Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple Visibility Levels and enforcement Levels for Projects #242

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
89 changes: 89 additions & 0 deletions proposals/multiple-project-visibility-levels.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
# Proposal: Multiple Visibility Levels and Control

Author: [Vadim Bauer](https://github.com/Vad1mo) - [8gears Container Registry](https://container-registry.com/)
Created time: 11 June 2024
Last updated:

## Abstract

This proposal extends Harbor with additional project visibility and permission levels, and upgrades the current public/private project visibility and access levels.
Copy link
Contributor

@wy65701436 wy65701436 Aug 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally, the document lacks of technical parts to let other maintainers know how to handle the newly introduced level?

The scheme changes? And the data migration?
The RBAC mode for the internal project?
API change?
Any downstream impact?

And also, could you add persona? user story?


Once this proposal is implemented, additional uses will become possible, which will be outlined in the proposal.

Furthermore, it also removes confusion about the consequences of the current visibility of public-private projects.

## Background

Currently, only two visibility options for projects exist.
Public and private projects are too limited and unsuitable for many use cases where Harbor is used in organizations.
This is also reflected in many issues and feature requests from the Harbor community.

Harbor has a wide popularity and recognition for its proxy and replication capabilities.
With this proposal, we can leverage the existing features and extend them to a wider audience and use cases.

Here are some related issues from the Harbor Community.
- https://github.com/goharbor/harbor/issues/10760
- https://github.com/goharbor/harbor/issues/12306
- https://github.com/goharbor/harbor/issues/5447
- https://github.com/goharbor/harbor/issues/12306

Similar Proposals:
- https://github.com/goharbor/community/pull/124


## Proposal

Extend the current public and private project visibility levels with additional options.

- **Private (Existing)**
Same behavior as the current private project visibility.
Only users and groups
that are explicitly added as members to the project to get access,
based on their access level.
- **Internal View Only**
All authenticated (hence authenticated)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"hence authenticated", you mean authorized?

users can view and pull artifacts from this project.
But they are not allowed to pull any artifact from this project unless they are explicitly added as members to the project.
Comment on lines +45 to +46

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe a copy-pasta issue: In 44 you say "users can view and pull". Next line "But they are not allowed to pull".

- **Internal**
All authenticated users can view and pull artifacts from this project
- **Public View Only**
Unauthenticated Users without a Harbor account can view artifacts and artifacts in this project,
but they cannot pull artifacts, without being authenticated.
- **Public (Existing)**
Same behavior as the current project visibility. Users don’t need to have an account to pull artifacts from this project.


For reference, here are the visibility levels in GitLab for projects:
![img.png](./images/multiple-project-visibility-levels/ref_gitlab_visibility.levels.png)


### Project Level
On the project level, the project owner can set the visibility level of the project.

### System Level

On the system level, the system admin can set the maximum visibility level for new projects.
For example, If the maximum visibility level for new projects is set to "private", then newly created projects would have the visibility level "private" and the project admin would not be able to change it.

A system admin can change the visibility level for projects regardless of the system-level setting.

### Internal Project
Internal projects are a bit special in terms of internal visibility accessibility.
On the one hand,
we want the internal projects
to be visible and accessible inside the organization, but private to the outside.
The same would apply to pulling artifacts,
internally without a pull secret and externally just like a private project with a pull secret.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what means internally / externally in this context?


To handle this the internal use case, we would need
to have a functionality
that can distinguish between access from internal or external networks.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding the complexity of networking here makes the proposal bigger than it needs to be.

For me it's about authorizing all authenticated identities to a project by default.

IMHO adding networking brings much complexity and risk with it.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would leave this out of scope of this proposal, maybe it can become an appendix in the documentation. For info, at CERN we have configured an allow-list with our internal subnets in the ingress.



### Robot Accounts in Context of Internal Project

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would say that robot accounts or another form of long lived token is needed.
CI pipelines and kubernetes clusters need credentials to access the internal repositories.
Although it's needed, I would say that this part can be even a dedicated proposal.
Either with a harbor deployment wide robot account or deployment wide personal access token scoped to be used for internal repositories only.

Robot accounts for access to projects inside the organization aren't needed for pulling artifacts.


## Rationale

Looking at how Harbor is used in enterprise environments,