Doc updates for 1.10 (#10029)

* Updated doc to include Limited Guest

* Added example for limited guest.

* Updated vulnerability scanning docs for 1.10.

* Updated GC docs to reflect new position in UI

* Updated project quota doc to reflect new position in UI

* Added some doc about tag immutability

* Fixed index

* Formatting

* Added new replication endpoints

* Added project quota webhook

* Review comments from Alex

* Clarified Clair requirement for additional scanners

* Some formatting and edits in vulnerability section

* Updated tag retention doc to reflect new UI

* Updated tag immutability to reflect new UI

* New screencaps

* Updated robot accounts doc for new UI and rewrote

* Formatting

* Updated webhooks doc for new UI

* Formatting

* Updated Logs doc for new UI

* Formatting

* New screencaps

* Added tag immutability to permissions document

* Corrected immutability permissions

* Added explanation for project quotas

* Fixed typo

* Linked to new compatibility list document

* Comments from Alex

* Comments from Steven and Wang

* Removed mention of the ellipsis in project menu

* Reverting some screencaps to remove ellipsis

* Reverted log screencaps to remove ellipsis

* Minor rewording

* Fixed caps

* More cap fixing

* Added info about self-registration, rewrote db auth doc

* Attempting to document *.asc key

* Added that negligible vulnerabilities are ignored, rewrote

* Formatting

* Added scanner permissions to table

* Clarified labelling and replication

* Rewrote replication docs

* Formatting

* Typo

* Rearranged content

* Updated ASC key docs

* formatting

* Minor rewording

* Rewrote LDAP section

* minor edits

* Added OIDC groups, rewrote OIDC docs

* formatting

* Mentioned memberof for OIDC.

* Comments from steven

* Added info about insecure registries

* Added tag immutability example

* Removed UAA from install guide

* Cleaned up headers

* More clean up of headers

* Recommended not to use UAA

* Added user-generated CLI secret

* Adding stray screencap

docs/import_vulnerability_data.md

@@ -1,6 +1,6 @@
 ## Update an offline Harbor instance with new vulnerability data
 
-Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor administrator needs to manually update the Clair database.
+Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor system administrator needs to manually update the Clair database.
 
 This document provides step-by-step instructions on updating Clair vulnerability database in Harbor.
 

docs/installation_guide.md

@@ -1,4 +1,4 @@
-# Installation and Configuration Guide
+# Harbor Installation and Configuration Guide
 
 There are two possibilities when installing Harbor.
 
@@ -72,10 +72,34 @@ The installation procedure involves the following steps:
 2. Configure the **harbor.yml** file.
 3. Run the **install.sh** script with the appropriate options to install and start Harbor.
 
-## Download the Installer
+## Download and Unpack the Installer
 
 1. Go to the [Harbor releases page](https://github.com/goharbor/harbor/releases). 
-1. Select either the online or offline installer for the version you want to install.
+1. Download either the online or offline installer for the version you want to install.
+1. Optionally download the corresponding `*.asc` file to verify that the package is genuine. 
+  
+   The `*.asc` file is an OpenPGP key file. Perform the following steps to verify that the downloaded bundle is genuine. 
+   
+   1. Obtain the public key for the `*.asc` file.
+      
+      <pre>gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 644FF454C0B4115C</pre>
+      
+      You should see the message ` public key "Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>" imported`
+   1. Verify that the package is genuine by running one of the following commands.
+
+      - Online installer: <pre>gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-online-installer-<i>version</i>.tgz.asc</pre>
+      - Offline installer: <pre>gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-offline-installer-<i>version</i>.tgz.asc</pre>
+      
+      The `gpg` command verifies that the signature of the bundle matches that of the `*.asc` key file. You should see confirmation that the signature is correct.
+      
+      <pre>
+      gpg: armor header: Version: GnuPG v1
+      gpg: assuming signed data in 'harbor-offline-installer-v1.10.0-rc2.tgz'
+      gpg: Signature made Fri, Dec  6, 2019  5:04:17 AM WEST
+      gpg:                using RSA key 644FF454C0B4115C
+      gpg: using pgp trust model
+      gpg: Good signature from "Harbor-sign (The key for signing Harbor build) &lt;jiangd@vmware.com&gt; [unknown]
+      </pre>
 1. Use `tar` to extract the installer package:
 
    - Online installer:<pre>bash $ tar xvf harbor-online-installer-<em>version</em>.tgz</pre>
@@ -133,7 +157,7 @@ You can use certificates that are signed by a trusted third-party CA, or you can
   <tr>
     <td valign="top"><code>harbor_admin_password</code></td>
     <td valign="top">None</td>
-    <td valign="top">Set an initial password for the Harbor administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are <code>admin</code> and <code>Harbor12345</code>.</td>
+    <td valign="top">Set an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are <code>admin</code> and <code>Harbor12345</code>.</td>
   </tr>
   <tr>
     <td valign="top"><code>database</code></td>
@@ -373,18 +397,10 @@ The following table lists the additional, optional parameters that you can set t
     <td valign="top"><code>chartmuseum_db_index</code></td>
     <td valign="top">Database index for Chart museum.</td>
   </tr>
-  <tr>
-    <td valign="top"><code>uaa</code></td>
-    <td valign="top">&nbsp;</td>
-    <td valign="top">Enable UAA to trust the certificate of a UAA instance that is hosted via a self-signed certificate.</td>
-  </tr>
-  <tr>
-    <td valign="top">&nbsp;</td>
-    <td valign="top"><code>ca_file</code></td>
-    <td valign="top">The path to the self-signed certificate of the UAA instance, for example <code>/path/to/ca</code>.</td>
-  </tr>
 </table>
 
+**NOTE**: The `harbor.yml` file includes options to configure a UAA CA certificate. This authentication mode is not recommended and is not documented.
+
 <a id="backend"></a>
 ### Configuring a Storage Backend 
 
@@ -406,7 +422,7 @@ storage_service:
 ```
 
 
-## Installating and starting Harbor
+## Installing and starting Harbor
 
 Once you have configured **harbor.yml** optionally set up a storage backend, you install and start Harbor by using the `install.sh` script. Note that it might take some time for the online installer to download all of the `Harbor images from Docker hub.
 
@@ -435,8 +451,6 @@ $ docker login reg.yourdomain.com
 $ docker push reg.yourdomain.com/myproject/myrepo:mytag
 ```
 
-**IMPORTANT:** If your installation of Harbor uses HTTP, you must add the option `--insecure-registry` to your client's Docker daemon and restart the Docker service.
-
 ### Installation with Notary
 
 To install Harbor with the Notary service, add the `--with-notary` parameter when you run `install.sh`:
@@ -475,6 +489,31 @@ If you want to install all three of Notary, Clair and chart repository service,
     $ sudo ./install.sh --with-notary --with-clair --with-chartmuseum
 ```
 
+<a id="connect_http"></a>
+## Connecting to Harbor via HTTP
+
+**IMPORTANT:** If your installation of Harbor uses HTTP rather than HTTPS, you must add the option `--insecure-registry` to your client's Docker daemon. By default, the daemon file is located at `/etc/docker/daemon.json`.
+
+For example, add the following to your `daemon.json` file:
+
+<pre>
+{
+"insecure-registries" : ["<i>myregistrydomain.com</i>:5000", "0.0.0.0"]
+}
+</pre>
+
+After you update `daemon.json`, you must restart both Docker Engine and Harbor.
+
+1. Restart Docker Engine.
+
+   `systemctl restart docker`
+1. Stop Harbor.
+
+   `docker-compose down -v`
+1. Restart Harbor.
+
+   `docker-compose up -d`
+
 ## Using Harbor
 
 For information on how to use Harbor, see the **[Harbor User Guide](user_guide.md)** .

docs/manage_role_by_ldap_group.md

@@ -1,57 +1,12 @@
 ## Introduction
 
-This guide provides instructions to manage roles by LDAP/AD group. You can import an LDAP/AD group to Harbor and assign project roles to it. All LDAP/AD users in this LDAP/AD group have assigned roles.
+You can import an LDAP/AD group to Harbor and assign project roles to it. All LDAP/AD users in this LDAP/AD group have assigned roles.
 
-## Prerequisite
-
-1. Harbor's auth_mode is ldap_auth and **[basic LDAP configure parameters](https://github.com/vmware/harbor/blob/master/docs/installation_guide.md#optional-parameters)** are configured.
-1. Memberof overlay
-
-    This feature requires the LDAP/AD server enabled the feature **memberof overlay**. 
-    With this feature, the LDAP/AD user entity's attribute **memberof** is updated when the group entity's **member** attribute is updated. For example, adding or removing an LDAP/AD user from the LDAP/AD group.
-
-    * OpenLDAP -- Refer this **[guide](https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/)** to enable and verify **memberof overlay**
-    * Active Directory -- this feature is enabled by default.
-
-## Configure LDAP group settings
-
-Besides **[basic LDAP configure parameters](https://github.com/vmware/harbor/blob/master/docs/installation_guide.md#optional-parameters)** , LDAP group related configure parameters should be configured, they can be configured before or after installation
-
-  1. Configure LDAP parameters via API, refer to **[Config Harbor user settings by command line](configure_user_settings.md)**
+**NOTE**: Information about how to configure LDAP Groups in the Harbor interface has migrated to the [Harbor User Guide](user_guide.md).
+    
+To configure LDAP parameters via the API, see **[Configure Harbor User Settings from the Command Line](configure_user_settings.md)**
 
 For example:
 ```
 curl -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/configurations -d'{"ldap_group_basedn":"ou=groups,dc=example,dc=com"}'
-```   
-The following parameters are related to LDAP group configuration.
-   * ldap_group_basedn -- The base DN from which to lookup a group in LDAP/AD, for example: ou=groups,dc=example,dc=com
-   * ldap_group_filter -- The filter to search LDAP/AD group, for example: objectclass=groupOfNames 
-   * ldap_group_gid    -- The attribute used to name an LDAP/AD group, for example: cn 
-   * ldap_group_scope  -- The scope to search for LDAP/AD groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE 
-
-  2. Or change configure parameter in web console after installation. Go to "Administration" -> "Configuration" -> "Authentication" and change following settings.
-   - LDAP Group Base DN -- ldap_group_basedn in the Harbor user settings
-   - LDAP Group Filter  -- ldap_group_filter in the Harbor user settings
-   - LDAP Group GID     -- ldap_group_gid in the Harbor user settings
-   - LDAP Group Scope   -- ldap_group_scope in the Harbor user settings
-   - LDAP Groups With Admin Privilege -- Specify an LDAP/AD group DN, all LDAPA/AD users in this group have harbor admin privileges.
-
-![Screenshot of LDAP group config](img/group/ldap_group_config.png)
-
-## Assign project role to LDAP/AD group
-
-In "Project" -> "Members" -> "+ GROUP".
-
-![Screenshot of add group](img/group/ldap_group_addgroup.png)
-
-You can "Add an existing user group to project member" or "Add a group from LDAP to project member".
-
-![Screenshot of add group dialog](img/group/ldap_group_addgroup_dialog.png)
-
-Once an LDAP group is assigned a project role, log in with an LDAP/AD user in this group, the user should have the privilege of its group role.
-
-If a user is in the LDAP groups with admin privilege (ldap_group_admin_dn), the user should have the same privileges with Harbor admin.
-
-## User privileges and group privileges
-
-If a user has both user-level role and group-level role, these privileges are merged together.
+```

docs/permissions.md

@@ -29,6 +29,8 @@ The following table depicts the various user permission levels in a project.
 | Pull image                              | ✓             | ✓     | ✓         | ✓      | ✓             |
 | Push image                              |               |       | ✓         | ✓      | ✓             |
 | Scan/delete image                       |               |       |           | ✓      | ✓             |
+| Add scanners to Harbor                  |               |       |           |       |               |
+| Edit scanners in projects               |               |       |           |         | ✓             |
 | See a list of image vulnerabilities     | ✓             | ✓     | ✓         | ✓      | ✓             |
 | See image build history                 | ✓             | ✓     | ✓         | ✓      | ✓             |
 | Add/Remove labels of image              |               |       | ✓         | ✓      | ✓             |
@@ -48,7 +50,9 @@ The following table depicts the various user permission levels in a project.
 | Enable/disable webhooks                 |               |       | ✓         | ✓      | ✓             |
 | Create/delete tag retention rules       |               |       | ✓         | ✓      | ✓             |
 | Enable/disable tag retention rules      |               |       | ✓         | ✓      | ✓             |
+| Create/delete tag immutability rules       |               |       |          |       | ✓             |
+| Enable/disable tag immutability rules      |               |       |          |       | ✓             |
 | See project quotas                      | ✓             | ✓     | ✓         | ✓      | ✓             |
-| Edit project quotas                     |               |       |           |        |               |
-
+| Edit project quotas  *                   |               |       |           |        |               |
 
+* Only the Harbor system administrator can edit project quotas and add new scanners.