add proposal of robot account enhancement #148
Conversation
wy65701436
force-pushed
the
robot-account-2
branch
5 times, most recently
from
0fbc7b2
to
dc2b845
Compare
wy65701436
force-pushed
the
robot-account-2
branch
2 times, most recently
from
78136c9
to
8325f58
Compare
Signed-off-by: wang yan <wangyan@vmware.com>
wy65701436
force-pushed
the
robot-account-2
branch
from
8325f58
to
ff21c73
Compare
proposals/new/Robot-Account-2.md
Outdated
| 2. As a system admin, I can edit a system level robot account to enhance/reduce the access scope. | ||
| 3. As a system admin, I can edit a system level robot account to enhance/reduce the project scope. | ||
| 4. As a system admin, I can extend the expiration data of a system level robot account. | ||
| 5. As a system admin, I can view the token of a system level robot account and refresh the token. |
There was a problem hiding this comment.
I recall there's requirement to edit the token, for example I can set the password of a robot account to passw0rd
| Robot Account is a System Administrator and Project Administrator operation in Harbor. | ||
|
|
||
| * User Stories | ||
|
|
There was a problem hiding this comment.
There's also requirement not forcing the user to use robot$xxxx as username?
proposals/new/Robot-Account-2.md
Outdated
| /* | ||
| permissions string used as the access scope. | ||
| */ | ||
| permissions varchar(1024), |
There was a problem hiding this comment.
can we extract the scope to another table?
In future we may associate such scopes with a customized role or access token that maybe shared by different Harbor instances.
proposals/new/Robot-Account-2.md
Outdated
| /* | ||
| permissions string used as the access scope. | ||
| */ | ||
| permissions varchar(1024), |
There was a problem hiding this comment.
What if the permission conflicts with the project id?
wy65701436
force-pushed
the
robot-account-2
branch
from
4982ee1
to
d3acda2
Compare
Signed-off-by: wang yan <wangyan@vmware.com>
wy65701436
force-pushed
the
robot-account-2
branch
from
d3acda2
to
fced79c
Compare
wy65701436
force-pushed
the
robot-account-2
branch
2 times, most recently
from
a748d56
to
9a2a7a9
Compare
Signed-off-by: wang yan <wangyan@vmware.com>
wy65701436
force-pushed
the
robot-account-2
branch
from
9a2a7a9
to
90cefff
Compare
|
I just created the issue goharbor/harbor#13384. I am not sure why the robot user cannot currently be used to pull-replicate private projects, but I guess it has something to do with the |
|
|
||
| ## Abstract | ||
|
|
||
| Robot account limited into one specific project, it cannot access multiple projects. |
There was a problem hiding this comment.
@wy65701436 Would it be possible to grant permissions to access registry catalog /v2/_catalog for such new robot account?
| secret string used as the password of robot account. | ||
| For v2.2, it stores the secret. | ||
| */ | ||
| secret varchar(2048), |
There was a problem hiding this comment.
Please make sure this is hash, not plain text.
| * (P1)Whether to provide Kubernetes pull secret for the robot account. | ||
| * (P1)Whether to provide Docker credentials config for the robot account. | ||
|
|
||
| ## Security Concern |
There was a problem hiding this comment.
Please update the proposal to conclude how these concerns are addressed.
|
Is this coming with v2.2.0 |
@mrd2 join tomorrow the community meeting at 14:00 CEST I’ll being that topic up. As we need that as well |
No description provided.