Multitenancy Support in Artifact Hub for Organization-Specific Visibility of Artifacts

[fkaksa]

Description:
Artifact Hub currently allows users to add their own repositories/artifacts. Users can also be part of organizations within the Artifact Hub. However, all artifacts are publicly visible by default once added, regardless of the user's organization. This feature request aims to introduce multitenancy support to allow organizations to control the visibility of their artifacts within Artifact Hub.

Feature Request:
Add a multitenancy feature to Artifact Hub, where organizations can manage the visibility of their artifacts based on organizational membership. This will allow organizations to control access to their artifacts, making them visible only to their members or publicly available to all users.

Key Features:

1. Organization-Level Visibility Settings:

   • Introduce a visibility setting at the organizational level where organizations can decide whether their artifacts are visible to only their own members or publicly available to everyone.
   • Example:
     • Org1 can decide that its artifacts are only visible to users who are members of Org1.
     • Org2 can choose to make its artifacts visible to all users, including those outside of the organization.

2. User-Based Access Control:

   • Ensure that users can only see and access artifacts based on their membership in organizations.
   • Example:
     • User1, who is a member of Org1, can only see artifacts from Org1 and publicly available artifacts.
     • User2, who is a member of Org2, can see artifacts from Org2 and publicly available artifacts.
     • If Org1 makes an artifact private, User2 cannot access it.

3. Default Settings for New Artifacts:

   • Allow organizations to set a default visibility for newly added artifacts (e.g., private to the organization by default or public).

4. Granular Access Control:

   • Optionally, introduce finer-grained access control where individual artifacts within an organization can have different visibility settings (e.g., some artifacts are private, while others are public).

Use Case Scenarios:

• Org1 wants to keep its proprietary artifacts private and only accessible by its team members, ensuring that no one outside the organization can view or use them.
• Org2 is working on open-source projects and wants to make all of its artifacts visible to everyone, regardless of their organizational membership.

Benefits:

• Enhanced security and privacy for organizations that need to keep their artifacts confidential.
• Flexibility for organizations to choose how their artifacts are shared within Artifact Hub.
• Improved user experience by ensuring users only see relevant artifacts based on their organizational membership.

---

This feature would add significant value for organizations using Artifact Hub, allowing them to better manage and protect their artifacts while still benefiting from the collaborative nature of the platform.

Thank you for considering this request!

[tegioz]

Hi @fkaksa 👋

Thank you for your proposal!

One of the Artifact Hub's goals is to foster collaboration and sharing, by providing a place where anyone can publish and discover all kinds of Cloud Native artifacts (ideally open source). IMHO providing a mechanism that allows publishers to list private content that would only be visible by a small number of users doesn't align well with this goal. We are mostly interested in features that would benefit most users of the https://artifacthub.io/ deployment. But any form of allowing/encouraging publishing private content isn't in our roadmap TBH.

An alternative way of achieving this for organizations that want to list private content would be to run their own Artifact Hub instance (some organizations are already doing that). I understand this requires some extra effort, but it also allows for more control regarding security (i.e. the site could be fully private, only accessible from the org's network), better users management (i.e. using an external identity provider), etc.

Hope this makes sense 🙂

[fkaksa]

Hi @tegioz,

Thank you very much for your response.

I fully understand the goals of Artifact Hub, and I believe you are doing an excellent job with the project.

That said, as you mentioned, we are likely to see an increasing number of organizations deploying Artifact Hub within their own infrastructure to host it for their customers—whether internal or external. For some companies, it’s crucial that customers cannot see each other's artifacts.
Currently, the only solution I see is deploying multiple instances of Artifact Hub, where Customer A accesses Artifact Hub A, and so on. Now, imagine having 100 customers; that would require 100 instances of Artifact Hub. Each instance would scrape artifacts from Artifactory (likely the same one), which would place significant pressure on Artifactory. The majority of artifacts would be common across customers, with perhaps only one or two being unique. Yet, due to these unique artifacts, new instances of Artifact Hub would need to be deployed.

I would appreciate it if you could consider this feature request. Perhaps tracking the number of "thumbs ups" from the community over time could help determine whether there is enough demand for this functionality.

Thanks for understanding :)

[tegioz]

Thanks @fkaksa 🙂

This is indeed an interesting idea and would probably be a nice feature, I agree. So it's likely that there will be more demand for it over time. However, IMHO this seems more like a purely business oriented feature, something that would benefit a very small fraction of the artifacthub.io deployment users.

Like most open source projects, we have limited resources. We need to be very careful about what we focus on, to make sure the time invested on Artifact Hub benefits a large number of publishers and users. We'd like to keep Artifact Hub as simple as possible, as increasing its complexity will complicate the sustainability of its maintenance. That's why we need to make sure that new features really align with our goals 😇