Merge pull request #5228 from stonezdj/doc_ldap_group

Add document for manange role by LDAP group(master)
This commit is contained in:
Daniel Jiang 2018-09-10 09:51:27 +08:00 committed by GitHub
commit 03f9cafeaf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 57 additions and 0 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 169 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 99 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 234 KiB

View File

@ -0,0 +1,52 @@
## Introduction
This guide provides instructions to manage roles by LDAP/AD group. You can import an LDAP/AD group to Harbor and assign project roles to it. All LDAP/AD users in this LDAP/AD group have assigned roles.
## Prerequisite
1. Harbor's auth_mode is ldap_auth and **[basic LDAP configure paremters](https://github.com/vmware/harbor/blob/master/docs/installation_guide.md#optional-parameters)** are configured.
1. Memberof overlay
This feature requires the LDAP/AD server enabled the feature **memberof overlay**.
With this feature, the LDAP/AD user entity's attribute **memberof** is updated when the group entity's **member** attribute is updated. For example, adding or removing an LDAP/AD user from the LDAP/AD group.
* OpenLDAP -- Refer this **[guide](https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/)** to enable and verify **memberof overlay**
* Active Directory -- this feature is enabled by default.
## Configure LDAP group settings
Besides **[basic LDAP configure paremters](https://github.com/vmware/harbor/blob/master/docs/installation_guide.md#optional-parameters)** , LDAP group related configure parameters should be configured, they can be configured before or after installation
1. Configure parameters in harbor.cfg before installation
* ldap_group_basedn -- The base DN from which to lookup a group in LDAP/AD, for example: ou=groups,dc=example,dc=com
* ldap_group_filter -- The filter to search LDAP/AD group, for example: objectclass=groupOfNames
* ldap_group_gid -- The attribute used to name an LDAP/AD group, for example: cn
* ldap_group_scope -- The scope to search for LDAP/AD groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
2. Or Change configure parameter in web console after installation. Go to "Administration" -> "Configuration" -> "Authentication" and change following settings.
- LDAP Group Base DN -- ldap_group_basedn in harbor.cfg
- LDAP Group Filter -- ldap_group_filter in harbor.cfg
- LDAP Group GID -- ldap_group_gid in harbor.cfg
- LDAP Group Scope -- ldap_group_scope in harbor.cfg
- LDAP Groups With Admin Privilege -- Specify an LDAP/AD group DN, all LDAPA/AD users in this group have harbor admin privileges.
![Screenshot of LDAP group config](img/group/ldap_group_config.png)
## Assign project role to LDAP/AD group
In "Project" -> "Members" -> "+ GROUP".
![Screenshot of add group](img/group/ldap_group_addgroup.png)
You can "Add an existing user group to project member" or "Add a group from LDAP to project member".
![Screenshot of add group dialog](img/group/ldap_group_addgroup_dialog.png)
Once an LDAP group is assigned a project role, log in with an LDAP/AD user in this group, the user should have the privilege of its group role.
If a user is in the LDAP groups with admin privilege (ldap_group_admin_dn), the user should have the same privileges with Harbor admin.
## User privileges and group privileges
If a user has both user-level role and group-level role, only the user level role privileges will be considered.

View File

@ -16,6 +16,7 @@ This guide walks you through the fundamentals of using Harbor. You'll learn how
* [Manage self-registration.](#managing-self-registration) * [Manage self-registration.](#managing-self-registration)
* [Manage email settings.](#managing-email-settings) * [Manage email settings.](#managing-email-settings)
* [Manage registry read only.](#managing-registry-read-only) * [Manage registry read only.](#managing-registry-read-only)
* [Manage role by LDAP group.](#managing-role-by-ldap-group)
* [Pull and push images using Docker client.](#pulling-and-pushing-images-using-docker-client) * [Pull and push images using Docker client.](#pulling-and-pushing-images-using-docker-client)
* [Add description to repositories](#add-description-to-repositories) * [Add description to repositories](#add-description-to-repositories)
* [Delete repositories and images.](#deleting-repositories) * [Delete repositories and images.](#deleting-repositories)
@ -235,12 +236,16 @@ You can change Harbor's registry read only settings, read only mode will allow '
If it set to true, deleting repository, tag and pushing image will be disabled. If it set to true, deleting repository, tag and pushing image will be disabled.
![browse project](img/read_only_enable.png) ![browse project](img/read_only_enable.png)
``` ```
$ docker push 10.117.169.182/demo/ubuntu:14.04 $ docker push 10.117.169.182/demo/ubuntu:14.04
The push refers to a repository [10.117.169.182/demo/ubuntu] The push refers to a repository [10.117.169.182/demo/ubuntu]
0271b8eebde3: Preparing 0271b8eebde3: Preparing
denied: The system is in read only mode. Any modification is prohibited. denied: The system is in read only mode. Any modification is prohibited.
``` ```
### Managing role by LDAP group
If auth_mode is ldap_auth, you can manage project role by LDAP/AD group. please refer [manage role by ldap group guide](manage_role_by_ldap_group.md).
## Pulling and pushing images using Docker client ## Pulling and pushing images using Docker client