add proposal of robot account enhancement #148
Signed-off-by: wang yan <wangyan@vmware.com>
proposals/new/Robot-Account-2.md
Outdated
2. As a system admin, I can edit a system level robot account to enhance/reduce the access scope. | ||
3. As a system admin, I can edit a system level robot account to enhance/reduce the project scope. | ||
4. As a system admin, I can extend the expiration data of a system level robot account. | ||
5. As a system admin, I can view the token of a system level robot account and refresh the token. |
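Review bot: story 5 lets a system admin view the token of an existing system level robot account, which only works if the secret is kept in a recoverable form. If the token is meant to be shown once, reword the story so that viewing is limited to creation or refresh time. Story 4 also has a typo: "expiration data" should read "expiration date".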
I recall there's a requirement to edit the token, for example I can set the password of a robot account to passw0rd
Robot Account is a System Administrator and Project Administrator operation in Harbor. | ||
|
||
* User Stories | ||
|
There's also a requirement not forcing the user to use robot$xxxx as username?
proposals/new/Robot-Account-2.md
Outdated
/* | ||
permissions string used as the access scope. | ||
*/ | ||
permissions varchar(1024), |
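Review bot: the comment on the permissions column says only that the string is "used as the access scope" and gives no format, so a reader cannot tell how the value is encoded or validated. Document the encoding in the column comment and state what happens when a scope list no longer fits in varchar(1024).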
Can we extract the scope to another table?
In the future we may associate such scopes with a customized role or access token that may be shared by different Harbor instances.
proposals/new/Robot-Account-2.md
Outdated
/* | ||
permissions string used as the access scope. | ||
*/ | ||
permissions varchar(1024), |
What if the permission conflicts with the project id?
I just created the issue goharbor/harbor#13384. I am not sure why the robot user cannot currently be used to pull-replicate private projects, but I guess it has something to do with the |
|
||
## Abstract | ||
|
||
Robot account limited into one specific project, it cannot access multiple projects. |
@wy65701436 Would it be possible to grant permissions to access registry catalog /v2/_catalog for such new robot account?
secret string used as the password of robot account. | ||
For v2.2, it stores the secret. | ||
*/ | ||
secret varchar(2048), |
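Review bot: the column comment "For v2.2, it stores the secret" does not say in what form the value is stored. State in the comment whether this is the plaintext secret or a salted hash and, if a hash, where the salt is kept, since varchar(2048) alone does not tell a reader which.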
Please make sure this is a hash, not plain text.
* (P1)Whether to provide Kubernetes pull secret for the robot account. | ||
* (P1)Whether to provide Docker credentials config for the robot account. | ||
|
||
## Security Concern |
Please update the proposal to conclude how these concerns are addressed.
Is this coming with v2.2.0?
@mrd2 join the community meeting tomorrow at 14:00 CEST. I’ll bring that topic up, as we need that as well.