-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple Visibility Levels and enforcement Levels for Projects #242
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
# Proposal: Multiple Visibility Levels and Control | ||
|
||
Author: [Vadim Bauer](https://github.com/Vad1mo) - [8gears Container Registry](https://container-registry.com/) | ||
Created time: 11 June 2024 | ||
Last updated: | ||
|
||
## Abstract | ||
|
||
This proposal extends Harbor with additional project visibility and permission levels, and upgrades the current public/private project visibility and access levels. | ||
|
||
Once this proposal is implemented, additional uses will become possible, which will be outlined in the proposal. | ||
|
||
Furthermore, it also removes confusion about the consequences of the current visibility of public-private projects. | ||
|
||
## Background | ||
|
||
Currently, only two visibility options for projects exist. | ||
Public and private projects are too limited and unsuitable for many use cases where Harbor is used in organizations. | ||
This is also reflected in many issues and feature requests from the Harbor community. | ||
|
||
Harbor has a wide popularity and recognition for its proxy and replication capabilities. | ||
With this proposal, we can leverage the existing features and extend them to a wider audience and use cases. | ||
|
||
Here are some related issues from the Harbor Community. | ||
- https://github.com/goharbor/harbor/issues/10760 | ||
- https://github.com/goharbor/harbor/issues/12306 | ||
- https://github.com/goharbor/harbor/issues/5447 | ||
- https://github.com/goharbor/harbor/issues/12306 | ||
|
||
Similar Proposals: | ||
- https://github.com/goharbor/community/pull/124 | ||
|
||
|
||
## Proposal | ||
|
||
Extend the current public and private project visibility levels with additional options. | ||
|
||
- **Private (Existing)** | ||
Same behavior as the current private project visibility. | ||
Only users and groups | ||
that are explicitly added as members to the project to get access, | ||
based on their access level. | ||
- **Internal View Only** | ||
All authenticated (hence authenticated) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. "hence authenticated", you mean authorized? |
||
users can view and pull artifacts from this project. | ||
But they are not allowed to pull any artifact from this project unless they are explicitly added as members to the project. | ||
Comment on lines
+45
to
+46
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Maybe a copy-pasta issue: In 44 you say "users can view and pull". Next line "But they are not allowed to pull". |
||
- **Internal** | ||
All authenticated users can view and pull artifacts from this project | ||
- **Public View Only** | ||
Unauthenticated Users without a Harbor account can view artifacts and artifacts in this project, | ||
but they cannot pull artifacts, without being authenticated. | ||
- **Public (Existing)** | ||
Same behavior as the current project visibility. Users don’t need to have an account to pull artifacts from this project. | ||
|
||
|
||
For reference, here are the visibility levels in GitLab for projects: | ||
![img.png](./images/multiple-project-visibility-levels/ref_gitlab_visibility.levels.png) | ||
|
||
|
||
### Project Level | ||
On the project level, the project owner can set the visibility level of the project. | ||
|
||
### System Level | ||
|
||
On the system level, the system admin can set the maximum visibility level for new projects. | ||
For example, If the maximum visibility level for new projects is set to "private", then newly created projects would have the visibility level "private" and the project admin would not be able to change it. | ||
|
||
A system admin can change the visibility level for projects regardless of the system-level setting. | ||
|
||
### Internal Project | ||
Internal projects are a bit special in terms of internal visibility accessibility. | ||
On the one hand, | ||
we want the internal projects | ||
to be visible and accessible inside the organization, but private to the outside. | ||
The same would apply to pulling artifacts, | ||
internally without a pull secret and externally just like a private project with a pull secret. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. what means internally / externally in this context? |
||
|
||
To handle this the internal use case, we would need | ||
to have a functionality | ||
that can distinguish between access from internal or external networks. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think adding the complexity of networking here makes the proposal bigger than it needs to be. For me it's about authorizing all authenticated identities to a project by default. IMHO adding networking brings much complexity and risk with it. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I would leave this out of scope of this proposal, maybe it can become an appendix in the documentation. For info, at CERN we have configured an allow-list with our internal subnets in the ingress. |
||
|
||
|
||
### Robot Accounts in Context of Internal Project | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I would say that robot accounts or another form of long lived token is needed. |
||
Robot accounts for access to projects inside the organization aren't needed for pulling artifacts. | ||
|
||
|
||
## Rationale | ||
|
||
Looking at how Harbor is used in enterprise environments, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally, the document lacks of technical parts to let other maintainers know how to handle the newly introduced level?
And also, could you add persona? user story?