Overview
CNB provides hosting capabilities for common artifacts, where you can publish and share your artifacts.
Authentication
All resources of the Cloud Native Build platform (including Repositories, Artifacts, the OpenAPI, etc.) require an access token for operations.
The Cloud Native Build platform (CNB) uses access tokens for authentication (AuthN) for various artifact repositories (including Docker, Helm, NPM, Maven, etc.).
When an access token is missing, the system treats it as anonymous access, and operation permissions will be restricted during anonymous access.
When authenticating for artifact login, fill in the username as cnb and the authentication password as your access token. Take the Docker login command as an example:
docker login docker.cnb.cool -u cnb -p {token-value}
When executing the login command, ensure the access token is valid (not expired, correct format); otherwise the login is rejected. A valid access token is bound to a user identity, which is how the user is authenticated.
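A small login helper, added here as an example and not part of CNB's own tooling, that passes the token to docker login on standard input through Docker's --password-stdin flag instead of the -p {token-value} form shown above, so the token does not end up in the shell history or in the process list. The CNB_TOKEN environment variable name and the whitespace check on the token are assumptions made for the example; the page does not specify a token format.

```python
"""Log in to a CNB artifact registry without putting the token on the command line.

Added example, not CNB's own code. Assumptions: the token is read from the
CNB_TOKEN environment variable, and a usable token contains no whitespace.
"""
import os
import subprocess
from typing import List, Optional

CNB_USERNAME = "cnb"  # the username is always "cnb"; the password is the access token


def login_command(registry: str, username: str = CNB_USERNAME) -> List[str]:
    """argv for `docker login` that reads the password from stdin.

    Unlike `-p {token-value}`, the token is not part of argv, so it does not
    show up in `ps` output or in the shell history.
    """
    return ["docker", "login", registry, "-u", username, "--password-stdin"]


def check_token(token: str) -> str:
    """Reject obviously unusable tokens before calling docker.

    Surrounding whitespace (a copy-pasted trailing newline, for instance) is
    stripped; embedded whitespace is treated as a malformed token (assumption).
    """
    token = token.strip()
    if not token:
        raise ValueError("access token is empty")
    if any(ch.isspace() for ch in token):
        raise ValueError("access token contains whitespace")
    return token


def docker_login(registry: str = "docker.cnb.cool", token: Optional[str] = None) -> int:
    """Run the login and return docker's exit code (non-zero means rejected)."""
    raw = token if token is not None else os.environ.get("CNB_TOKEN", "")
    token = check_token(raw)
    # The token is written to docker's stdin with a trailing newline, never to argv.
    proc = subprocess.run(login_command(registry), input=token + "\n", text=True)
    return proc.returncode


if __name__ == "__main__":
    raise SystemExit(docker_login())
```

Run it with CNB_TOKEN set in the environment; a rejected login (expired or malformed token) surfaces as a non-zero exit code from docker.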
Permission Control
On the Cloud Native Build platform (CNB), Docker/Helm artifacts can be pushed to Repositories for hosting, while Maven/NPM and other types of artifacts require creating Artifact repositories for hosting.
The visibility of Docker/Helm artifacts is consistent with the visibility of the hosted Repositories, and the user's access permissions to the artifacts are determined by their role in the Repositories.
The visibility of Maven/NPM and other types of artifacts depends on the visibility of the Registry, and the user's access permissions to the artifacts are determined by their role in the Registry.
The following table lists the correspondence between artifact behaviors and permissions:
Resource | Behavior | Required Permission |
---|---|---|
Public Registry Artifact | Pull | Anyone can pull, no login authentication required |
Public Registry Artifact | Push | Developer and above |
Public Registry Artifact | Delete | Administrator and above |
Private Registry Artifact | Pull | Visitor and above, login authentication required |
Private Registry Artifact | Push | Developer and above |
Private Registry Artifact | Delete | Administrator and above |
In addition to the user role, the access token's own permissions must be specified. Whether an operation on an artifact is authorized is ultimately determined by both the user role and the access token permissions.
The detailed authentication strategy for the Registry is as follows:
1. Login operation: if the personal token is valid, login is allowed; otherwise it is rejected.
2. Anonymous operation: only pulling artifacts from public Artifact repositories is allowed; all other operations are rejected.
3. Query, pull, and push operations: the user role must have the corresponding permission and the access token's registry-package authorization scope must include the corresponding operation; otherwise the operation is rejected. The delete operation is handled in the same way.
4. Where strategy 3 allows the operation, if the access token specifies a scope of use (such as a specified repository, a specified Registry, or only public repositories/artifact repositories) and that scope matches the accessed resource, the actual authorization scope is returned; otherwise the visibility of the operated resource is checked. If the accessed resource is public, the pull operation is still allowed but all other operations are rejected; if the accessed resource is private, all operations are rejected.
5. If any of the user, the token, or the accessed resource is in an abnormal state (e.g., frozen), all operations are rejected. Even pulling artifacts from a public Registry is rejected if an incorrect access token is provided (a token that expires after login is also treated as abnormal).
The above strategy is shown graphically below (taking the pull operation as an example for artifact behavior, where token refers to the CNB access token and scope refers to the authorization scope of the access token):
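The following is an added example, not CNB's own code, that models the strategy above as a single decision function so the rules can be exercised against concrete cases: the abnormal-state check (strategy 5) runs first, then the anonymous rule (strategy 2), then the combined role-and-scope check (strategy 3), then the token use-restriction and visibility fallback (strategy 4). The data classes, the numeric role ranks, the shape of the restriction tuple, the treatment of an unrestricted token as matching every resource, and checking "query" at the same level as "pull" are assumptions made for the example.

```python
"""Toy authorization check modelling the registry strategy described above.

Added illustration, not CNB's own code. The data classes, role ranks, the
restriction tuple and the "query is checked like pull" rule are assumptions;
rules 1-5 follow the numbered strategy in the text.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# The page names Visitor, Developer and Administrator ("and above"); any role the
# platform ranks above Administrator would map to a higher number (assumption).
ROLE_RANK = {"visitor": 1, "developer": 2, "administrator": 3}

# Minimum role per operation on a private resource, from the permission table.
# "query" is not in the table and is checked like "pull" (assumption).
MIN_ROLE = {"query": "visitor", "pull": "visitor",
            "push": "developer", "delete": "administrator"}


@dataclass
class Token:
    valid: bool                 # not expired, well-formed, not frozen
    scopes: frozenset           # operations granted under the registry-package scope
    # Optional use restriction: ("repository", name), ("registry", name)
    # or ("public_only",); None means the token is not restricted (assumption).
    restriction: Optional[tuple] = None


@dataclass
class Resource:
    kind: str          # "repository" (Docker/Helm) or "registry" (Maven/NPM, ...)
    name: str
    visibility: str    # "public" or "private"
    frozen: bool = False


@dataclass
class User:
    role: Optional[str]   # role in the repository/registry; None if no membership
    frozen: bool = False


def login_allowed(token: Optional[Token]) -> bool:
    """Rule 1: login succeeds only with a valid personal token."""
    return token is not None and token.valid


def role_permits(role: Optional[str], op: str, visibility: str) -> bool:
    """Permission table: public pull needs no role, everything else a minimum role."""
    if op == "pull" and visibility == "public":
        return True
    if role is None:
        return False
    return ROLE_RANK[role] >= ROLE_RANK[MIN_ROLE[op]]


def restriction_matches(restriction: tuple, resource: Resource) -> bool:
    """Does the token's use restriction cover the accessed resource?"""
    if restriction[0] == "public_only":
        return resource.visibility == "public"
    return restriction[0] == resource.kind and restriction[1] == resource.name


def authorize(user: Optional[User], token: Optional[Token],
              resource: Resource, op: str) -> Tuple[bool, str]:
    """Return (allowed, reason). token=None models anonymous access."""
    if op not in MIN_ROLE:
        return False, "unknown operation"
    # Rule 5: any abnormal state rejects everything, even a public pull.
    if resource.frozen:
        return False, "resource frozen"
    if token is not None and not token.valid:
        return False, "token invalid or expired"
    if user is not None and user.frozen:
        return False, "user frozen"
    # Rule 2: anonymous access may only pull from a public registry.
    if token is None:
        if op == "pull" and resource.visibility == "public":
            return True, "anonymous public pull"
        return False, "anonymous access denied"
    # Rule 3: the user role AND the token's registry-package scope must both
    # grant the operation.
    if not role_permits(user.role if user else None, op, resource.visibility):
        return False, "role lacks permission"
    if op not in token.scopes:
        return False, "token scope lacks operation"
    # Rule 4: a token use restriction must cover the resource; if it does not,
    # fall back to the resource visibility (public: pull only; private: nothing).
    if token.restriction is None or restriction_matches(token.restriction, resource):
        return True, "authorized"
    if resource.visibility == "public" and op == "pull":
        return True, "public pull outside token restriction"
    return False, "token restriction does not cover resource"


if __name__ == "__main__":
    app = Resource("repository", "team/app", "public")       # constructed sample
    dev = User("developer")
    narrow = Token(True, frozenset({"pull", "push"}), ("repository", "team/other"))
    print(authorize(None, None, app, "pull"))   # (True, 'anonymous public pull')
    print(authorize(dev, narrow, app, "push"))  # (False, 'token restriction does not cover resource')
```

The ordering matters: the abnormal-state check comes before the anonymous rule so that a bad token on a public pull is rejected rather than silently downgraded to anonymous access, which is exactly the behaviour strategy 5 calls for.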
Artifact Types
CNB currently supports the following artifacts:
Artifact Type | Domain Name |
---|---|
Docker | docker.cnb.cool |
Helm | helm.cnb.cool |
Capacity Statistics
We charge based on the storage space occupied by artifacts hosted on CNB. You can view the capacity occupied by each artifact under Repositories - Usage Statistics.
Note: for Docker artifacts, duplicate base images are counted only once when calculating capacity.