Lots more reorg

This commit is contained in:
Stuart Clements 2019-10-17 19:00:00 +02:00
parent 7d642c3d60
commit 24c48af305
20 changed files with 238 additions and 256 deletions

View File

@ -13,14 +13,17 @@ This section describes how to install Harbor and perform the required initial co
- [Run the Installer Script](install_config/installation/run_installer_script.md) - [Run the Installer Script](install_config/installation/run_installer_script.md)
- [Troubleshooting Harbor Installation - [Troubleshooting Harbor Installation
](install_config/installation/troubleshoot_installation.md) ](install_config/installation/troubleshoot_installation.md)
You can also use Helm to install Harbor on a Kubernetes cluster, to make it highly available. For information about installing Harbor with Helm on a Kubernetes cluster, see the [Harbor High Availability Guide](https://github.com/goharbor/harbor-helm/blob/master/docs/High%20Availability.md) in the https://github.com/goharbor/harbor-helm repository.
- [Configuring Harbor](install_config/configuration/_index.md) - [Configuring Harbor](install_config/configuration/_index.md)
- [Reconfigure Harbor and Manage the Harbor Lifecycle](install_config/configuration/reconfigure_manage_lifecycle.md) - [Reconfigure Harbor and Manage the Harbor Lifecycle](install_config/configuration/reconfigure_manage_lifecycle.md)
- [Configure HTTPS Access to Harbor](install_config/configuration/configure_https.md) - [Configure HTTPS Access to Harbor](install_config/configuration/configure_https.md)
- [Customize the Harbor Token Service](install_config/configuration/customize_token_service.md) - [Customize the Harbor Token Service](install_config/configuration/customize_token_service.md)
- [Configure Notary Content Trust](install_config/configuration/configure_notary_content_trust.md)
- [Access Harbor Logs](install_config/configuration/access_logs.md) - [Access Harbor Logs](install_config/configuration/access_logs.md)
- [Initial Configuration in the Harbor UI](install_config/configuration/initial_config_ui.md)
- [Configure Authentication](configure_authentication.md)
- [Other General Settings](general_settings.md)
You can also use Helm to install Harbor on a Kubernetes cluster, to make it highly available. For information about installing Harbor with Helm on a Kubernetes cluster, see the [Harbor High Availability Guide](https://github.com/goharbor/harbor-helm/blob/master/docs/High%20Availability.md) in the https://github.com/goharbor/harbor-helm repository.
## Harbor Administration ## Harbor Administration
@ -31,10 +34,18 @@ This section describes how to use and maintain Harbor after deployment. These da
- [User Permissions By Role](administration/managing_users/user_permissions_by_role.md) - [User Permissions By Role](administration/managing_users/user_permissions_by_role.md)
- [Configure Harbor User Settings at the Command Line](administration/managing_users/configure_user_settings_cli.md) - [Configure Harbor User Settings at the Command Line](administration/managing_users/configure_user_settings_cli.md)
- [Manage Roles by LDAP Group](administration/managing_users/manage_role_by_ldap_group.md) - [Manage Roles by LDAP Group](administration/managing_users/manage_role_by_ldap_group.md)
- [Configure Project Settings](administration/configure_project_settings/_index.md)
- [Set Project Quotas](administration/configure_project_settings/set_project_quotas.md)
- [Configuring Replication](administration/configuring_replication/_index.md) - [Configuring Replication](administration/configuring_replication/_index.md)
- [Create Replication Endpoints](administration/configuring_replication/create_replication_endpoints.md) - [Create Replication Endpoints](administration/configuring_replication/create_replication_endpoints.md)
- [Create Replication Rules](administration/configuring_replication/create_replication_rules.md) - [Create Replication Rules](administration/configuring_replication/create_replication_rules.md)
- [Manage Replications](administration/configuring_replication/manage_replications.md) - [Manage Replications](administration/configuring_replication/manage_replications.md)
- [Vulnerability Scanning with Clair](administration/vulnerability_scanning/_index.md)
- [Scan an Individual Image](scan_individual_image.md)
- [Scan All Images](scan_all_images.md)
- [Schedule Scans](schedule_scans.md)
- [Import Vulnerability Data to an Offline Harbor instance](import_vulnerability_data.md)
- [Garbage Collection](administration/garbage_collection/_index.md)
- [Upgrading Harbor](administration/upgrade/_index.md) - [Upgrading Harbor](administration/upgrade/_index.md)
- [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade_migrate_data.md) - [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade_migrate_data.md)
- [Roll Back an Upgrade](administration/upgrade/roll_back_upgrade.md) - [Roll Back an Upgrade](administration/upgrade/roll_back_upgrade.md)

View File

@ -1,5 +1,8 @@
# Harbor Administration # Harbor Administration
- [Managing Users](managing_users/_index.md) - [Managing Users](managing_users/_index.md)
- [Configure Project Settings](configure_project_settings/_index.md)
- [Configuring Replication](configuring_replication/_index.md) - [Configuring Replication](configuring_replication/_index.md)
- [Vulnerability Scanning with Clair](vulnerability_scanning/_index.md)
- [Garbage Collection](garbage_collection/_index.md)
- [Upgrading Harbor](upgrade/_index.md) - [Upgrading Harbor](upgrade/_index.md)

View File

@ -1,61 +0,0 @@
# Administrator options
### Managing registry
You can list, add, edit and delete registries under `Administration->Registries`. Only registries which are not referenced by any rules can be deleted.
![browse project](../img/manage_registry.png)
### Managing replication
### Managing authentication
You can change authentication mode between **Database**(default) and **LDAP** before any user is added, when there is at least one user(besides admin) in Harbor, you cannot change the authentication mode.
![browse project](../img/new_auth.png)
When using LDAP mode, user's self-registration is disabled. The parameters of LDAP server must be filled in. For more information, refer to [User account](#user-account).
![browse project](../img/ldap_auth.png)
When using OIDC mode, user will login Harbor via OIDC based SSO. A client has to be registered on the OIDC provider and Harbor's callback URI needs to be associated to that client as a redirectURI.
![OIDC settings](../img/oidc_auth_setting.png)
The settings of this auth mode:
* OIDC Provider Name: The name of the OIDC Provider.
* OIDC Provider Endpoint: The URL of the endpoint of the OIDC provider(a.k.a the Authorization Server in OAuth's terminology),
which must service the "well-known" URI for its configuration, more details please refer to https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
* OIDC Client ID: The ID of client configured on OIDC Provider.
* OIDC Client Secret: The secret for this client.
* OIDC Scope: The scope values to be used during the authentication. It is the comma separated string, which must contain `openid`.
Normally it should also contain `profile` and `email`. For getting the refresh token it should also contain `offline_access`. Please check with the administrator of the OIDC Provider.
* Verify Certificate: Whether to check the certificate when accessing the OIDC Provider. if you are running the OIDC Provider with self-signed
certificate, make sure this value is set to false.
### Managing project creation
Use the **Project Creation** drop-down menu to set which users can create projects. Select **Everyone** to allow all users to create projects. Select **Admin Only** to allow only users with the Administrator role to create projects.
![browse project](../img/new_proj_create.png)
### Managing self-registration
You can manage whether a user can sign up for a new account. This option is not available if you use LDAP authentication.
![browse project](../img/new_self_reg.png)
### Managing email settings
You can change Harbor's email settings, the mail server is used to send out responses to users who request to reset their password.
![browse project](../img/new_config_email.png)
### Managing registry read only
You can change Harbor's registry read only settings, read only mode will allow 'docker pull' while preventing 'docker push' and the deletion of repository and tag.
![browse project](../img/read_only.png)
If it set to true, deleting repository, tag and pushing image will be disabled.
![browse project](../img/read_only_enable.png)
```
$ docker push 10.117.169.182/demo/ubuntu:14.04
The push refers to a repository [10.117.169.182/demo/ubuntu]
0271b8eebde3: Preparing
denied: The system is in read only mode. Any modification is prohibited.
```
### Managing role by LDAP group
If auth_mode is ldap_auth, you can manage project role by LDAP/AD group. please refer [manage role by ldap group guide](manage_role_by_ldap_group.md).

View File

@ -0,0 +1,6 @@
# Configure Project Settings
Use the **Project Creation** drop-down menu to set which users can create projects. Select **Everyone** to allow all users to create projects. Select **Admin Only** to allow only users with the Administrator role to create projects.
![browse project](../img/new_proj_create.png)
[Set Project Quotas](set_project_quotas.md)

View File

@ -1,4 +1,4 @@
# Setting Project Quotas # Set Project Quotas
To exercise control over resource use, as a system administrator you can set quotas on projects. You can limit the number of tags that a project can contain and limit the amount of storage capacity that a project can consume. You can set default quotas that apply to all projects globally. To exercise control over resource use, as a system administrator you can set quotas on projects. You can limit the number of tags that a project can contain and limit the amount of storage capacity that a project can consume. You can set default quotas that apply to all projects globally.

View File

@ -35,4 +35,9 @@ To replicate image repositories from one instance of Harbor to another Harbor or
Deselect the check box if the remote registry uses a self-signed or untrusted certificate. Deselect the check box if the remote registry uses a self-signed or untrusted certificate.
1. Click **Test Connection**. 1. Click **Test Connection**.
1. When you have successfully tested the connection, click **OK**. 1. When you have successfully tested the connection, click **OK**.
## Managing Registries
You can list, add, edit and delete registries under `Administration->Registries`. Only registries which are not referenced by any rules can be deleted.
![browse project](../img/manage_registry.png)

View File

@ -5,7 +5,7 @@ Online Garbage Collection enables user to trigger docker registry garbage collec
For more information about Garbage Collection, please see [Garbage Collection](https://github.com/docker/docker.github.io/blob/master/registry/garbage-collection.md). For more information about Garbage Collection, please see [Garbage Collection](https://github.com/docker/docker.github.io/blob/master/registry/garbage-collection.md).
### Setting up Garbage Collection ## Set up Garbage Collection
If you are a system admin, you can trigger garbage collection by clicking "GC Now" in the **'Garbage Collection'** tab of **'Configuration'** section under **'Administration'**. If you are a system admin, you can trigger garbage collection by clicking "GC Now" in the **'Garbage Collection'** tab of **'Configuration'** section under **'Administration'**.
![browse project](../img/gc_now.png) ![browse project](../img/gc_now.png)
@ -14,14 +14,14 @@ If you are a system admin, you can trigger garbage collection by clicking "GC No
To avoid frequently triggering the garbage collection process, the availability of the button is restricted. It can be only triggered once in one minute. To avoid frequently triggering the garbage collection process, the availability of the button is restricted. It can be only triggered once in one minute.
![browse project](../img/gc_now2.png) ![browse project](../img/gc_now2.png)
**Scheduled Garbage Collection by Policy** ## Scheduled Garbage Collection by Policy
* **None:** No policy is selected. * **None:** No policy is selected.
* **Daily:** Policy is activated daily. It means an analysis job is scheduled to be executed at the specified time everyday. The scheduled job will do garbage collection in Harbor. * **Daily:** Policy is activated daily. It means an analysis job is scheduled to be executed at the specified time everyday. The scheduled job will do garbage collection in Harbor.
* **Weekly:** Policy is activated weekly. It means an analysis job is scheduled to be executed at the specified time every week. The scheduled job will do garbage collection in Harbor. * **Weekly:** Policy is activated weekly. It means an analysis job is scheduled to be executed at the specified time every week. The scheduled job will do garbage collection in Harbor.
Once the policy has been configured, you have the option to save the schedule. Once the policy has been configured, you have the option to save the schedule.
![browse project](../img/gc_policy.png) ![browse project](../img/gc_policy.png)
### Garbage Collection history ## Garbage Collection history
If you are a system admin, you can view the latest 10 records of garbage collection execution. If you are a system admin, you can view the latest 10 records of garbage collection execution.
![browse project](../img/gc_history.png) ![browse project](../img/gc_history.png)

View File

@ -19,81 +19,4 @@ For full details of the permissions of the different roles, see [User Permission
## Managing user ## Managing user
Administrator can add "Administrator" role to one or more ordinary users by checking checkboxes and clicking `SET AS ADMINISTRATOR`. To delete users, checked checkboxes and select `DELETE`. Deleting user is only supported under database authentication mode. Administrator can add "Administrator" role to one or more ordinary users by checking checkboxes and clicking `SET AS ADMINISTRATOR`. To delete users, checked checkboxes and select `DELETE`. Deleting user is only supported under database authentication mode.
![browse project](../img/new_set_admin_remove_user.png) ![browse project](../img/new_set_admin_remove_user.png)
## User account
Harbor supports different authentication modes:
* **Database(db_auth)**
Users are stored in the local database.
A user can register himself/herself in Harbor in this mode. To disable user self-registration, refer to the [installation guide](installation_guide.md) for initial configuration, or disable this feature in [Administrator Options](#administrator-options). When self-registration is disabled, the system administrator can add users into Harbor.
When registering or adding a new user, the username and email must be unique in the Harbor system. The password must contain at least 8 characters with 1 lowercase letter, 1 uppercase letter and 1 numeric character.
When you forgot your password, you can follow the below steps to reset the password:
1. Click the link "Forgot Password" in the sign in page.
2. Input the email address entered when you signed up, an email will be sent out to you for password reset.
3. After receiving the email, click on the link in the email which directs you to a password reset web page.
4. Input your new password and click "Save".
* **LDAP/Active Directory (ldap_auth)**
Under this authentication mode, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly.
When an LDAP/AD user logs in by *username* and *password*, Harbor binds to the LDAP/AD server with the **"LDAP Search DN"** and **"LDAP Search Password"** described in [installation guide](installation_guide.md). If it succeeded, Harbor looks up the user under the LDAP entry **"LDAP Base DN"** including substree. The attribute (such as uid, cn) specified by **"LDAP UID"** is used to match a user with the *username*. If a match is found, the user's *password* is verified by a bind request to the LDAP/AD server. Uncheck **"LDAP Verify Cert"** if the LDAP/AD server uses a self-signed or an untrusted certificate.
Self-registration, deleting user, changing password and resetting password are not supported under LDAP/AD authentication mode because the users are managed by LDAP or AD.
* **OIDC Provider (oidc_auth)**
With this authentication mode, regular user will login to Harbor Portal via SSO flow.
After the system administrator configure Harbor to authenticate via OIDC (more details refer to [this section](#managing-authentication)),
a button `LOGIN VIA OIDC PROVIDER` will appear on the login page.
![oidc_login](../img/oidc_login.png)
By clicking this button user will kick off the SSO flow and be redirected to the OIDC Provider for authentication. After a successful
authentication at the remote site, user will be redirected to Harbor. There will be an "onboard" step if it's the first time the user
authenticate using his account, in which there will be a dialog popped up for him to set his user name in Harbor:
![oidc_onboar](../img/oidc_onboard_dlg.png)
This user name will be the identifier for this user in Harbor, which will be used in the cases such as adding member to a project, assigning roles, etc.
This has to be a unique user name, if another user has used this user name to onboard, user will be prompted to choose another one.
Regarding this user to use docker CLI, please refer to [Using CLI after login via OIDC based SSO](#using-oidc-cli-secret)
**NOTE:**
1. After the onboard process, you still have to login to Harbor via SSO flow, the `Username` and `Password` fields are only for
local admin to login when Harbor is configured authentication via OIDC.
2. Similar to LDAP authentication mode, self-registration, updating profile, deleting user, changing password and
resetting password are not supported.
## Using OIDC CLI secret
Having authenticated via OIDC SSO and onboarded to Harbor, you can use Docker/Helm CLI to access Harbor to read/write the artifacts.
As the CLI cannot handle redirection for SSO, we introduced `CLI secret`, which is only available when Harbor's authentication mode
is configured to OIDC based.
After logging into Harbor, click the drop down list to view user's profile:
![user_profile](../img/user_profile.png)
You can copy your CLI secret via the dialog of profile:
![profile_dlg](../img/profile_dlg.png)
After that you can authenticate using your user name in Harbor that you set during onboard process, and CLI secret as the password
with Docker/Helm CLI, for example:
```sh
docker login -u testuser -p xxxxxx jt-test.local.goharbor.io
```
When you click the "..." icon in the profile dialog, a button for generating new CLI secret will appear, and you can generate a new
CLI secret by clicking this button. Please be reminded one user can only have one CLI secret, so when a new secret is generated, the
old one becomes invalid at once.
**NOTE**:
Under the hood the CLI secret is associated with the ID token, and Harbor will try to refresh the token, so the CLI secret will
be valid after th ID token expires. However, if the OIDC Provider does not provide refresh token or the refresh fails for some
reason, the CLI secret will become invalid. In that case you can logout and login Harbor via SSO flow again so Harbor can get a
new ID token and the CLI secret will work again.

View File

@ -0,0 +1,22 @@
# Vulnerability Scanning with Clair
**CAUTION: Clair is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section.**
Static analysis of vulnerabilities is provided through open source project [Clair](https://github.com/coreos/clair). You can initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to scan all the images at a specified time everyday.
- [Scan an Individual Image](scan_individual_image.md)
- [Scan All Images](scan_all_images.md)
- [Schedule Scans](schedule_scans.md)
**Vulnerability metadata**
Clair depends on the vulnerability metadata to complete the analysis process. After the first initial installation, Clair will automatically start to update the metadata database from different vulnerability repositories. The updating process may take a while based on the data size and network connection. If the database has not been fully populated, there is a warning message at the footer of the repository datagrid view.
![browse project](../img/clair_not_ready.png)
The 'database not fully ready' warning message is also displayed in the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'** for your awareness.
![browse project](../img/clair_not_ready2.png)
Once the database is ready, an overall database updated timestamp will be shown in the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'**.
![browse project](../img/clair_ready.png)
If your Harbor instance is not connected to the external internet, you must manually update the vulnerability metadata. For information about how to update Clair manually, see [Import Vulnerability Data to an Offline Harbor instance](import_vulnerability_data.md).

View File

@ -1,4 +1,4 @@
## Update an offline Harbor instance with new vulnerability data # Import Vulnerability Data to an Offline Harbor instance
Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor administrator needs to manually update the Clair database. Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor administrator needs to manually update the Clair database.

View File

@ -0,0 +1,9 @@
# Scan All Images
In the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'**, click on the **'SCAN NOW'** button to start the analysis process for all the existing images.
**NOTES: The scanning process is executed via multiple concurrent asynchronous tasks. There is no guarantee on the order of scanning or the returned results.**
![browse project](../img/scan_all.png)
To avoid frequently triggering the resource intensive scanning process, the availability of the button is restricted. It can be only triggered once in a predefined period. The next available time will be displayed besides the button.
![browse project](../img/scan_all2.png)

View File

@ -0,0 +1,32 @@
# Scan an Individual Image
Enter your project, select the repository. For each tag there will be an 'Vulnerability' column to display vulnerability scanning status and related information. You can select the image and click the "SCAN" button to trigger the vulnerability scan process.
![browse project](../img/scan_image.png)
**NOTES: Only the users with 'Project Admin' role have the privilege to launch the analysis process.**
The analysis process may have the following status that are indicated in the 'Vulnerability' column:
* **Not Scanned:** The tag has never been scanned.
* **Queued:** The scanning task is scheduled but not executed yet.
* **Scanning:** The scanning process is in progress.
* **Error:** The scanning process failed to complete.
* **Complete:** The scanning process was successfully completed.
For the **'Not Scanned'** and **'Queued'** statuses, a text label with status information is shown. For the **'Scanning'**, a progress bar will be displayed.
If an error occurred, you can click on the **'View Log'** link to view the related logs.
![browse project](../img/log_viewer.png)
If the process was successfully completed, a result bar is created. The width of the different colored sections indicates the percentage of features with vulnerabilities for a particular severity level.
* **Red:** **High** level of vulnerabilities
* **Orange:** **Medium** level of vulnerabilities
* **Yellow:** **Low** level of vulnerabilities
* **Grey:** **Unknown** level of vulnerabilities
* **Green:** **No** vulnerabilities
![browse project](../img/bar_chart.png)
Move the cursor over the bar, a tooltip with summary report will be displayed. Besides showing the total number of features with vulnerabilities and the total number of features in the scanned image tag, the report also lists the counts of features with vulnerabilities of different severity levels. The completion time of the last analysis process is shown at the bottom of the tooltip.
![browse project](../img/summary_tooltip.png)
Click on the tag name link, the detail page will be opened. Besides the information about the tag, all the vulnerabilities found in the last analysis process will be listed with the related information. You can order or filter the list by columns.
![browse project](../img/tag_detail.png)
**NOTES: You can initiate the vulnerability analysis for a tag at anytime you want as long as the status is not 'Queued' or 'Scanning'.**

View File

@ -0,0 +1,8 @@
# Schedule Scans
You can set policies to control the vulnerability analysis process. Currently, two options are available:
* **None:** No policy is selected.
* **Daily:** Policy is activated daily. It means an analysis job is scheduled to be executed at the specified time everyday. The scheduled job will scan all the images in Harbor.
![browse project](../img/scan_policy.png)
**NOTES: Once the scheduled job is executed, the completion time of scanning all images will be updated accordingly. Please be aware that the completion time of the images may be different because the execution of analysis for each image may be carried out at different time.**

View File

@ -1,68 +0,0 @@
# Vulnerability Scanning with Clair
**CAUTION: Clair is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section.**
Static analysis of vulnerabilities is provided through open source project [Clair](https://github.com/coreos/clair). You can initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to scan all the images at a specified time everyday.
**Vulnerability metadata**
Clair depends on the vulnerability metadata to complete the analysis process. After the first initial installation, Clair will automatically start to update the metadata database from different vulnerability repositories. The updating process may take a while based on the data size and network connection. If the database has not been fully populated, there is a warning message at the footer of the repository datagrid view.
![browse project](../img/clair_not_ready.png)
The 'database not fully ready' warning message is also displayed in the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'** for your awareness.
![browse project](../img/clair_not_ready2.png)
Once the database is ready, an overall database updated timestamp will be shown in the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'**.
![browse project](../img/clair_ready.png)
**Scanning an image**
Enter your project, select the repository. For each tag there will be an 'Vulnerability' column to display vulnerability scanning status and related information. You can select the image and click the "SCAN" button to trigger the vulnerability scan process.
![browse project](../img/scan_image.png)
**NOTES: Only the users with 'Project Admin' role have the privilege to launch the analysis process.**
The analysis process may have the following status that are indicated in the 'Vulnerability' column:
* **Not Scanned:** The tag has never been scanned.
* **Queued:** The scanning task is scheduled but not executed yet.
* **Scanning:** The scanning process is in progress.
* **Error:** The scanning process failed to complete.
* **Complete:** The scanning process was successfully completed.
For the **'Not Scanned'** and **'Queued'** statuses, a text label with status information is shown. For the **'Scanning'**, a progress bar will be displayed.
If an error occurred, you can click on the **'View Log'** link to view the related logs.
![browse project](../img/log_viewer.png)
If the process was successfully completed, a result bar is created. The width of the different colored sections indicates the percentage of features with vulnerabilities for a particular severity level.
* **Red:** **High** level of vulnerabilities
* **Orange:** **Medium** level of vulnerabilities
* **Yellow:** **Low** level of vulnerabilities
* **Grey:** **Unknown** level of vulnerabilities
* **Green:** **No** vulnerabilities
![browse project](../img/bar_chart.png)
Move the cursor over the bar, a tooltip with summary report will be displayed. Besides showing the total number of features with vulnerabilities and the total number of features in the scanned image tag, the report also lists the counts of features with vulnerabilities of different severity levels. The completion time of the last analysis process is shown at the bottom of the tooltip.
![browse project](../img/summary_tooltip.png)
Click on the tag name link, the detail page will be opened. Besides the information about the tag, all the vulnerabilities found in the last analysis process will be listed with the related information. You can order or filter the list by columns.
![browse project](../img/tag_detail.png)
**NOTES: You can initiate the vulnerability analysis for a tag at anytime you want as long as the status is not 'Queued' or 'Scanning'.**
**Scanning all images**
In the **'Vulnerability'** tab of **'Configuration'** section under **'Administration'**, click on the **'SCAN NOW'** button to start the analysis process for all the existing images.
**NOTES: The scanning process is executed via multiple concurrent asynchronous tasks. There is no guarantee on the order of scanning or the returned results.**
![browse project](../img/scan_all.png)
To avoid frequently triggering the resource intensive scanning process, the availability of the button is restricted. It can be only triggered once in a predefined period. The next available time will be displayed besides the button.
![browse project](../img/scan_all2.png)
**Scheduled Scan by Policy**
You can set policies to control the vulnerability analysis process. Currently, two options are available:
* **None:** No policy is selected.
* **Daily:** Policy is activated daily. It means an analysis job is scheduled to be executed at the specified time everyday. The scheduled job will scan all the images in Harbor.
![browse project](../img/scan_policy.png)
**NOTES: Once the scheduled job is executed, the completion time of scanning all images will be updated accordingly. Please be aware that the completion time of the images may be different because the execution of analysis for each image may be carried out at different time.**

View File

@ -1,8 +1,9 @@
# Configuring Harbor # Configuring Harbor
After you have deployed Harbor, you can perform certain post-deployment configuration operations. After you have deployed Harbor, you must perform certain post-deployment configuration operations.
- [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure_manage_lifecycle.md) - [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure_manage_lifecycle.md)
- [Configure HTTPS Access to Harbor](configure_https.md) - [Configure HTTPS Access to Harbor](configure_https.md)
- [Customize the Harbor Token Service](customize_token_service.md) - [Customize the Harbor Token Service](customize_token_service.md)
- [Access Harbor Logs](access_logs.md) - [Access Harbor Logs](access_logs.md)
- [Initial Configuration in the Harbor UI](initial_config_ui.md)

View File

@ -0,0 +1,100 @@
# Configure Authentication
You can change authentication mode between **Database**(default) and **LDAP** before any user is added, when there is at least one user(besides admin) in Harbor, you cannot change the authentication mode.
![browse project](../img/new_auth.png)
When using LDAP mode, user's self-registration is disabled. The parameters of LDAP server must be filled in. For more information, refer to [User account](#user-account).
![browse project](../img/ldap_auth.png)
When using OIDC mode, user will login Harbor via OIDC based SSO. A client has to be registered on the OIDC provider and Harbor's callback URI needs to be associated to that client as a redirectURI.
![OIDC settings](../img/oidc_auth_setting.png)
The settings of this auth mode:
* OIDC Provider Name: The name of the OIDC Provider.
* OIDC Provider Endpoint: The URL of the endpoint of the OIDC provider(a.k.a the Authorization Server in OAuth's terminology),
which must service the "well-known" URI for its configuration, more details please refer to https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
* OIDC Client ID: The ID of client configured on OIDC Provider.
* OIDC Client Secret: The secret for this client.
* OIDC Scope: The scope values to be used during the authentication. It is the comma separated string, which must contain `openid`.
Normally it should also contain `profile` and `email`. For getting the refresh token it should also contain `offline_access`. Please check with the administrator of the OIDC Provider.
* Verify Certificate: Whether to check the certificate when accessing the OIDC Provider. if you are running the OIDC Provider with self-signed
certificate, make sure this value is set to false.
## User account
Harbor supports different authentication modes:
* **Database(db_auth)**
Users are stored in the local database.
A user can register himself/herself in Harbor in this mode. To disable user self-registration, refer to the [installation guide](installation_guide.md) for initial configuration, or disable this feature in [Administrator Options](#administrator-options). When self-registration is disabled, the system administrator can add users into Harbor.
When registering or adding a new user, the username and email must be unique in the Harbor system. The password must contain at least 8 characters with 1 lowercase letter, 1 uppercase letter and 1 numeric character.
When you forgot your password, you can follow the below steps to reset the password:
1. Click the link "Forgot Password" in the sign in page.
2. Input the email address entered when you signed up, an email will be sent out to you for password reset.
3. After receiving the email, click on the link in the email which directs you to a password reset web page.
4. Input your new password and click "Save".
* **LDAP/Active Directory (ldap_auth)**
Under this authentication mode, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly.
When an LDAP/AD user logs in by *username* and *password*, Harbor binds to the LDAP/AD server with the **"LDAP Search DN"** and **"LDAP Search Password"** described in [installation guide](installation_guide.md). If it succeeded, Harbor looks up the user under the LDAP entry **"LDAP Base DN"** including substree. The attribute (such as uid, cn) specified by **"LDAP UID"** is used to match a user with the *username*. If a match is found, the user's *password* is verified by a bind request to the LDAP/AD server. Uncheck **"LDAP Verify Cert"** if the LDAP/AD server uses a self-signed or an untrusted certificate.
Self-registration, deleting user, changing password and resetting password are not supported under LDAP/AD authentication mode because the users are managed by LDAP or AD.
* **OIDC Provider (oidc_auth)**
With this authentication mode, regular user will login to Harbor Portal via SSO flow.
After the system administrator configure Harbor to authenticate via OIDC (more details refer to [this section](#managing-authentication)),
a button `LOGIN VIA OIDC PROVIDER` will appear on the login page.
![oidc_login](../img/oidc_login.png)
By clicking this button user will kick off the SSO flow and be redirected to the OIDC Provider for authentication. After a successful
authentication at the remote site, user will be redirected to Harbor. There will be an "onboard" step if it's the first time the user
authenticate using his account, in which there will be a dialog popped up for him to set his user name in Harbor:
![oidc_onboar](../img/oidc_onboard_dlg.png)
This user name will be the identifier for this user in Harbor, which will be used in the cases such as adding member to a project, assigning roles, etc.
This has to be a unique user name, if another user has used this user name to onboard, user will be prompted to choose another one.
Regarding this user to use docker CLI, please refer to [Using CLI after login via OIDC based SSO](#using-oidc-cli-secret)
**NOTE:**
1. After the onboard process, you still have to login to Harbor via SSO flow, the `Username` and `Password` fields are only for
local admin to login when Harbor is configured authentication via OIDC.
2. Similar to LDAP authentication mode, self-registration, updating profile, deleting user, changing password and
resetting password are not supported.
## Using OIDC CLI secret
Having authenticated via OIDC SSO and onboarded to Harbor, you can use Docker/Helm CLI to access Harbor to read/write the artifacts.
As the CLI cannot handle redirection for SSO, we introduced `CLI secret`, which is only available when Harbor's authentication mode
is configured to OIDC based.
After logging into Harbor, click the drop down list to view user's profile:
![user_profile](../img/user_profile.png)
You can copy your CLI secret via the dialog of profile:
![profile_dlg](../img/profile_dlg.png)
After that you can authenticate using your user name in Harbor that you set during onboard process, and CLI secret as the password
with Docker/Helm CLI, for example:
```sh
docker login -u testuser -p xxxxxx jt-test.local.goharbor.io
```
When you click the "..." icon in the profile dialog, a button for generating new CLI secret will appear, and you can generate a new
CLI secret by clicking this button. Please be reminded one user can only have one CLI secret, so when a new secret is generated, the
old one becomes invalid at once.
**NOTE**:
Under the hood the CLI secret is associated with the ID token, and Harbor will try to refresh the token, so the CLI secret will
be valid after th ID token expires. However, if the OIDC Provider does not provide refresh token or the refresh fails for some
reason, the CLI secret will become invalid. In that case you can logout and login Harbor via SSO flow again so Harbor can get a
new ID token and the CLI secret will work again.
Title
Text

View File

@ -1,4 +1,4 @@
### Setup # Configure Notary Content Trust
In harbor.yml, make sure https is enabled, and the attributes `ssl_cert` and `ssl_cert_key` are pointed to valid certificates. For more information about generating https certificate please refer to: [Configuring HTTPS for Harbor](configure_https.md) In harbor.yml, make sure https is enabled, and the attributes `ssl_cert` and `ssl_cert_key` are pointed to valid certificates. For more information about generating https certificate please refer to: [Configuring HTTPS for Harbor](configure_https.md)

View File

@ -0,0 +1,24 @@
# Other General Settings
## Managing self-registration
You can manage whether a user can sign up for a new account. This option is not available if you use LDAP authentication.
![browse project](../img/new_self_reg.png)
## Managing email settings
You can change Harbor's email settings, the mail server is used to send out responses to users who request to reset their password.
![browse project](../img/new_config_email.png)
## Managing registry read only
You can change Harbor's registry read only settings, read only mode will allow 'docker pull' while preventing 'docker push' and the deletion of repository and tag.
![browse project](../img/read_only.png)
If it set to true, deleting repository, tag and pushing image will be disabled.
![browse project](../img/read_only_enable.png)
```
$ docker push 10.117.169.182/demo/ubuntu:14.04
The push refers to a repository [10.117.169.182/demo/ubuntu]
0271b8eebde3: Preparing
denied: The system is in read only mode. Any modification is prohibited.
```

View File

@ -0,0 +1,5 @@
# Initial Configuration in the Harbor UI
- [Configure Authentication](configure_authentication.md)
- [Other General Settings](general_settings.md)

View File

@ -1,38 +0,0 @@
# User Guide
## Overview
This guide walks you through the fundamentals of using Harbor. You'll learn how to use Harbor to:
* [Manage your projects](#managing-projects)
* [Manage members of a project](#managing-members-of-a-project)
* [Replicate resources between Harbor and non-Harbor registries](#replicating-resources)
* [Retag images within Harbor](#retag-images)
* [Search projects and repositories](#searching-projects-and-repositories)
* [Manage labels](#managing-labels)
* [Configure CVE Whitelists](#configure-cve-whitelists)
* [Set Project Quotas](#set-project-quotas)
* [Manage Harbor system if you are the system administrator:](#administrator-options)
* [Manage users](#managing-user)
* [Manage registries](#managing-registry)
* [Manage replication rules](#managing-replication)
* [Manage authentication](#managing-authentication)
* [Manage project creation](#managing-project-creation)
* [Manage self-registration](#managing-self-registration)
* [Manage email settings](#managing-email-settings)
* [Manage registry read only](#managing-registry-read-only)
* [Manage role by LDAP group](#managing-role-by-ldap-group)
* [Pull and push images using Docker client](#pulling-and-pushing-images-using-docker-client)
* [Add description to repositories](#add-description-to-repositories)
* [Delete repositories and images](#deleting-repositories)
* [Content trust](#content-trust)
* [Vulnerability scanning via Clair](#vulnerability-scanning-via-clair)
* [Pull image from Harbor in Kubernetes](#pull-image-from-harbor-in-kubernetes)
* [Manage Helm Charts](#manage-helm-charts)
* [Manage Helm Charts via portal](#manage-helm-charts-via-portal)
* [Working with Helm CLI](#working-with-helm-cli)
* [Online Garbage Collection](#online-garbage-collection)
* [View build history](#build-history)
* [Using CLI after login via OIDC based SSO](#using-oidc-cli-secret)
* [Manage robot account of a project](#robot-account)
* [Tag Retention Rules](#tag-retention-rules)
* [Webhook Notifications](#webhook-notifications)
* [Using API Explorer](#api-explorer)