Restricted users

Goal: Enable user role that involves membership in multiple organizations but without the ability to create content on their own.

Background: Customers in highly regulated environments have a desire to selectively enable users to access existing content. At the same time they want to avoid permitting creating additional content in other organizations or entirely new organisations. This is not possible today because in Quay's current data model all users have a "home" organization by default and also have the permission to create new organizations. In both cases repositories can be created at will which is undesireable.

Why is this important: One use case here is that software build systems and CD pipelines need access to multiple organizations in Quay at once in order to carry out artifact creation and application deployment. While there are ways to give these systems multiple credentials to various Quay organizations (PROJQUAY-1435) this adds maintenance overhead and does not scale well. Since robot tokens are conceptually tied to a single organization, the only way to have seamless access across Quay organization with a single set of credentials is a Quay user.
The other use case is found in highly regulated environments, where strict access control needs to applied at the user level and content creation rights must be controlled separately from content access rights. In essence, in environments like the banking industry, only a selected set of users is able to create new content in Quay, while a larger set of users is allowed to access this content but not manipulate or create net-new content.

Expected deliverables:

• a user can be configured so that they have no permission to create their own organizations but only get access to the existing organizations they are a member of
• a user can be configured so that they have no permission to create content in their  "home" organizations" but only get to collaborate in the existing organizations they are a member of
• an LDAP group can be configured to explicitly deny users users from being able able to create new organizations so that users don't have to configured individually

Optional deliverables:

• a user can be configured to have read/write permissions at the organization level, automatically inherited to any repository in the organization
• a configuration option exists that prevents users from creating new organizations globally unless an admin selectively enables it for a user
• an LDAP group can be configured to explicitly allow users to be able to create new organizations so that users don't have to configured individually if above global policy is in place

Open Questions:

• is it potentially enough to tie permissions to prevent additional organizations from being created to a user and LDAP group and not deliver a registry-wide option to disable org creation, unless specifically granted? If LDAP is used users cannot create an account or login if they are not part of the LDAP tree