Hello,
I am trying to have users access a group’s Package Registry, where different users have different permissions:
Current situation
My group contains multiple projects, each with its own PyPI packages in the Package Registry:
|- Root
   |- Project A
   |- Project B
   |- Project C
User A has Developer access to group Root (and therefore all projects), but User B only has access to Project A and Project B.
When using the web UI, in the group’s Package Registry, User A sees all packages and User B sees only packages that are in Project A and Project B: this is the behavior I am looking for.
What I want to do
Users install packages with pip. I want to use the group-level registry to have only one URL in the pip config file (new projects may be added to the group and I don’t want to have to edit the config file each time).
What I would like is therefore to give each user the API endpoint for the group-level registry ({GITLAB_URL}/api/v4/groups/{GROUP_ID}/-/packages/pypi/simple) and have them use it with their personal access token.
Each user could then install all packages they should be able to access, with a single, fixed endpoint.
What I observe
User A can install all packages from the group-level endpoint.
However, User B cannot install anything: the endpoint replies with 403: Forbidden. This is unexpected since, in the web UI, User B has access to the group’s package registry (see above).
Am I doing something wrong? Or is this feature not supported by GitLab?