Harbor: how to push image not use text passwords

admin user should have read/write access to all projects. Can you use 'admin' to push images to harbor ?

I want to use admin, but docker login need to text password. Other user could known my admin password.where have a token from admin user,that I can use this token push image?

@yugongpeng are you saying you want a token to push image only but not do anything on the web UI?

It's a matter of fine grained access control, per my understanding you want a token that can push image but not for calling any API, so you are essentially asking for a role that can push image only, but unfortunately here's no such role in Harbor.

you are right , I want a token for push image from cicd platform.But.I want not to use harbor admin text user and password.Because ci-cd platform and harbor is independent two platforms.

We would be interested in the concept of push tokens as well. There's a few open issues for "mixed mode" authentication already (See #698 and #1323) but I like this solution better. I'd imagine being able to create push tokens at the project and repo level. This would be extremely useful for CI where you want people to only be able to push to repos they own from CI (rather than using a shared service account like the builtin admin or one from LDAP).

@nlowe Thanks for the input I like the idea to create tokens on project level, so I imagine the flow will be:

Project Admin to create the token, then update config.json with this token and the docker host and do pull/push with this token until it's revoked by Project Admin?
So this token will be used to pull/push only and nothing else.

Sort of, yeah. Although I think it would be easier for most CI systems if we can get UN/PW pair that we can docker login from (for example, using with the Jenkins withDockerRegistry step) instead of having to update the config.json on the host.

Yes, I see this as push/pull only.

I like the idea. 👍 Contributions welcome, else we'll keep open to track.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Please keep this open.

Ideally the authentication should work like GitLab's personal access token https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
And deploy tokens on a project level. https://docs.gitlab.com/ee/user/project/deploy_tokens/#creating-a-deploy-token

1) This would allow users to not share their personal authentication that can come from LDAP providers ad might change.
2) It would also allow a projects workflow to continue and not be contingent on a personal user account to pull images from if the project is not public.

@paulbadcock Users of Gitlab can use Gitlab Token Auth with Harbor. So you don't need to define access tokens. In .gitlab-ci.yml you use something like docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.example.com where registry.example.com is you Harbor installation. This works like a charm and doesn't interfer with your LDAP settings.

@CrystalMethod Ah thanks, I think my comment on this issue will also be solved by robot support in 1.8.0 roadmap also!

Access Token / Robot Account has the charm that you can push different images from one Gitlab project into the registry. Otherwise, Gitlab assumes that one source project corresponds to exactly one image. So, yes, I think support for both use cases make sense and should co-exist:

• Access Token / Robot Account
• Gitlab as Registry Token Auth

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.