Harbor: User password management & length

Created on 16 May 2016  路  10Comments  路  Source: goharbor/harbor

There doesn't seem to be an interface to change the user's password as admin and if you delete the user to recreate it, system will say user exists!
This breaks user management when passwords need to be changed. :(

Secondly, the passwords seem to be limited to a short 20 characters...
Any reason why it couldn't be say 63 or 255?

cheers!

staled
Source
picture RRAlex
👍1

Most helpful comment

The ability for the admin to reset a user password is essential in at least the following situation:

  • no LDAP
  • no mail server
  • user has forgotten his password

But also in the following situation:

  • no LDAP
  • mail server
  • user has changed email address, and forgotten his password
picture bergtwvd on 9 Sep 2016
👍3

All 10 comments

@RRAlex
Currently for audit purpose, when admin delete a user, the user is just "soft deleted", i.e. user with the same username can not be created again.

So you want to enable admin to update a user's password so the username can be re-used?

reasonerjt picture reasonerjt on 17 May 2016

So deleting a user would also delete its activity log?

But yes, indeed, simply being able to update a user's password would be sufficient.
This would allow anyone to re-purpose an account: be it to rotate admins creds., correct a mistake, respect password change policy, etc.
And it's much more practical then going into MySQL to delete it manually and re-create / re-attribute the role everywhere, which is management hell and, well, bad UX.

thanks! :-)

RRAlex picture RRAlex on 17 May 2016

So deleting a user would also delete its activity log?

Currently activitly log is associate to user table via a Foreign Key, I know this is debatable, but we may use the term to "Disable" a user, not Delete.

As for enabling admin to update password, the original idea is no one should know any other's password including admin, but it makes sense to me when you mention password change policy, we'll consider implement it.

reasonerjt picture reasonerjt on 18 May 2016

@reasonerjt What about the second question @RRAlex raised, the password length? It seems to be restricted to max 20 chars. Is this on purpose? And if so, why?

fuhbar picture fuhbar on 26 Jul 2016
👍2

The ability for the admin to reset a user password is essential in at least the following situation:

  • no LDAP
  • no mail server
  • user has forgotten his password

But also in the following situation:

  • no LDAP
  • mail server
  • user has changed email address, and forgotten his password
bergtwvd picture bergtwvd on 9 Sep 2016
👍3

Yeah I would love if we could reset passwords via the web ui..., too

tronicum picture tronicum on 19 Sep 2016
👍2

It would be nice to have the length restriction presented to the user when setting the password

bengadbois picture bengadbois on 31 Jan 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] picture stale[bot] on 7 Oct 2018

Now Admin can update password of a regular user, closing.

reasonerjt picture reasonerjt on 9 Oct 2018
👍1

@reasonerjt What about the rather restrictive password length?

phenomax picture phenomax on 18 Jul 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

levchik picture levchik  路  4Comments
adomenech73 picture adomenech73  路  3Comments
andrewtchin picture andrewtchin  路  3Comments
reasonerjt picture reasonerjt  路  3Comments
a-kinder picture a-kinder  路  3Comments