GHCR images not visible to organization owner

lizrice · September 4, 2020, 9:39pm

I would expect that as an organization owner, I’d be able to see all container images under the organization, and I’d be able to change their visibility settings. That doesn’t seem to be the case and I wonder if this is a bug. Here’s what happened:

User A pushes a container image (e.g. docker push ghcr.io/aquasecurity/trivy:latest)
User B is an organization owner, but B can’t see this container image
- it doesn’t appear in the list of packages at https://github.com/orgs/aquasecurity/packages
- if user B is logged in and tries to pull the image they get Error response from daemon: pull access denied for ghcr.io/aquasecurity/trivy, repository does not exist or may require 'docker login': denied: permission_denied: read_package
If user A changes the visibility of the image to public, then it’s visible to user B in the UI, and can be pulled, but under the package settings for the image, user B sees the error message “You do not have permissions to administrate this package.”

Related, is there any relationship between permissions on a repo, and container image permissions with a matching name? For example, if user C is an admin on the aquasecurity/trivy repo, would you expect them to have visibility and management permissions on the ghcr.io/aquasecurity/trivy image? I think this would be helpful.

clarkbw · September 4, 2020, 9:39pm

Hello! We’re working on a complete fix for this but in the meantime you’re right that org owners can’t see private containers. There will be some options here but certain scenarios require private containers to be hidden even from owners. Again we’ll be addressing the default case you’re experiencing here.

If you want to keep the containers private but grant access you can add User B (or a Team that contains User B) in the container settings with read/write/admin access.

Currently there isn’t a direct relationship between a repo and a container for access control. The Docker service docker.pkg.github.com worked this way and we’re going to bring the good parts of that back while leaving the fine grained options.

You can use Teams to create a more manageable relationship where Team Admin has admin access to the repo and can also be granted admin access to the Container.

We’ll also have some refinements to this coming up as we workout the GITHUB_TOKEN support in Actions.

Cian911 · October 14, 2020, 11:16am

Hi @ clarkbw is there any update on this?

gautamkrishnar · October 31, 2020, 2:00pm

No update on this yet?. I faced the same problem today.

clarkbw · November 4, 2020, 11:11pm

We have a fix in the works that allows for org admins to be able to see and admin all containers within their org. Coming soon.

clarkbw · December 16, 2020, 12:28am

This was released a month ago https://github.blog/changelog/2020-11-16-packages-organization-admins-access-to-containers/