==============================
Controlling access to packages
==============================

.. contents::
   :local:
   :depth: 1


By default, all packages, notebooks and environments uploaded to
Repository are public, meaning they are accessible to anyone who
has access to Repository.

When you :ref:`make a package private <repo-make-pkg-private>`,
only you and the users you authorize can access it.

You can authorize users to access your private package in two
ways:

* :ref:`Use a group <repo-access-by-group>` inside an
  organization account---only group members who are logged in can
  access the package. This is the best way to control
  access to your private packages because it allows you
  to set separate permissions for each package, notebook or
  environment.

* :ref:`Use a token control system <repo-access-by-token>`---only
  users who have the appropriate :ref:`token
  <repo-glossary-token>` can access the private package or
  channel.

After you grant other users access, they can :doc:`download and
install <download-install-pkg>` your package using the Web UI or
Client.


.. _repo-make-pkg-private:

Making a package private
========================

#. In the Web UI, in the **Tools** menu, select Packages.

#. OPTIONAL: If the packages you are looking for are not visible,
   under Filters, in the Type list, select All.

#. Select the checkbox next to each package you want to make
   private.

#. Click the **Settings** tab, and then click the **Admin** tab
   in the sidebar.

   NOTE: You can also reach this page at the following URL::

     https://<your-anaconda-repo>/USERNAME/PACKAGE/settings/admin

   Replace ``<your-anaconda-repo>`` with the name of your local
   Repository, ``USERNAME`` with your username and ``PACKAGE``
   with the name of the package.

#. Click Set access, then select Private.

NOTE: You can use the same procedure and URL to make Jupyter
Notebooks and conda environments private.


.. _repo-access-by-group:

Using groups to allow access to private packages
================================================

#. :ref:`Create an organization <repo-creating-orgs>`.

#. :ref:`Upload <repo-org-upload-pkg>` or :ref:`transfer
   <repo-org-transfer-pkg>` the package to the organization.

#. Within the organization, :ref:`create a group
   <repo-org-groups-access>` with the appropriate users,
   permissions, and packages.


.. _repo-access-by-token:

Creating a token to allow access to a private package or channel
================================================================

You can control access to private packages and channels with the
:ref:`token <repo-glossary-token>` system. All Repository URLs
can be prefixed with ``/t/<token>`` to allow access.

The degree of access a token grants is completely configurable
when you generate it. You can generate multiple tokens to
control which groups of users have access to certain features
if they have the appropriate token.

Tokens provide access to all packages in a specified
channel. Separate permissions per package, notebook or environment
may be better handled with :ref:`organizations and groups
<repo-access-by-group>`.

You can generate tokens using the Web UI or Anaconda Client.

NOTE: By default, tokens expire after one year.


Generating a token in the Web UI
--------------------------------

#. Navigate to::

     https://<your-anaconda-repo>/<channel>/settings/access

   NOTE: Replace ``<your-anaconda-repo>`` with the name of your
   local Repository, and ``<channel>`` with the name of the desired
   channel.

#. In the Token Name box, type a name for the token:

   .. figure:: /img/repo-tokens.png

      ..

   |

#. Select the appropriate checkboxes for the type of access you
   want to allow for users of this token.

   EXAMPLE: To allow users to download private packages or
   packages from private channels, select Allow private
   downloads from Conda repositories.

#. Click the Create button.


Generating a token with Client
-------------------------------

#. In a Client Terminal window or Anaconda Prompt, run::

     anaconda auth --create --name YOUR-TOKEN-NAME --scopes repos conda:download'



   NOTE: Replace ``YOUR-TOKEN-NAME`` with a name for the new
   token.

   Provide scopes as a space-separated, quoted list. The token
   produced by the above command provides access to download any
   of your private conda repositories. The available scopes are:

   * ``all``: Allow all operations.

   * ``api``: Allow all API operations.

   * ``api:modify-group``: Allow addition and modification of groups.

   * ``api:read``: Allow read access to the API site.

   * ``api:write``: Allow write access to the API site.

   * ``conda``: Allow all operations on conda repositories.

   * ``conda:download``: Allow private downloads from conda repositories.

   * ``pypi``: Allow all operations on PyPI repositories.

   * ``pypi:download``: Allow private downloads from PyPI repositories.

   * ``pypi:upload``: Allow uploads to PyPI repositories.

   * ``repos``: Allow access to all package repositories.

#. You can enable the token with the ``conda config`` command::

     conda config --add channels https://conda.anaconda.org/t/<token>/<channel>

   Or to add a channel with a token and label::
   
     conda config --add channels https://conda.anaconda.org/t/<token>/<channel>/label/<labelname>

   NOTE: Replace ``<token>`` with your token string,``<channel>`` with the
   desired channel name, and ``<labelname>`` with the label name.

   NOTE: If you lose the token's random alphanumeric string, you
   must :ref:`revoke the token <repo-accounts-revoke-token>` and
   create a new one.

Using a token
=============

The token can be used to:

* Add a channel from which to install private packages::

    conda config --add channels https://conda.<your-anaconda-repo>/t/<token>/<channel>



  NOTE: Replace ``<your-anaconda-repo>`` with the name of your
  local Repository, ``<token>`` with the provided token and
  ``<channel>`` with a user channel.

* Install a private package without first adding a channel::

    conda install -c https://conda.<your-anaconda-repo>/t/<token>/<channel> <package>

  To install a package from a channel using a token and a label name::

    conda install -c https://conda.<your-anaconda-repo>/t/<token>/<channel>/label/<labelname> <package>

  NOTE: Replace ``<your-anaconda-repo>`` with the name of your local
  Repository, ``<token>`` with the provided token, ``<channel>`` with a user
  channel, ``<labelname>`` with the label name and ``<package>`` with the
  name of the package to install.

* Install a private PyPI package::

    pip install --index-url https://pypi.<your-anaconda-repo>/t/<token>/<channel>/PACKAGE



  NOTE: Replace ``<your-anaconda-repo>`` with the name of your
  local Repository, ``<token>`` with the provided token,
  ``<channel>`` with a user channel and ``PACKAGE`` with the
  name of the desired package.

  NOTE: Private PyPI packages can also be installed using::

    https://pypi.<your-anaconda-repo>/t/<token>/<channel>


.. _repo-accounts-revoke-token:

Revoking a token
=================

You can revoke tokens using the Web UI or Client.

To revoke a token using the Web UI, from the far-right drop-down menu,
select My Settings, then from the left navigation select Access.

At the bottom of the page, you will see a list of all tokens you have
generated. Click the name of the token you want to revoke, then in the
dialog box that appears, click the Revoke Token button.

Or to revoke a token using Client, run::

  anaconda auth -r YOUR-TOKEN-NAME

NOTE: Replace ``YOUR-TOKEN-NAME`` with the name of the token
you want to revoke.
