Is your feature request related to a problem? Please describe.
I am in a corporate environment. I am an infra manager; I deploy Harbor, and users can use it.
I want a scenario like this:
users can log in using LDAP and then pull every image;
only the admin and a few people can push images.
But now,
a user who logs in to Harbor for the first time cannot pull images from certain projects,
because the user ID is registered only after the user's first login,
and after that the admin has to add the user as a member.
So for now I have configured all projects as public.
(I think there's no easy way.)
This is related to #5447; please consider adding it in 1.7.0.
And one more thing:
how about integrating with Keycloak (an IAM tool: SAML, OpenID, OAuth, integrated LDAP)?
Keycloak is an easy and popular open-source tool for authentication and managing permissions these days, I've heard.
Describe the solution you'd like
Describe the main design/architecture of your solution
Describe the development plan you've considered
Additional context
The integration with Keycloak would be great.
Thanks for the feedback. We currently have a proposal to integrate with dex.
Not too familiar with Keycloak. Can anyone shed any light on the difference between the two projects (dex and Keycloak) and how the flow described in the proposal would differ? From what I gather reading random links, it appears they're both token issuers and identity providers that aim to accomplish the same thing, no?
Yes. OpenID Connect would be the way to go for both, which is what the linked PR does as far as I can see.
Could you clarify how integration with a 3rd-party authentication provider, such as an OIDC provider, solves the problem of having to add a user to a project to pull an image?
Currently Harbor does not have the flexibility to define a custom role. Seems only "system admin" can meet the requirement in the OP?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I don't think it solves the problem of having to add a user to a specific project (after the first login). It just solves the problem of having to manage users/credentials locally in Harbor and allows for better integration using one of the available IAM providers that support OpenID Connect (Keycloak, dex, Crowd, whatever).
edit:
It can of course also sync groups/roles if that's supported by Harbor. So provided there's some kind of group/RBAC system, it could solve the problem by automatically adding groups/roles to a user after the first login.
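The group-to-role mapping described in the comment above, as an added example that is not Harbor's own code and not part of this thread: it takes the claims of an already-verified OIDC ID token and decides, at login time, which project role the user gets, so that every authenticated user can pull and only designated groups can push. The role names follow Harbor's project roles, but the numeric ranking, the group names (`harbor-admins`, `ci-pushers`) and the `groups` claim name are constructed assumptions; token signature and issuer validation are assumed to have happened before this point.

```python
# Added example (not Harbor's code): decide a per-project role from the
# groups an identity provider (Keycloak, dex, ...) puts in the ID token.
from dataclasses import dataclass, field

# Role names follow Harbor's project roles; the ranking is ours, used only
# to pick the most privileged role a user is entitled to.
ROLE_RANK = {"guest": 1, "developer": 2, "maintainer": 3, "projectAdmin": 4}

# Constructed policy: which IdP groups may do more than pull.
# Group names are assumptions, not anything Harbor or Keycloak defines.
GROUP_POLICY = {
    "harbor-admins": "projectAdmin",
    "ci-pushers": "developer",
}

# Every authenticated user gets read-only (pull) access without any group,
# which is the OP's "everyone can pull" requirement without making projects public.
DEFAULT_ROLE = "guest"


@dataclass
class Decision:
    username: str
    role: str
    matched_groups: list = field(default_factory=list)


def role_for_claims(claims: dict) -> Decision:
    """Return the single highest-privilege role the user's groups entitle them to.

    `claims` is the payload of an ID token whose signature, issuer, audience
    and expiry have already been verified (assumed; out of scope here).
    """
    username = claims.get("preferred_username") or claims.get("sub")
    if not username:
        raise ValueError("claims carry no usable identity")
    groups = claims.get("groups", [])  # claim name is an assumption
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a list")

    role = DEFAULT_ROLE
    matched = []
    for group in groups:
        mapped = GROUP_POLICY.get(group)
        if mapped is None:
            continue  # unknown groups grant nothing extra
        matched.append(group)
        if ROLE_RANK[mapped] > ROLE_RANK[role]:
            role = mapped
    return Decision(username, role, matched)


def can_pull(decision: Decision) -> bool:
    return ROLE_RANK[decision.role] >= ROLE_RANK["guest"]


def can_push(decision: Decision) -> bool:
    # Only developer and above may push; guests are read-only.
    return ROLE_RANK[decision.role] >= ROLE_RANK["developer"]


if __name__ == "__main__":
    # Constructed sample claims for a first-time login.
    sample = {"sub": "u-1001", "preferred_username": "alice",
              "groups": ["staff", "ci-pushers"]}
    decision = role_for_claims(sample)
    print(decision, "pull:", can_pull(decision), "push:", can_push(decision))
```

Unknown groups grant nothing, a missing `groups` claim yields plain pull access, and a malformed claim is rejected rather than silently mapped, so a misconfigured IdP cannot hand out push rights by accident.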
Keycloak will be supported starting in 1.10
this is now supported as of release 1.9