Hand one to docker login or npm login as the credential — the registry challenges and accepts it like any registry auth.
token scopes
# training may publish models
artifacts:ml:model/*:*:push

# agents may pull any library image
artifacts:docker:library/*:*:pull

# only 3.x of one package
artifacts:npm:@acme/ui:v3.*:pull

Keep exploring

More on Artifacts