Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token specific to project #6201

Closed
jakirpatel opened this issue Nov 2, 2018 · 10 comments
Closed

Token specific to project #6201

jakirpatel opened this issue Nov 2, 2018 · 10 comments
Assignees
@reasonerjt
Labels
backlog

Comments

@jakirpatel
Copy link

Is your feature request related to a problem? Please describe.
Yes. We do have the LDAP in place. The current relationship between harbor and teams is differentiated through projects in the harbor.So one team is having N number of mailing lists and we have assigned the one project --> one team.

Our problem:

Teams don't have common accounts. So either we should be dependent on username/password in LDAP of some member which is not a feasible way to do automation.

Describe the solution you'd like
There is the concept called as bot-accounts. In my opinion for reliable CI/CD automation, there should be token specific to the project. The lifecycle of the project can be managed by the Harbor admin and project admin.

Also, it will be really helpful if the token can be assigned with the current role like admin, developer, and guest.

Any thoughts about this?
@reasonerjt reasonerjt self-assigned this Nov 2, 2018
@reasonerjt
Copy link
Contributor

For automation or CI integration, do you only want the bot-accounts do push/pull, or any other manage API calls.

We did have some feedback requiring the bot account, but it's mainly focusing on push/pull actions, if the token is introduced, but it can only do push and pull with that token, will it satisfy your scenario?

@jakirpatel
Copy link
Author

jakirpatel commented Nov 2, 2018
edited
Loading

@reasonerjt

Thanks for your reply. We may require the other API calls too. For example, let's look our approach of Automation specific to harbor (Prod):

  1. Create the project (for the first time)
  2. Create the LDAP group.
  3. Assign LDAP group to the project.
  4. Build the docker image
  5. Push to harbor
  6. Add the label to the image (example: Prod)
  7. Scan the image (Optional)

Right now we are doing this with the Harbor admin through our CI. But it may be a potential risk if the someone exposes the token.

We want the teams will have more authority to configure their own projects. Also, we do have the worker in place which is doing the deletion of the images with some specific rules.

Please share your opinions.

@jakirpatel
Copy link
Author

For automation or CI integration, do you only want the bot-accounts do push/pull, or any other manage API calls.

We did have some feedback requiring the bot account, but it's mainly focusing on push/pull actions, if the token is introduced, but it can only do push and pull with that token, will it satisfy your scenario?

But even I think this approach can also work. For push and pull at least..

@reasonerjt
Copy link
Contributor

@jakirpatel

Thanks for your reply. We may require the other API calls too. For example, let's look our approach of Automation specific to harbor (Prod):

  1. Create the project (for the first time)
  2. Create the LDAP group.
  3. Assign LDAP group to the project.
  4. Build the docker image
  5. Push to harbor
  6. Add the label to the image (example: Prod)
  7. Scan the image (Optional)

Right now we are doing this with the Harbor admin through our CI. But it may be a potential risk if the someone exposes the token.

We want the teams will have more authority to configure their own projects. Also, we do have the worker in place which is doing the deletion of the images with some specific rules.

Please share your opinions.

This ask is essentially customisable fine-grained permission control over API, this is a valid scenario, but requires heavy refactory that may not happen very soon.
Provide bot-account for push/pull seems a lower hangin fruit though.

@jakirpatel
Copy link
Author

@reasonerjt

Even I think in any case is it possible to have the combination of DB account and LDAP Account ?

Like if I can create the DB account and if we can set the relationship of the DB account in postgres itself.

What you think about this ? I am curious the admin account itself is DB Account.

@reasonerjt
Copy link
Contributor

reasonerjt commented Nov 2, 2018
edited
Loading

I understand you want to avoid setting credentials of LDAP in your automation scripts/tools.
However, comparing to bot-account, it's another story to provide combination of DB + LDAP user. Esp. if we think about the migration of current users.
But I think we'll consolidate the requirements when providing a solution for bot-accounts or integration-account, etc.

@jakirpatel
Copy link
Author

jakirpatel commented Nov 2, 2018
edited
Loading

@reasonerjt

The major security risk we are facing now that in Kubernetes we are providing the secret which is created by the admin username and password. Which is ultimately not a good practice.

Talking about the token I am okay if I 'll get the token for only push or pull to a specific project. Will it be possible with respect to the project?

@ghost
Copy link

ghost commented Nov 2, 2018

I think this can be done. Is this something you're willing to contribute @jakirpatel ? If not we'll work on adding it to the roadmap.

@jakirpatel
Copy link
Author

jakirpatel commented Nov 5, 2018
edited
Loading

@clouderati

Happy to contribute if possible... For time being could you please add to the roadmap? I'll pick it ASAP when I get the time for it...

@reasonerjt
Copy link
Contributor

The robot account will be part of 1.8.0:
#6565

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@reasonerjt reasonerjt

Labels
backlog
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@reasonerjt @jakirpatel