From 24c48af3058ebd3677b152d39941f79497ec4653 Mon Sep 17 00:00:00 2001 
From: Stuart Clements Date: Thu, 17 Oct 2019 19:00:00 +0200 Subject: [PATCH] Lots more reorg --- docs/harbor-doc-reorg/_index.md | 17 ++- .../harbor-doc-reorg/administration/_index.md | 3 + .../administration/administrator_options.md | 61 ----------- .../configure_project_settings/_index.md | 6 ++ .../set_project_quotas.md} | 2 +- .../create_replication_endpoints.md | 7 +- .../_index.md} | 6 +- .../managing_users/configure_rbac.md | 79 +------------- .../vulnerability_scanning/_index.md | 22 ++++ .../import_vulnerability_data.md | 2 +- .../vulnerability_scanning/scan_all_images.md | 9 ++ .../scan_individual_image.md | 32 ++++++ .../vulnerability_scanning/schedule_scans.md | 8 ++ .../vulnerability_scanning_clair.md | 68 ------------ .../install_config/configuration/_index.md | 3 +- .../configuration/configure_authentication.md | 100 ++++++++++++++++++ .../configure_notary_content_trust.md} | 2 +- .../configuration/general_settings.md | 24 +++++ .../configuration/initial_config_ui.md | 5 + .../working_with_projects/user_guide.md | 38 ------- 20 files changed, 238 insertions(+), 256 deletions(-) delete mode 100644 docs/harbor-doc-reorg/administration/administrator_options.md create mode 100644 docs/harbor-doc-reorg/administration/configure_project_settings/_index.md rename docs/harbor-doc-reorg/administration/{setting_project_quotas.md => configure_project_settings/set_project_quotas.md} (99%) rename docs/harbor-doc-reorg/administration/{garbage_collection.md => garbage_collection/_index.md} (94%) create mode 100644 docs/harbor-doc-reorg/administration/vulnerability_scanning/_index.md rename docs/harbor-doc-reorg/administration/{ => vulnerability_scanning}/import_vulnerability_data.md (98%) create mode 100644 docs/harbor-doc-reorg/administration/vulnerability_scanning/scan_all_images.md create mode 100644 docs/harbor-doc-reorg/administration/vulnerability_scanning/scan_individual_image.md create mode 100644 
docs/harbor-doc-reorg/administration/vulnerability_scanning/schedule_scans.md delete mode 100644 docs/harbor-doc-reorg/administration/vulnerability_scanning_clair.md create mode 100644 docs/harbor-doc-reorg/install_config/configuration/configure_authentication.md rename docs/harbor-doc-reorg/{working_with_projects/use_notary.md => install_config/configuration/configure_notary_content_trust.md} (97%) create mode 100644 docs/harbor-doc-reorg/install_config/configuration/general_settings.md create mode 100644 docs/harbor-doc-reorg/install_config/configuration/initial_config_ui.md delete mode 100644 docs/harbor-doc-reorg/working_with_projects/user_guide.md diff --git a/docs/harbor-doc-reorg/_index.md b/docs/harbor-doc-reorg/_index.md index 243c88c74..8f0f92544 100644 --- a/docs/harbor-doc-reorg/_index.md +++ b/docs/harbor-doc-reorg/_index.md 
@@ -13,14 +13,17 @@ This section describes how to install Harbor and perform the required initial co - [Run the Installer Script](install_config/installation/run_installer_script.md) - [Troubleshooting Harbor Installation ](install_config/installation/troubleshoot_installation.md) - - You can also use Helm to install Harbor on a Kubernetes cluster, to make it highly available. For information about installing Harbor with Helm on a Kubernetes cluster, see the [Harbor High Availability Guide](https://github.com/goharbor/harbor-helm/blob/master/docs/High%20Availability.md) in the https://github.com/goharbor/harbor-helm repository. - [Configuring Harbor](install_config/configuration/_index.md) - [Reconfigure Harbor and Manage the Harbor Lifecycle](install_config/configuration/reconfigure_manage_lifecycle.md) - [Configure HTTPS Access to Harbor](install_config/configuration/configure_https.md) - [Customize the Harbor Token Service](install_config/configuration/customize_token_service.md) + - [Configure Notary Content Trust](install_config/configuration/configure_notary_content_trust.md) - [Access Harbor Logs](install_config/configuration/access_logs.md) - +- [Initial Configuration in the Harbor UI](install_config/configuration/initial_config_ui.md) + - [Configure Authentication](configure_authentication.md) + - [Other General Settings](general_settings.md) + +You can also use Helm to install Harbor on a Kubernetes cluster, to make it highly available. For information about installing Harbor with Helm on a Kubernetes cluster, see the [Harbor High Availability Guide](https://github.com/goharbor/harbor-helm/blob/master/docs/High%20Availability.md) in the https://github.com/goharbor/harbor-helm repository. ## Harbor Administration 
@@ -31,10 +34,18 @@ This section describes how to use and maintain Harbor after deployment. These da - [User Permissions By Role](administration/managing_users/user_permissions_by_role.md) - [Configure Harbor User Settings at the Command Line](administration/managing_users/configure_user_settings_cli.md) - [Manage Roles by LDAP Group](administration/managing_users/manage_role_by_ldap_group.md) +- [Configure Project Settings](administration/configure_project_settings/_index.md) + - [Set Project Quotas](administration/configure_project_settings/set_project_quotas.md) - [Configuring Replication](administration/configuring_replication/_index.md) - [Create Replication Endpoints](administration/configuring_replication/create_replication_endpoints.md) - [Create Replication Rules](administration/configuring_replication/create_replication_rules.md) - [Manage Replications](administration/configuring_replication/manage_replications.md) +- [Vulnerability Scanning with Clair](administration/vulnerability_scanning/_index.md) + - [Scan an Individual Image](scan_individual_image.md) + - [Scan All Images](scan_all_images.md) + - [Schedule Scans](schedule_scans.md) + - [Import Vulnerability Data to an Offline Harbor instance](import_vulnerability_data.md) +- [Garbage Collection](administration/garbage_collection/_index.md) - [Upgrading Harbor](administration/upgrade/_index.md) - [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade_migrate_data.md) - [Roll Back an Upgrade](administration/upgrade/roll_back_upgrade.md) diff --git a/docs/harbor-doc-reorg/administration/_index.md b/docs/harbor-doc-reorg/administration/_index.md index 97bcfaf5c..6d3f1947e 100644 --- a/docs/harbor-doc-reorg/administration/_index.md +++ b/docs/harbor-doc-reorg/administration/_index.md 
@@ -1,5 +1,8 @@ # Harbor Administration - [Managing Users](managing_users/_index.md) +- [Configure Project Settings](configure_project_settings/_index.md) - [Configuring Replication](configuring_replication/_index.md) +- [Vulnerability Scanning with Clair](vulnerability_scanning/_index.md) +- [Garbage Collection](garbage_collection/_index.md) - [Upgrading Harbor](upgrade/_index.md) \ No newline at end of file diff --git a/docs/harbor-doc-reorg/administration/administrator_options.md b/docs/harbor-doc-reorg/administration/administrator_options.md deleted file mode 100644 index abfba1078..000000000 --- a/docs/harbor-doc-reorg/administration/administrator_options.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# Administrator options - - -### Managing registry -You can list, add, edit and delete registries under `Administration->Registries`. Only registries which are not referenced by any rules can be deleted. - -![browse project](../img/manage_registry.png) - -### Managing replication - - -### Managing authentication -You can change authentication mode between **Database**(default) and **LDAP** before any user is added, when there is at least one user(besides admin) in Harbor, you cannot change the authentication mode. -![browse project](../img/new_auth.png) -When using LDAP mode, user's self-registration is disabled. The parameters of LDAP server must be filled in. For more information, refer to [User account](#user-account). -![browse project](../img/ldap_auth.png) - -When using OIDC mode, user will login Harbor via OIDC based SSO. A client has to be registered on the OIDC provider and Harbor's callback URI needs to be associated to that client as a redirectURI. -![OIDC settings](../img/oidc_auth_setting.png) - -The settings of this auth mode: -* OIDC Provider Name: The name of the OIDC Provider. -* OIDC Provider Endpoint: The URL of the endpoint of the OIDC provider(a.k.a the Authorization Server in OAuth's terminology), -which must service the "well-known" URI for its configuration, more details please refer to https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest -* OIDC Client ID: The ID of client configured on OIDC Provider. -* OIDC Client Secret: The secret for this client. -* OIDC Scope: The scope values to be used during the authentication. It is the comma separated string, which must contain `openid`. -Normally it should also contain `profile` and `email`. For getting the refresh token it should also contain `offline_access`. Please check with the administrator of the OIDC Provider. -* Verify Certificate: Whether to check the certificate when accessing the OIDC Provider. 
if you are running the OIDC Provider with self-signed -certificate, make sure this value is set to false. - - -### Managing project creation -Use the **Project Creation** drop-down menu to set which users can create projects. Select **Everyone** to allow all users to create projects. Select **Admin Only** to allow only users with the Administrator role to create projects. -![browse project](../img/new_proj_create.png) - -### Managing self-registration -You can manage whether a user can sign up for a new account. This option is not available if you use LDAP authentication. -![browse project](../img/new_self_reg.png) - -### Managing email settings -You can change Harbor's email settings, the mail server is used to send out responses to users who request to reset their password. -![browse project](../img/new_config_email.png) - -### Managing registry read only -You can change Harbor's registry read only settings, read only mode will allow 'docker pull' while preventing 'docker push' and the deletion of repository and tag. -![browse project](../img/read_only.png) - -If it set to true, deleting repository, tag and pushing image will be disabled. -![browse project](../img/read_only_enable.png) - - -``` -$ docker push 10.117.169.182/demo/ubuntu:14.04 -The push refers to a repository [10.117.169.182/demo/ubuntu] -0271b8eebde3: Preparing -denied: The system is in read only mode. Any modification is prohibited. -``` -### Managing role by LDAP group - -If auth_mode is ldap_auth, you can manage project role by LDAP/AD group. please refer [manage role by ldap group guide](manage_role_by_ldap_group.md). \ No newline at end of file diff --git a/docs/harbor-doc-reorg/administration/configure_project_settings/_index.md b/docs/harbor-doc-reorg/administration/configure_project_settings/_index.md new file mode 100644 index 000000000..b80e6d90f --- /dev/null +++ b/docs/harbor-doc-reorg/administration/configure_project_settings/_index.md 
@@ -0,0 +1,6 @@ +# Configure Project Settings + +Use the **Project Creation** drop-down menu to set which users can create projects. Select **Everyone** to allow all users to create projects. Select **Admin Only** to allow only users with the Administrator role to create projects. +![browse project](../img/new_proj_create.png) + +[Set Project Quotas](set_project_quotas.md) diff --git a/docs/harbor-doc-reorg/administration/setting_project_quotas.md b/docs/harbor-doc-reorg/administration/configure_project_settings/set_project_quotas.md similarity index 99% rename from docs/harbor-doc-reorg/administration/setting_project_quotas.md rename to docs/harbor-doc-reorg/administration/configure_project_settings/set_project_quotas.md index 9495bbd82..77d609d7c 100644 --- a/docs/harbor-doc-reorg/administration/setting_project_quotas.md +++ b/docs/harbor-doc-reorg/administration/configure_project_settings/set_project_quotas.md @@ -1,4 +1,4 @@ -# Setting Project Quotas +# Set Project Quotas To exercise control over resource use, as a system administrator you can set quotas on projects. You can limit the number of tags that a project can contain and limit the amount of storage capacity that a project can consume. You can set default quotas that apply to all projects globally. diff --git a/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_endpoints.md b/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_endpoints.md index dd4622cfe..824a958e5 100644 --- a/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_endpoints.md +++ b/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_endpoints.md 
@@ -35,4 +35,9 @@ To replicate image repositories from one instance of Harbor to another Harbor or Deselect the check box if the remote registry uses a self-signed or untrusted certificate. 1. Click **Test Connection**. -1. When you have successfully tested the connection, click **OK**. \ No newline at end of file +1. When you have successfully tested the connection, click **OK**. + +## Managing Registries +You can list, add, edit and delete registries under `Administration->Registries`. Only registries which are not referenced by any rules can be deleted. + +![browse project](../img/manage_registry.png) \ No newline at end of file diff --git a/docs/harbor-doc-reorg/administration/garbage_collection.md b/docs/harbor-doc-reorg/administration/garbage_collection/_index.md similarity index 94% rename from docs/harbor-doc-reorg/administration/garbage_collection.md rename to docs/harbor-doc-reorg/administration/garbage_collection/_index.md index 41cb05a59..051b095f6 100644 --- a/docs/harbor-doc-reorg/administration/garbage_collection.md +++ b/docs/harbor-doc-reorg/administration/garbage_collection/_index.md @@ -5,7 +5,7 @@ Online Garbage Collection enables user to trigger docker registry garbage collec For more information about Garbage Collection, please see [Garbage Collection](https://github.com/docker/docker.github.io/blob/master/registry/garbage-collection.md). -### Setting up Garbage Collection +## Set up Garbage Collection If you are a system admin, you can trigger garbage collection by clicking "GC Now" in the **'Garbage Collection'** tab of **'Configuration'** section under **'Administration'**. ![browse project](../img/gc_now.png) 
@@ -14,14 +14,14 @@ If you are a system admin, you can trigger garbage collection by clicking "GC No To avoid frequently triggering the garbage collection process, the availability of the button is restricted. It can be only triggered once in one minute. ![browse project](../img/gc_now2.png) -**Scheduled Garbage Collection by Policy** +## Scheduled Garbage Collection by Policy * **None:** No policy is selected. * **Daily:** Policy is activated daily. It means an analysis job is scheduled to be executed at the specified time everyday. The scheduled job will do garbage collection in Harbor. * **Weekly:** Policy is activated weekly. It means an analysis job is scheduled to be executed at the specified time every week. The scheduled job will do garbage collection in Harbor. Once the policy has been configured, you have the option to save the schedule. ![browse project](../img/gc_policy.png) -### Garbage Collection history +## Garbage Collection history If you are a system admin, you can view the latest 10 records of garbage collection execution. ![browse project](../img/gc_history.png) diff --git a/docs/harbor-doc-reorg/administration/managing_users/configure_rbac.md b/docs/harbor-doc-reorg/administration/managing_users/configure_rbac.md index 825ad05ad..f4b19bb91 100644 --- a/docs/harbor-doc-reorg/administration/managing_users/configure_rbac.md +++ b/docs/harbor-doc-reorg/administration/managing_users/configure_rbac.md 
@@ -19,81 +19,4 @@ For full details of the permissions of the different roles, see [User Permission ## Managing user Administrator can add "Administrator" role to one or more ordinary users by checking checkboxes and clicking `SET AS ADMINISTRATOR`. To delete users, checked checkboxes and select `DELETE`. Deleting user is only supported under database authentication mode. -![browse project](../img/new_set_admin_remove_user.png) - -## User account -Harbor supports different authentication modes: - -* **Database(db_auth)** - - Users are stored in the local database. - - A user can register himself/herself in Harbor in this mode. To disable user self-registration, refer to the [installation guide](installation_guide.md) for initial configuration, or disable this feature in [Administrator Options](#administrator-options). When self-registration is disabled, the system administrator can add users into Harbor. - - When registering or adding a new user, the username and email must be unique in the Harbor system. The password must contain at least 8 characters with 1 lowercase letter, 1 uppercase letter and 1 numeric character. - - When you forgot your password, you can follow the below steps to reset the password: - - 1. Click the link "Forgot Password" in the sign in page. - 2. Input the email address entered when you signed up, an email will be sent out to you for password reset. - 3. After receiving the email, click on the link in the email which directs you to a password reset web page. - 4. Input your new password and click "Save". - -* **LDAP/Active Directory (ldap_auth)** - - Under this authentication mode, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly. - - When an LDAP/AD user logs in by *username* and *password*, Harbor binds to the LDAP/AD server with the **"LDAP Search DN"** and **"LDAP Search Password"** described in [installation guide](installation_guide.md). 
If it succeeded, Harbor looks up the user under the LDAP entry **"LDAP Base DN"** including substree. The attribute (such as uid, cn) specified by **"LDAP UID"** is used to match a user with the *username*. If a match is found, the user's *password* is verified by a bind request to the LDAP/AD server. Uncheck **"LDAP Verify Cert"** if the LDAP/AD server uses a self-signed or an untrusted certificate. - - Self-registration, deleting user, changing password and resetting password are not supported under LDAP/AD authentication mode because the users are managed by LDAP or AD. - -* **OIDC Provider (oidc_auth)** - - With this authentication mode, regular user will login to Harbor Portal via SSO flow. - After the system administrator configure Harbor to authenticate via OIDC (more details refer to [this section](#managing-authentication)), - a button `LOGIN VIA OIDC PROVIDER` will appear on the login page. - ![oidc_login](../img/oidc_login.png) - - By clicking this button user will kick off the SSO flow and be redirected to the OIDC Provider for authentication. After a successful - authentication at the remote site, user will be redirected to Harbor. There will be an "onboard" step if it's the first time the user - authenticate using his account, in which there will be a dialog popped up for him to set his user name in Harbor: - ![oidc_onboar](../img/oidc_onboard_dlg.png) - - This user name will be the identifier for this user in Harbor, which will be used in the cases such as adding member to a project, assigning roles, etc. - This has to be a unique user name, if another user has used this user name to onboard, user will be prompted to choose another one. - - Regarding this user to use docker CLI, please refer to [Using CLI after login via OIDC based SSO](#using-oidc-cli-secret) - - **NOTE:** - 1. 
After the onboard process, you still have to login to Harbor via SSO flow, the `Username` and `Password` fields are only for - local admin to login when Harbor is configured authentication via OIDC. - 2. Similar to LDAP authentication mode, self-registration, updating profile, deleting user, changing password and - resetting password are not supported. - -## Using OIDC CLI secret - -Having authenticated via OIDC SSO and onboarded to Harbor, you can use Docker/Helm CLI to access Harbor to read/write the artifacts. -As the CLI cannot handle redirection for SSO, we introduced `CLI secret`, which is only available when Harbor's authentication mode -is configured to OIDC based. -After logging into Harbor, click the drop down list to view user's profile: -![user_profile](../img/user_profile.png) - -You can copy your CLI secret via the dialog of profile: -![profile_dlg](../img/profile_dlg.png) - -After that you can authenticate using your user name in Harbor that you set during onboard process, and CLI secret as the password -with Docker/Helm CLI, for example: -```sh -docker login -u testuser -p xxxxxx jt-test.local.goharbor.io - -``` - -When you click the "..." icon in the profile dialog, a button for generating new CLI secret will appear, and you can generate a new -CLI secret by clicking this button. Please be reminded one user can only have one CLI secret, so when a new secret is generated, the -old one becomes invalid at once. - -**NOTE**: -Under the hood the CLI secret is associated with the ID token, and Harbor will try to refresh the token, so the CLI secret will -be valid after th ID token expires. However, if the OIDC Provider does not provide refresh token or the refresh fails for some -reason, the CLI secret will become invalid. In that case you can logout and login Harbor via SSO flow again so Harbor can get a -new ID token and the CLI secret will work again. +![browse project](../img/new_set_admin_remove_user.png) \ No newline at end of file 
diff --git a/docs/harbor-doc-reorg/administration/vulnerability_scanning/_index.md b/docs/harbor-doc-reorg/administration/vulnerability_scanning/_index.md new file mode 100644 index 000000000..bc2e7e49d --- /dev/null +++ b/docs/harbor-doc-reorg/administration/vulnerability_scanning/_index.md 
@@ -0,0 +1,22 @@ +# Vulnerability Scanning with Clair + +**CAUTION: Clair is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section.** + +Static analysis of vulnerabilities is provided through open source project [Clair](https://github.com/coreos/clair). You can initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to scan all the images at a specified time everyday. + +- [Scan an Individual Image](scan_individual_image.md) +- [Scan All Images](scan_all_images.md) +- [Schedule Scans](schedule_scans.md) + +**Vulnerability metadata** + +Clair depends on the vulnerability metadata to complete the analysis process. After the first initial installation, Clair will automatically start to update the metadata database from different vulnerability repositories. The updating process may take a while based on the data size and network connection. If the database has not been fully populated, there is a warning message at the footer of the repository datagrid view. +![browse project](../img/clair_not_ready.png) + +The 'database not fully ready' warning message is also displayed in the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'** for your awareness. +![browse project](../img/clair_not_ready2.png) + +Once the database is ready, an overall database updated timestamp will be shown in the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'**. +![browse project](../img/clair_ready.png) + +If your Harbor instance is not connected to the external internet, you must manually update the vulnerability metadata. For information about how to update Clair manually, see [Import Vulnerability Data to an Offline Harbor instance](import_vulnerability_data.md). \ No newline at end of file 
diff --git a/docs/harbor-doc-reorg/administration/import_vulnerability_data.md b/docs/harbor-doc-reorg/administration/vulnerability_scanning/import_vulnerability_data.md similarity index 98% rename from docs/harbor-doc-reorg/administration/import_vulnerability_data.md rename to docs/harbor-doc-reorg/administration/vulnerability_scanning/import_vulnerability_data.md index 797ad11da..736b97b61 100644 --- a/docs/harbor-doc-reorg/administration/import_vulnerability_data.md +++ b/docs/harbor-doc-reorg/administration/vulnerability_scanning/import_vulnerability_data.md @@ -1,4 +1,4 @@ -## Update an offline Harbor instance with new vulnerability data +# Import Vulnerability Data to an Offline Harbor instance Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor administrator needs to manually update the Clair database. diff --git a/docs/harbor-doc-reorg/administration/vulnerability_scanning/scan_all_images.md b/docs/harbor-doc-reorg/administration/vulnerability_scanning/scan_all_images.md new file mode 100644 index 000000000..5ef04c9be --- /dev/null +++ b/docs/harbor-doc-reorg/administration/vulnerability_scanning/scan_all_images.md 
@@ -0,0 +1,9 @@ +# Scan All Images + +In the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'**, click on the **'SCAN NOW'** button to start the analysis process for all the existing images. + +**NOTES: The scanning process is executed via multiple concurrent asynchronous tasks. There is no guarantee on the order of scanning or the returned results.** +![browse project](../img/scan_all.png) + +To avoid frequently triggering the resource intensive scanning process, the availability of the button is restricted. It can be only triggered once in a predefined period. The next available time will be displayed besides the button. +![browse project](../img/scan_all2.png) \ No newline at end of file diff --git a/docs/harbor-doc-reorg/administration/vulnerability_scanning/scan_individual_image.md b/docs/harbor-doc-reorg/administration/vulnerability_scanning/scan_individual_image.md new file mode 100644 index 000000000..135c29143 --- /dev/null +++ b/docs/harbor-doc-reorg/administration/vulnerability_scanning/scan_individual_image.md 
@@ -0,0 +1,32 @@ +# Scan an Individual Image + +Enter your project, select the repository. For each tag there will be an 'Vulnerability' column to display vulnerability scanning status and related information. You can select the image and click the "SCAN" button to trigger the vulnerability scan process. +![browse project](../img/scan_image.png) +**NOTES: Only the users with 'Project Admin' role have the privilege to launch the analysis process.** + +The analysis process may have the following status that are indicated in the 'Vulnerability' column: +* **Not Scanned:** The tag has never been scanned. +* **Queued:** The scanning task is scheduled but not executed yet. +* **Scanning:** The scanning process is in progress. +* **Error:** The scanning process failed to complete. +* **Complete:** The scanning process was successfully completed. + +For the **'Not Scanned'** and **'Queued'** statuses, a text label with status information is shown. For the **'Scanning'**, a progress bar will be displayed. +If an error occurred, you can click on the **'View Log'** link to view the related logs. +![browse project](../img/log_viewer.png) + +If the process was successfully completed, a result bar is created. The width of the different colored sections indicates the percentage of features with vulnerabilities for a particular severity level. +* **Red:** **High** level of vulnerabilities +* **Orange:** **Medium** level of vulnerabilities +* **Yellow:** **Low** level of vulnerabilities +* **Grey:** **Unknown** level of vulnerabilities +* **Green:** **No** vulnerabilities +![browse project](../img/bar_chart.png) + +Move the cursor over the bar, a tooltip with summary report will be displayed. Besides showing the total number of features with vulnerabilities and the total number of features in the scanned image tag, the report also lists the counts of features with vulnerabilities of different severity levels. 
The completion time of the last analysis process is shown at the bottom of the tooltip. +![browse project](../img/summary_tooltip.png) + +Click on the tag name link, the detail page will be opened. Besides the information about the tag, all the vulnerabilities found in the last analysis process will be listed with the related information. You can order or filter the list by columns. +![browse project](../img/tag_detail.png) + +**NOTES: You can initiate the vulnerability analysis for a tag at anytime you want as long as the status is not 'Queued' or 'Scanning'.** \ No newline at end of file diff --git a/docs/harbor-doc-reorg/administration/vulnerability_scanning/schedule_scans.md b/docs/harbor-doc-reorg/administration/vulnerability_scanning/schedule_scans.md new file mode 100644 index 000000000..ea6a004ce --- /dev/null +++ b/docs/harbor-doc-reorg/administration/vulnerability_scanning/schedule_scans.md @@ -0,0 +1,8 @@ +# Schedule Scans + +You can set policies to control the vulnerability analysis process. Currently, two options are available: +* **None:** No policy is selected. +* **Daily:** Policy is activated daily. It means an analysis job is scheduled to be executed at the specified time everyday. The scheduled job will scan all the images in Harbor. +![browse project](../img/scan_policy.png) + +**NOTES: Once the scheduled job is executed, the completion time of scanning all images will be updated accordingly. Please be aware that the completion time of the images may be different because the execution of analysis for each image may be carried out at different time.** diff --git a/docs/harbor-doc-reorg/administration/vulnerability_scanning_clair.md b/docs/harbor-doc-reorg/administration/vulnerability_scanning_clair.md deleted file mode 100644 index 68fcc49fb..000000000 --- a/docs/harbor-doc-reorg/administration/vulnerability_scanning_clair.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# Vulnerability Scanning with Clair -**CAUTION: Clair is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section.** - -Static analysis of vulnerabilities is provided through open source project [Clair](https://github.com/coreos/clair). You can initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to scan all the images at a specified time everyday. - -**Vulnerability metadata** - -Clair depends on the vulnerability metadata to complete the analysis process. After the first initial installation, Clair will automatically start to update the metadata database from different vulnerability repositories. The updating process may take a while based on the data size and network connection. If the database has not been fully populated, there is a warning message at the footer of the repository datagrid view. -![browse project](../img/clair_not_ready.png) - -The 'database not fully ready' warning message is also displayed in the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'** for your awareness. -![browse project](../img/clair_not_ready2.png) - -Once the database is ready, an overall database updated timestamp will be shown in the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'**. -![browse project](../img/clair_ready.png) - -**Scanning an image** - -Enter your project, select the repository. For each tag there will be an 'Vulnerability' column to display vulnerability scanning status and related information. You can select the image and click the "SCAN" button to trigger the vulnerability scan process. 
-![browse project](../img/scan_image.png) -**NOTES: Only the users with 'Project Admin' role have the privilege to launch the analysis process.** - -The analysis process may have the following status that are indicated in the 'Vulnerability' column: -* **Not Scanned:** The tag has never been scanned. -* **Queued:** The scanning task is scheduled but not executed yet. -* **Scanning:** The scanning process is in progress. -* **Error:** The scanning process failed to complete. -* **Complete:** The scanning process was successfully completed. - -For the **'Not Scanned'** and **'Queued'** statuses, a text label with status information is shown. For the **'Scanning'**, a progress bar will be displayed. -If an error occurred, you can click on the **'View Log'** link to view the related logs. -![browse project](../img/log_viewer.png) - -If the process was successfully completed, a result bar is created. The width of the different colored sections indicates the percentage of features with vulnerabilities for a particular severity level. -* **Red:** **High** level of vulnerabilities -* **Orange:** **Medium** level of vulnerabilities -* **Yellow:** **Low** level of vulnerabilities -* **Grey:** **Unknown** level of vulnerabilities -* **Green:** **No** vulnerabilities -![browse project](../img/bar_chart.png) - -Move the cursor over the bar, a tooltip with summary report will be displayed. Besides showing the total number of features with vulnerabilities and the total number of features in the scanned image tag, the report also lists the counts of features with vulnerabilities of different severity levels. The completion time of the last analysis process is shown at the bottom of the tooltip. -![browse project](../img/summary_tooltip.png) - -Click on the tag name link, the detail page will be opened. Besides the information about the tag, all the vulnerabilities found in the last analysis process will be listed with the related information. 
You can order or filter the list by columns. -![browse project](../img/tag_detail.png) - -**NOTES: You can initiate the vulnerability analysis for a tag at anytime you want as long as the status is not 'Queued' or 'Scanning'.** - -**Scanning all images** - -In the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'**, click on the **'SCAN NOW'** button to start the analysis process for all the existing images. - -**NOTES: The scanning process is executed via multiple concurrent asynchronous tasks. There is no guarantee on the order of scanning or the returned results.** -![browse project](../img/scan_all.png) - -To avoid frequently triggering the resource intensive scanning process, the availability of the button is restricted. It can be only triggered once in a predefined period. The next available time will be displayed besides the button. -![browse project](../img/scan_all2.png) - -**Scheduled Scan by Policy** - -You can set policies to control the vulnerability analysis process. Currently, two options are available: -* **None:** No policy is selected. -* **Daily:** Policy is activated daily. It means an analysis job is scheduled to be executed at the specified time everyday. The scheduled job will scan all the images in Harbor. -![browse project](../img/scan_policy.png) - -**NOTES: Once the scheduled job is executed, the completion time of scanning all images will be updated accordingly. Please be aware that the completion time of the images may be different because the execution of analysis for each image may be carried out at different time.** - diff --git a/docs/harbor-doc-reorg/install_config/configuration/_index.md b/docs/harbor-doc-reorg/install_config/configuration/_index.md index 1db5dcf9b..b32b24f68 100644 --- a/docs/harbor-doc-reorg/install_config/configuration/_index.md +++ b/docs/harbor-doc-reorg/install_config/configuration/_index.md 
@@ -1,8 +1,9 @@ # Configuring Harbor -After you have deployed Harbor, you can perform certain post-deployment configuration operations. +After you have deployed Harbor, you must perform certain post-deployment configuration operations. - [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure_manage_lifecycle.md) - [Configure HTTPS Access to Harbor](configure_https.md) - [Customize the Harbor Token Service](customize_token_service.md) - [Access Harbor Logs](access_logs.md) +- [Initial Configuration in the Harbor UI](initial_config_ui.md) diff --git a/docs/harbor-doc-reorg/install_config/configuration/configure_authentication.md b/docs/harbor-doc-reorg/install_config/configuration/configure_authentication.md new file mode 100644 index 000000000..eb09884a4 --- /dev/null +++ b/docs/harbor-doc-reorg/install_config/configuration/configure_authentication.md 
@@ -0,0 +1,100 @@ +# Configure Authentication + +You can change authentication mode between **Database**(default) and **LDAP** before any user is added, when there is at least one user(besides admin) in Harbor, you cannot change the authentication mode. +![browse project](../img/new_auth.png) +When using LDAP mode, user's self-registration is disabled. The parameters of LDAP server must be filled in. For more information, refer to [User account](#user-account). +![browse project](../img/ldap_auth.png) + +When using OIDC mode, user will login Harbor via OIDC based SSO. A client has to be registered on the OIDC provider and Harbor's callback URI needs to be associated to that client as a redirectURI. +![OIDC settings](../img/oidc_auth_setting.png) + +The settings of this auth mode: +* OIDC Provider Name: The name of the OIDC Provider. +* OIDC Provider Endpoint: The URL of the endpoint of the OIDC provider(a.k.a the Authorization Server in OAuth's terminology), +which must service the "well-known" URI for its configuration, more details please refer to https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest +* OIDC Client ID: The ID of client configured on OIDC Provider. +* OIDC Client Secret: The secret for this client. +* OIDC Scope: The scope values to be used during the authentication. It is the comma separated string, which must contain `openid`. +Normally it should also contain `profile` and `email`. For getting the refresh token it should also contain `offline_access`. Please check with the administrator of the OIDC Provider. +* Verify Certificate: Whether to check the certificate when accessing the OIDC Provider. if you are running the OIDC Provider with self-signed +certificate, make sure this value is set to false. + +## User account +Harbor supports different authentication modes: + +* **Database(db_auth)** + + Users are stored in the local database. + + A user can register himself/herself in Harbor in this mode. 
To disable user self-registration, refer to the [installation guide](installation_guide.md) for initial configuration, or disable this feature in [Administrator Options](#administrator-options). When self-registration is disabled, the system administrator can add users into Harbor. + + When registering or adding a new user, the username and email must be unique in the Harbor system. The password must contain at least 8 characters with 1 lowercase letter, 1 uppercase letter and 1 numeric character. + + When you forgot your password, you can follow the below steps to reset the password: + + 1. Click the link "Forgot Password" in the sign in page. + 2. Input the email address entered when you signed up, an email will be sent out to you for password reset. + 3. After receiving the email, click on the link in the email which directs you to a password reset web page. + 4. Input your new password and click "Save". + +* **LDAP/Active Directory (ldap_auth)** + + Under this authentication mode, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly. + + When an LDAP/AD user logs in by *username* and *password*, Harbor binds to the LDAP/AD server with the **"LDAP Search DN"** and **"LDAP Search Password"** described in [installation guide](installation_guide.md). If it succeeded, Harbor looks up the user under the LDAP entry **"LDAP Base DN"** including substree. The attribute (such as uid, cn) specified by **"LDAP UID"** is used to match a user with the *username*. If a match is found, the user's *password* is verified by a bind request to the LDAP/AD server. Uncheck **"LDAP Verify Cert"** if the LDAP/AD server uses a self-signed or an untrusted certificate. + + Self-registration, deleting user, changing password and resetting password are not supported under LDAP/AD authentication mode because the users are managed by LDAP or AD. 
+ +* **OIDC Provider (oidc_auth)** + + With this authentication mode, regular user will login to Harbor Portal via SSO flow. + After the system administrator configure Harbor to authenticate via OIDC (more details refer to [this section](#managing-authentication)), + a button `LOGIN VIA OIDC PROVIDER` will appear on the login page. + ![oidc_login](../img/oidc_login.png) + + By clicking this button user will kick off the SSO flow and be redirected to the OIDC Provider for authentication. After a successful + authentication at the remote site, user will be redirected to Harbor. There will be an "onboard" step if it's the first time the user + authenticate using his account, in which there will be a dialog popped up for him to set his user name in Harbor: + ![oidc_onboar](../img/oidc_onboard_dlg.png) + + This user name will be the identifier for this user in Harbor, which will be used in the cases such as adding member to a project, assigning roles, etc. + This has to be a unique user name, if another user has used this user name to onboard, user will be prompted to choose another one. + + Regarding this user to use docker CLI, please refer to [Using CLI after login via OIDC based SSO](#using-oidc-cli-secret) + + **NOTE:** + 1. After the onboard process, you still have to login to Harbor via SSO flow, the `Username` and `Password` fields are only for + local admin to login when Harbor is configured authentication via OIDC. + 2. Similar to LDAP authentication mode, self-registration, updating profile, deleting user, changing password and + resetting password are not supported. + +## Using OIDC CLI secret + +Having authenticated via OIDC SSO and onboarded to Harbor, you can use Docker/Helm CLI to access Harbor to read/write the artifacts. +As the CLI cannot handle redirection for SSO, we introduced `CLI secret`, which is only available when Harbor's authentication mode +is configured to OIDC based. 
+After logging into Harbor, click the drop down list to view user's profile: +![user_profile](../img/user_profile.png) + +You can copy your CLI secret via the dialog of profile: +![profile_dlg](../img/profile_dlg.png) + +After that you can authenticate using your user name in Harbor that you set during onboard process, and CLI secret as the password +with Docker/Helm CLI, for example: +```sh +docker login -u testuser -p xxxxxx jt-test.local.goharbor.io + +``` + +When you click the "..." icon in the profile dialog, a button for generating new CLI secret will appear, and you can generate a new +CLI secret by clicking this button. Please be reminded one user can only have one CLI secret, so when a new secret is generated, the +old one becomes invalid at once. + +**NOTE**: +Under the hood the CLI secret is associated with the ID token, and Harbor will try to refresh the token, so the CLI secret will +be valid after th ID token expires. However, if the OIDC Provider does not provide refresh token or the refresh fails for some +reason, the CLI secret will become invalid. In that case you can logout and login Harbor via SSO flow again so Harbor can get a +new ID token and the CLI secret will work again. +Title + +Text diff --git a/docs/harbor-doc-reorg/working_with_projects/use_notary.md b/docs/harbor-doc-reorg/install_config/configuration/configure_notary_content_trust.md similarity index 97% rename from docs/harbor-doc-reorg/working_with_projects/use_notary.md rename to docs/harbor-doc-reorg/install_config/configuration/configure_notary_content_trust.md index a7030aa0e..727ab14a0 100644 --- a/docs/harbor-doc-reorg/working_with_projects/use_notary.md +++ b/docs/harbor-doc-reorg/install_config/configuration/configure_notary_content_trust.md 
@@ -1,4 +1,4 @@ -### Setup +# Configure Notary Content Trust In harbor.yml, make sure https is enabled, and the attributes `ssl_cert` and `ssl_cert_key` are pointed to valid certificates. For more information about generating https certificate please refer to: [Configuring HTTPS for Harbor](configure_https.md) diff --git a/docs/harbor-doc-reorg/install_config/configuration/general_settings.md b/docs/harbor-doc-reorg/install_config/configuration/general_settings.md new file mode 100644 index 000000000..ae9dcdbe4 --- /dev/null +++ b/docs/harbor-doc-reorg/install_config/configuration/general_settings.md @@ -0,0 +1,24 @@ +# Other General Settings + +## Managing self-registration +You can manage whether a user can sign up for a new account. This option is not available if you use LDAP authentication. +![browse project](../img/new_self_reg.png) + +## Managing email settings +You can change Harbor's email settings, the mail server is used to send out responses to users who request to reset their password. +![browse project](../img/new_config_email.png) + +## Managing registry read only +You can change Harbor's registry read only settings, read only mode will allow 'docker pull' while preventing 'docker push' and the deletion of repository and tag. +![browse project](../img/read_only.png) + +If it set to true, deleting repository, tag and pushing image will be disabled. +![browse project](../img/read_only_enable.png) + + +``` +$ docker push 10.117.169.182/demo/ubuntu:14.04 +The push refers to a repository [10.117.169.182/demo/ubuntu] +0271b8eebde3: Preparing +denied: The system is in read only mode. Any modification is prohibited. +``` \ No newline at end of file diff --git a/docs/harbor-doc-reorg/install_config/configuration/initial_config_ui.md b/docs/harbor-doc-reorg/install_config/configuration/initial_config_ui.md new file mode 100644 index 000000000..1a736aa35 --- /dev/null +++ b/docs/harbor-doc-reorg/install_config/configuration/initial_config_ui.md 
@@ -0,0 +1,5 @@ +# Initial Configuration in the Harbor UI + +- [Configure Authentication](configure_authentication.md) +- [Other General Settings](general_settings.md) + diff --git a/docs/harbor-doc-reorg/working_with_projects/user_guide.md b/docs/harbor-doc-reorg/working_with_projects/user_guide.md deleted file mode 100644 index 3859ad424..000000000 --- a/docs/harbor-doc-reorg/working_with_projects/user_guide.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# User Guide -## Overview -This guide walks you through the fundamentals of using Harbor. You'll learn how to use Harbor to: - -* [Manage your projects](#managing-projects) -* [Manage members of a project](#managing-members-of-a-project) -* [Replicate resources between Harbor and non-Harbor registries](#replicating-resources) -* [Retag images within Harbor](#retag-images) -* [Search projects and repositories](#searching-projects-and-repositories) -* [Manage labels](#managing-labels) -* [Configure CVE Whitelists](#configure-cve-whitelists) -* [Set Project Quotas](#set-project-quotas) -* [Manage Harbor system if you are the system administrator:](#administrator-options) - * [Manage users](#managing-user) - * [Manage registries](#managing-registry) - * [Manage replication rules](#managing-replication) - * [Manage authentication](#managing-authentication) - * [Manage project creation](#managing-project-creation) - * [Manage self-registration](#managing-self-registration) - * [Manage email settings](#managing-email-settings) - * [Manage registry read only](#managing-registry-read-only) - * [Manage role by LDAP group](#managing-role-by-ldap-group) -* [Pull and push images using Docker client](#pulling-and-pushing-images-using-docker-client) -* [Add description to repositories](#add-description-to-repositories) -* [Delete repositories and images](#deleting-repositories) -* [Content trust](#content-trust) -* [Vulnerability scanning via Clair](#vulnerability-scanning-via-clair) -* [Pull image from Harbor in Kubernetes](#pull-image-from-harbor-in-kubernetes) -* [Manage Helm Charts](#manage-helm-charts) - * [Manage Helm Charts via portal](#manage-helm-charts-via-portal) - * [Working with Helm CLI](#working-with-helm-cli) -* [Online Garbage Collection](#online-garbage-collection) -* [View build history](#build-history) -* [Using CLI after login via OIDC based SSO](#using-oidc-cli-secret) -* [Manage robot account of a project](#robot-account) -* [Tag Retention 
Rules](#tag-retention-rules) -* [Webhook Notifications](#webhook-notifications) -* [Using API Explorer](#api-explorer) \ No newline at end of file
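Review bot: deleting `vulnerability_scanning_clair.md` drops the "Clair is an optional component" caution and the whole "Vulnerability metadata" section (the 'database not fully ready' warning in the repository view and the Configuration > Vulnerability tab, and where the last-updated timestamp appears), and the new scan pages are not part of this hunk, so it cannot be confirmed here that they were carried over; please check that both survive, because a scan run against a partially populated vulnerability database silently reports fewer findings than it should. The deleted text also uses `../img/clair_not_ready.png`-style paths; wherever it is re-homed under `administration/vulnerability_scanning/`, those relative paths need one more `../` or the images break.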
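Review bot: changing "you can perform certain post-deployment configuration operations" to "you must perform" in `_index.md` overstates the requirement: the list it introduces includes optional tasks such as "Customize the Harbor Token Service" and "Access Harbor Logs". "You can" or "you may need to" is accurate. The list also still omits `configure_notary_content_trust.md`, which this same patch moves into this directory, while `configure_authentication.md` and `general_settings.md` are reachable only through the new `initial_config_ui.md` entry; consider listing the Notary page here as well.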
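Review bot: `configure_authentication.md` ships with cross-references that cannot resolve from its new location: `[Administrator Options](#administrator-options)` and `[this section](#managing-authentication)` point at headings that exist only in the `user_guide.md` deleted by this patch, and `[installation guide](installation_guide.md)` (used three times) names a file that is not in `install_config/configuration/`; retarget them to `general_settings.md`, the relevant install page, and this file's own "Configure Authentication" heading. The file also ends with the template leftovers `+Title` / `+Text`, which should be removed. The opening paragraph says the mode can be switched "between **Database**(default) and **LDAP**" although the rest of the page documents OIDC as a third mode, so that sentence should name all three. The CLI sample `docker login -u testuser -p xxxxxx jt-test.local.goharbor.io` puts the CLI secret on the command line, where it lands in shell history and process listings; documentation should show `--password-stdin` and a generic hostname placeholder instead of a specific test host. The "Verify Certificate" bullet tells readers to set verification to false for a self-signed provider certificate; better guidance is to add the provider's CA to Harbor's trust store and treat disabling verification as a testing-only step. Typos: "th ID token" and the alt text "oidc_onboar".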
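Review bot: after the rename, `configure_notary_content_trust.md` is not linked from anywhere in this patch: neither the `_index.md` list nor the new `initial_config_ui.md` mentions it, so the page becomes unreachable from the navigation. On the positive side, moving it into `install_config/configuration/` is what makes its relative link `[Configuring HTTPS for Harbor](configure_https.md)` resolve, so only the index entry is missing.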
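Review bot: in `general_settings.md`, "Managing self-registration" says the option is unavailable only with LDAP authentication, but `configure_authentication.md` in the same patch states that self-registration is also not supported in OIDC mode; make the two pages agree. Grammar: "If it set to true" should read "If it is set to true", and "read only mode will allow 'docker pull' while preventing 'docker push' and the deletion of repository and tag" would be clearer as "read-only mode allows `docker pull` but blocks `docker push` and the deletion of repositories and tags". The `docker push` sample fence carries no language tag (the authentication page uses ```sh), and the file is missing its trailing newline. Since `configure_authentication.md` links to `#administrator-options` for the self-registration toggle, this page is the natural target; the link there should become `general_settings.md#managing-self-registration`.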
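Review bot: deleting `user_guide.md` removes the `#administrator-options` and `#managing-authentication` anchors that `configure_authentication.md`, added in this same patch, still links to, so the deletion needs to be paired with fixing those links. The deleted table of contents also indexes topics that no file in this patch takes over (Webhook Notifications, Using API Explorer, Manage robot account of a project, Tag Retention Rules, View build history, Pull image from Harbor in Kubernetes, Manage Helm Charts); confirm each has a destination in the reorganised tree before this list is dropped, otherwise readers lose the only index to them.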