Controlling access to packages

By default, all packages, notebooks and environments uploaded to Repository are public, meaning they are accessible to anyone who has access to Repository.

When you make a package private, only you and the users you authorize can access it.

You can authorize users to access your private package in two ways:

  • Use a group inside an organization account—only group members who are logged in can access the package. This is the best way to control access to your private packages because it allows you to set separate permissions for each package, notebook or environment.

  • Use a token control system—only users who have the appropriate token can access the private package or channel.

After you grant other users access, they can download and install your package using the Web UI or Client.

Making a package private

  1. In the Web UI, in the Tools menu, select Packages.

  2. OPTIONAL: If the packages you are looking for are not visible, under Filters, in the Type list, select All.

  3. Select the checkbox next to each package you want to make private.

  4. Click the Settings tab, and then click the Admin tab in the sidebar.

    NOTE: You can also reach this page at the following URL:

    https://<your-anaconda-repo>/USERNAME/PACKAGE/settings/admin
    

    Replace <your-anaconda-repo> with the name of your local Repository, USERNAME with your username and PACKAGE with the name of the package.

  5. Click Set access, then select Private.

NOTE: You can use the same procedure and URL to make Jupyter Notebooks and conda environments private.

Using groups to allow access to private packages

  1. Create an organization.

  2. Upload or transfer the package to the organization.

  3. Within the organization, create a group with the appropriate users, permissions, and packages.

Creating a token to allow access to a private package or channel

You can control access to private packages and channels with the token system. All Repository URLs can be prefixed with /t/<token> to allow access.

You choose the degree of access a token grants when you generate it. You can generate multiple tokens with different access, so that each group of users can reach only the features its token allows.

Tokens provide access to all packages in a specified channel. Separate permissions per package, notebook or environment may be better handled with organizations and groups.

You can generate tokens using the Web UI or Anaconda Client.

NOTE: By default, tokens expire after one year.

Generating a token in the Web UI

  1. Navigate to:

    https://<your-anaconda-repo>/<channel>/settings/access
    

    NOTE: Replace <your-anaconda-repo> with the name of your local Repository, and <channel> with the name of the desired channel.

  2. In the Token Name box, type a name for the token.

  3. Select the appropriate checkboxes for the type of access you want to allow for users of this token.

    EXAMPLE: To allow users to download private packages or packages from private channels, select Allow private downloads from Conda repositories.

  4. Click the Create button.

Generating a token with Client

  1. In a Client Terminal window or Anaconda Prompt, run:

    anaconda auth --create --name YOUR-TOKEN-NAME --scopes 'repos conda:download'
    

    NOTE: Replace YOUR-TOKEN-NAME with a name for the new token.

    Provide scopes as a space-separated, quoted list. The token produced by the above command provides access to download any of your private conda repositories. The available scopes are:

    • all: Allow all operations.

    • api: Allow all API operations.

    • api:modify-group: Allow addition and modification of groups.

    • api:read: Allow read access to the API site.

    • api:write: Allow write access to the API site.

    • conda: Allow all operations on conda repositories.

    • conda:download: Allow private downloads from conda repositories.

    • pypi: Allow all operations on PyPI repositories.

    • pypi:download: Allow private downloads from PyPI repositories.

    • pypi:upload: Allow uploads to PyPI repositories.

    • repos: Allow access to all package repositories.

  2. You can enable the token with the conda config command:

    conda config --add channels https://conda.anaconda.org/t/<token>/<channel>
    

    Or to add a channel with a token and label:

    conda config --add channels https://conda.anaconda.org/t/<token>/<channel>/label/<labelname>
    

    NOTE: Replace <token> with your token string, <channel> with the desired channel name, and <labelname> with the label name.

    NOTE: If you lose the token’s random alphanumeric string, you must revoke the token and create a new one.
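
An added example, not part of the Repository documentation or Client: a pre-check for a --scopes value that reports misspelled scope names and scopes broader than the consumer needs. The scope names come from the list above; treating a parent scope such as conda as covering conda:download, and all as covering everything, is an assumption based on the scope descriptions.

```python
# Scope names copied from the list on this page.
KNOWN_SCOPES = {
    "all", "api", "api:modify-group", "api:read", "api:write",
    "conda", "conda:download", "pypi", "pypi:download", "pypi:upload", "repos",
}


def covers(granted, wanted):
    """True if `granted` includes `wanted` (assumed parent:child hierarchy)."""
    return granted == "all" or granted == wanted or wanted.startswith(granted + ":")


def review_scopes(scope_string, needed):
    """Check a space-separated --scopes value against the minimum needed set.

    Returns (unknown, missing, excess):
      unknown - requested names that are not in the documented list (typos)
      missing - needed scopes that no requested scope covers
      excess  - requested scopes that grant more than any needed scope
    """
    requested = scope_string.split()
    unknown = [s for s in requested if s not in KNOWN_SCOPES]
    valid = [s for s in requested if s in KNOWN_SCOPES]
    missing = [n for n in needed if not any(covers(g, n) for g in valid)]
    excess = [g for g in valid if not any(covers(n, g) for n in needed)]
    return unknown, missing, excess


# Minimum set for a download-only consumer, taken from the command on this page.
DOWNLOAD_ONLY = ["repos", "conda:download"]

if __name__ == "__main__":
    for candidate in ("repos conda:download", "all", "repos conda conda:downlaod"):
        unknown, missing, excess = review_scopes(candidate, DOWNLOAD_ONLY)
        print(f"{candidate!r}: unknown={unknown} missing={missing} excess={excess}")
```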

Using a token

The token can be used to:

  • Add a channel from which to install private packages:

    conda config --add channels https://conda.<your-anaconda-repo>/t/<token>/<channel>
    

    NOTE: Replace <your-anaconda-repo> with the name of your local Repository, <token> with the provided token and <channel> with a user channel.

  • Install a private package without first adding a channel:

    conda install -c https://conda.<your-anaconda-repo>/t/<token>/<channel> <package>
    

    To install a package from a channel using a token and a label name:

    conda install -c https://conda.<your-anaconda-repo>/t/<token>/<channel>/label/<labelname> <package>
    

    NOTE: Replace <your-anaconda-repo> with the name of your local Repository, <token> with the provided token, <channel> with a user channel, <labelname> with the label name and <package> with the name of the package to install.

  • Install a private PyPI package:

    pip install --index-url https://pypi.<your-anaconda-repo>/t/<token>/<channel>/PACKAGE
    

    NOTE: Replace <your-anaconda-repo> with the name of your local Repository, <token> with the provided token, <channel> with a user channel and PACKAGE with the name of the desired package.

    NOTE: Private PyPI packages can also be installed using:

    https://pypi.<your-anaconda-repo>/t/<token>/<channel>
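
Because the token is part of the channel URL, it is stored wherever that URL is written, for example in the .condarc file that conda config --add channels updates. The following added example (not part of the Repository documentation) finds and masks /t/<token> segments in text; the host, channel and token in the sample are constructed, and the token pattern (any non-slash characters after /t/) is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches the /t/<token> path prefix described on this page.
# Assumption: the token is the first path segment after /t/.
TOKEN_SEGMENT = re.compile(r"^/t/([^/]+)(/.*)?$")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def split_token_url(url):
    """Return (token, url_without_token); token is None if the URL has none."""
    parts = urlsplit(url)
    m = TOKEN_SEGMENT.match(parts.path)
    if not m:
        return None, url
    return m.group(1), urlunsplit(parts._replace(path=m.group(2) or "/"))


def redact(text, mask="<redacted>"):
    """Mask every embedded token in free text (logs, .condarc, shell history)."""
    def _sub(match):
        token, _ = split_token_url(match.group(0))
        if token is None:
            return match.group(0)
        return match.group(0).replace("/t/" + token, "/t/" + mask, 1)
    return URL_RE.sub(_sub, text)


def find_tokens(text):
    """List (line_number, token_free_url) per hit, never echoing the token."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            token, clean = split_token_url(url)
            if token is not None:
                hits.append((n, clean))
    return hits


# Constructed sample: a .condarc fragment with a made-up host and token.
SAMPLE_CONDARC = """\
channels:
  - https://conda.repo.example.internal/t/EXAMPLEtoken123/team-a/label/dev
  - https://conda.repo.example.internal/public-channel
  - defaults
"""

if __name__ == "__main__":
    for line_no, url in find_tokens(SAMPLE_CONDARC):
        print(f"line {line_no}: token embedded in channel URL for {url}")
    print(redact(SAMPLE_CONDARC))
```

A channel that is itself named t would be reported as a false positive, so review hits before revoking anything.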
    

Revoking a token

You can revoke tokens using the Web UI or Client.

To revoke a token using the Web UI, from the far-right drop-down menu, select My Settings, then from the left navigation select Access.

At the bottom of the page, you will see a list of all tokens you have generated. Click the name of the token you want to revoke, then in the dialog box that appears, click the Revoke Token button.

Or to revoke a token using Client, run:

    anaconda auth -r YOUR-TOKEN-NAME

NOTE: Replace YOUR-TOKEN-NAME with the name of the token you want to revoke.