diff --git a/data/registry_model/datatypes.py b/data/registry_model/datatypes.py
index 78f038479..93c81a448 100644
--- a/data/registry_model/datatypes.py
+++ b/data/registry_model/datatypes.py
@@ -47,6 +47,15 @@ class RepositoryReference(datatype('Repository', [])):
 return model.repository.is_repository_public(self._repository_obj)
+ @property
+ def trust_enabled(self):
+ """ Returns whether trust is enabled in this repository. """
+ repository = self._repository_obj
+ if repository is None:
+ return None
+
+ return repository.trust_enabled
+
 @property
 def id(self):
 """ Returns the database ID of the repository. """
diff --git a/endpoints/v2/__init__.py b/endpoints/v2/__init__.py
index 520dd2e07..d20ad76df 100644
--- a/endpoints/v2/__init__.py
+++ b/endpoints/v2/__init__.py
@@ -15,9 +15,9 @@ from auth.auth_context import get_authenticated_context
 from auth.permissions import (
 ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission)
 from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
+from data.registry_model import registry_model
 from endpoints.decorators import anon_protect, anon_allowed, route_show_if
 from endpoints.v2.errors import V2RegistryException, Unauthorized, Unsupported, NameUnknown
-from endpoints.v2.models_pre_oci import data_model as model
 from util.http import abort
 from util.metrics.metricqueue import time_blueprint
 from util.registry.dockerver import docker_version
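Review bot: The docstring on the new `trust_enabled` property does not say that it returns `None` rather than a bool when `_repository_obj` is unset, which is a third state callers must treat as "disabled" (the `_get_tuf_root` hunk in v2auth.py does so via `not repository_ref.trust_enabled`). Suggest `""" Returns whether trust is enabled in this repository, or None if no backing repository object is present. """`. The neighbouring `is_public` property, whose last line is the context line above the addition, passes `self._repository_obj` straight to `model.repository.is_repository_public` with no such guard, so the two properties handle a missing backing object differently; worth aligning them or documenting which behaviour is intended. The enclosing `RepositoryReference` class starts and ends outside the hunk.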
@@ -98,15 +98,15 @@ def _require_repo_permission(permission_class, scopes=None, allow_public=False):
 repository = namespace_name + '/' + repo_name
 if allow_public:
- repo = model.get_repository(namespace_name, repo_name)
- if repo is None or not repo.is_public:
+ repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+ if repository_ref is None or not repository_ref.is_public:
 raise Unauthorized(repository=repository, scopes=scopes)
- if repo.kind != 'image':
- msg = 'This repository is for managing %s resources and not container images.' % repo.kind
+ if repository_ref.kind != 'image':
+ msg = 'This repository is for managing %s and not container images.' % repository_ref.kind
 raise Unsupported(detail=msg)
- if repo.is_public:
+ if repository_ref.is_public:
 return func(namespace_name, repo_name, *args, **kwargs)
 raise Unauthorized(repository=repository, scopes=scopes)
diff --git a/endpoints/v2/v2auth.py b/endpoints/v2/v2auth.py
index bceb14e55..9cb80371c 100644
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@@ -11,11 +11,12 @@ from auth.auth_context import get_authenticated_context, get_authenticated_user
 from auth.decorators import process_basic_auth
 from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
 CreateRepositoryPermission, AdministerRepositoryPermission)
+from data import model
+from data.registry_model import registry_model
 from endpoints.decorators import anon_protect
 from endpoints.v2 import v2_bp
 from endpoints.v2.errors import (InvalidLogin, NameInvalid, InvalidRequest, Unsupported,
 Unauthorized, NamespaceDisabled)
-from endpoints.v2.models_pre_oci import data_model as model
 from util.cache import no_cache
 from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
 from util.security.registry_jwt import (generate_bearer_token, build_context_and_subject,
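Review bot: The new `if repository_ref.is_public:` near the end of the hunk appears to be always true, because the guard earlier in the same `allow_public` branch already raised `Unauthorized` when the reference is `None` or not public, which leaves the final `raise Unauthorized(repository=repository, scopes=scopes)` unreachable; unless it is meant as a defensive backstop, the tail could simply be `return func(namespace_name, repo_name, *args, **kwargs)`. This hunk also raises `Unsupported(detail=msg)` while the v2auth.py hunks on this page raise `Unsupported(message=invalid_repo_message)`; if `V2RegistryException` accepts both keyword names this is only a style inconsistency, otherwise one of the two sites is losing its text, so it is worth confirming against the exception class. `_require_repo_permission` starts before the hunk, and since the body closes over `func` the visible lines are presumably an inner decorator whose definition continues outside it.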
@@ -117,11 +118,11 @@ def _get_scope_regex():
 return re.compile(scope_regex_string)
-def _get_tuf_root(repo, namespace, reponame):
- if not features.SIGNING or repo is None or not repo.trust_enabled:
+def _get_tuf_root(repository_ref, namespace, reponame):
+ if not features.SIGNING or repository_ref is None or not repository_ref.trust_enabled:
 return DISABLED_TUF_ROOT
- # Users with write access to a repo will see signer-rooted TUF metadata
+ # Users with write access to a repository will see signer-rooted TUF metadata
 if ModifyRepositoryPermission(namespace, reponame).can():
 return SIGNER_TUF_ROOT
 return QUAY_TUF_ROOT
@@ -162,18 +163,18 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
 raise NameInvalid(message='Invalid repository name: %s' % namespace_and_repo)
 # Ensure the namespace is enabled.
- if not model.is_namespace_enabled(namespace):
+ if not registry_model.is_namespace_enabled(namespace):
 msg = 'Namespace %s has been disabled. Please contact a system administrator.' % namespace
 raise NamespaceDisabled(message=msg)
 final_actions = []
- repo = model.get_repository(namespace, reponame)
- repo_is_public = repo is not None and repo.is_public
+ repository_ref = registry_model.lookup_repository(namespace, reponame)
+ repo_is_public = repository_ref is not None and repository_ref.is_public
 invalid_repo_message = ''
- if repo is not None and repo.kind != 'image':
+ if repository_ref is not None and repository_ref.kind != 'image':
 invalid_repo_message = ((
- 'This repository is for managing %s resources '
- 'and not container images.') % repo.kind)
+ 'This repository is for managing %s '
+ 'and not container images.') % repository_ref.kind)
 if 'push' in actions:
 # Check if there is a valid user or token, as otherwise the repository cannot be
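Review bot: `_get_tuf_root` still has no docstring, and its return value decides which TUF root a client is told to trust, so the rule deserves stating on the function rather than being left to the reader to reconstruct from the branches: `DISABLED_TUF_ROOT` when `features.SIGNING` is off, the repository is unknown, or trust is not enabled; `SIGNER_TUF_ROOT` when the caller holds `ModifyRepositoryPermission` on the repository; `QUAY_TUF_ROOT` otherwise. A docstring of that shape should also say that `repository_ref` may be `None` and that a `None` `trust_enabled` (the new property in datatypes.py returns one when it has no backing object) is treated the same as trust being disabled, since the `not repository_ref.trust_enabled` test relies on that.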
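Review bot: The text `'This repository is for managing %s '` `'and not container images.'` is now assembled here and, in one-line form, in `_require_repo_permission` in endpoints/v2/__init__.py; both copies had to be edited in step in this commit, which is the usual sign they belong in one shared helper or module constant so the next wording change cannot diverge. The `repository_ref is not None and repository_ref.kind != 'image'` condition that gates the message is also re-evaluated in the push, pull and `*` hunks further down this file; computing it once next to `invalid_repo_message`, e.g. `repo_is_non_image = repository_ref is not None and repository_ref.kind != 'image'`, would let those sites test a single name. `_authorize_or_downscope_request` starts before the hunk and continues after it.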
@@ -181,9 +182,9 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
 if has_valid_auth_context:
 # Lookup the repository. If it exists, make sure the entity has modify
 # permission. Otherwise, make sure the entity has create permission.
- if repo:
+ if repository_ref:
 if ModifyRepositoryPermission(namespace, reponame).can():
- if repo.kind != 'image':
+ if repository_ref.kind != 'image':
 raise Unsupported(message=invalid_repo_message)
 final_actions.append('push')
@@ -193,7 +194,7 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
 user = get_authenticated_user()
 if CreateRepositoryPermission(namespace).can() and user is not None:
 logger.debug('Creating repository: %s/%s', namespace, reponame)
- model.create_repository(namespace, reponame, user)
+ model.repository.create_repository(namespace, reponame, user)
 final_actions.append('push')
 else:
 logger.debug('No permission to create repository %s/%s', namespace, reponame)
@@ -201,7 +202,7 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
 if 'pull' in actions:
 # Grant pull if the user can read the repo or it is public.
 if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public:
- if repo is not None and repo.kind != 'image':
+ if repository_ref is not None and repository_ref.kind != 'image':
 raise Unsupported(message=invalid_repo_message)
 final_actions.append('pull')
@@ -211,7 +212,7 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
 if '*' in actions:
 # Grant * user is admin
 if AdministerRepositoryPermission(namespace, reponame).can():
- if repo is not None and repo.kind != 'image':
+ if repository_ref is not None and repository_ref.kind != 'image':
 raise Unsupported(message=invalid_repo_message)
 final_actions.append('*')
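Review bot: `if repository_ref:` tests the reference by truthiness, while every other site in this function (`repo_is_public`, and the pull and `*` hunks below) uses `repository_ref is not None`; `RepositoryReference` is built from `datatype('Repository', [])` in datatypes.py and whether that base defines `__bool__` or `__len__` is not visible on this page, so `if repository_ref is not None:` is both the safer form and the one consistent with the rest of the function. This matters because the falsy branch is the one that creates a repository, so an unexpectedly falsy reference would send an existing repository down the create path rather than the modify-permission check. The function starts and ends outside this hunk.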
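Review bot: `model.repository.create_repository(namespace, reponame, user)` is the one call in this file that goes to `data.model` directly, while the lookups in the same function now go through `registry_model`; the new `from data import model` import in the earlier hunk exists only for this line. If `registry_model` has no create operation yet, a short comment on the line, e.g. `# registry_model exposes no create operation yet; go through data.model directly`, would stop a later reader from treating the mixed layering as accidental or from "fixing" it by removing the import. The function continues outside the hunk.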
@@ -220,4 +221,4 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
 return scopeResult(actions=final_actions, namespace=namespace, repository=reponame,
 registry_and_repo=registry_and_repo,
- tuf_root=_get_tuf_root(repo, namespace, reponame))
+ tuf_root=_get_tuf_root(repository_ref, namespace, reponame))