Harbor: Disabling admin user when using OIDC authentication

Created on 6 Sep 2019 · 11 comments · Source: goharbor/harbor

Hi. I want to disable the ability to log in in any way except OIDC. That includes the default admin account.

It would be preferable to completely disable the default login form, but a way to disable the admin account should suffice too.

kind/requirement priority/low

All 11 comments

Not a very valid requirement to me.

What's the purpose of this?
Have you considered what happens if the OIDC endpoint is down, or the DNS name changed? How are you going to make such a change if the admin is completely disabled?

@xaleeks let me know your thoughts.

Well if my OIDC endpoint is down I will have a much bigger problem than just a broken registry :)

But I get your point. Maybe then this change could be implemented as a configuration flag, so I can revert it in case of some disaster?

It's for security reasons. I want to have a single source of truth about my users.

Also thank you for a quick response.

I'm not sure I understand. Can you give an example of where it introduces a non-single version of truth and how this prevents it, @usualstuff?

Hi @xaleeks.

Basically, right now I have two sources of users to log in:

  • the Harbor database, which contains only the root user
  • my OIDC database

I want Harbor to only use OIDC so I don't have to manage separate credentials and monitor/audit another login endpoint.

If I'm able to disable or delete this user, I will have only one source of Harbor users.

For reference, you could look at GitLab. For them the root user is just another user like everyone else and can be deleted or disabled. In case of some disaster it could be recreated from the Ruby CLI.

@xaleeks the admin user is kind of a vulnerability since it has admin privileges.
Any deployment will have to set up a credentials management system, and rotation.
I am also guessing this does not have alerts for login or MFA, so if some attacker manages to guess the admin password using brute force, then Harbor will be compromised.

@reasonerjt has there been any more discussion on this? This is a very valid security concern.

Agree on this security concern; please consider the enterprise level of cyber security requirements. A basic account should not be allowed for a production instance.

Same here; it would be nice to have a config flag disabling basic auth.

Hello.
This came as a requirement for our use case also.

What can we do to speed this up? Are there any implementation thoughts on this?

Recently seeing variations of this more in govt. customers as well; we can discuss it for the next release.
