diff --git a/docs/harbor-doc-reorg/_index.md b/docs/harbor-doc-reorg/_index.md index 161f06f57..243c88c74 100644 --- a/docs/harbor-doc-reorg/_index.md +++ b/docs/harbor-doc-reorg/_index.md @@ -28,8 +28,13 @@ This section describes how to use and maintain Harbor after deployment. These da - [Managing Users](administration/managing_users/_index.md) - [Harbor Role Based Access Control (RBAC)](administration/managing_users/configure_rbac.md) + - [User Permissions By Role](administration/managing_users/user_permissions_by_role.md) - [Configure Harbor User Settings at the Command Line](administration/managing_users/configure_user_settings_cli.md) - [Manage Roles by LDAP Group](administration/managing_users/manage_role_by_ldap_group.md) +- [Configuring Replication](administration/configuring_replication/_index.md) + - [Create Replication Endpoints](administration/configuring_replication/create_replication_endpoints.md) + - [Create Replication Rules](administration/configuring_replication/create_replication_rules.md) + - [Manage Replications](administration/configuring_replication/manage_replications.md) - [Upgrading Harbor](administration/upgrade/_index.md) - [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade_migrate_data.md) - [Roll Back an Upgrade](administration/upgrade/roll_back_upgrade.md) diff --git a/docs/harbor-doc-reorg/administration/_index.md b/docs/harbor-doc-reorg/administration/_index.md index e10953349..97bcfaf5c 100644 --- a/docs/harbor-doc-reorg/administration/_index.md +++ b/docs/harbor-doc-reorg/administration/_index.md @@ -1,4 +1,5 @@ # Harbor Administration - [Managing Users](managing_users/_index.md) +- [Configuring Replication](configuring_replication/_index.md) - [Upgrading Harbor](upgrade/_index.md) \ No newline at end of file diff --git a/docs/harbor-doc-reorg/administration/administrator_options.md b/docs/harbor-doc-reorg/administration/administrator_options.md index 6cdb659ee..abfba1078 100644 
--- a/docs/harbor-doc-reorg/administration/administrator_options.md +++ b/docs/harbor-doc-reorg/administration/administrator_options.md @@ -1,8 +1,5 @@ # Administrator options -### Managing user -Administrator can add "Administrator" role to one or more ordinary users by checking checkboxes and clicking `SET AS ADMINISTRATOR`. To delete users, checked checkboxes and select `DELETE`. Deleting user is only supported under database authentication mode. -![browse project](../img/new_set_admin_remove_user.png) ### Managing registry You can list, add, edit and delete registries under `Administration->Registries`. Only registries which are not referenced by any rules can be deleted. @@ -10,9 +7,7 @@ You can list, add, edit and delete registries under `Administration->Registries` ![browse project](../img/manage_registry.png) ### Managing replication -You can list, add, edit and delete rules under `Administration->Replications`. -![browse project](../img/manage_replication.png) ### Managing authentication You can change authentication mode between **Database**(default) and **LDAP** before any user is added, when there is at least one user(besides admin) in Harbor, you cannot change the authentication mode. diff --git a/docs/harbor-doc-reorg/administration/configuring_replication/_index.md b/docs/harbor-doc-reorg/administration/configuring_replication/_index.md new file mode 100644 index 000000000..6cccd2091 --- /dev/null +++ b/docs/harbor-doc-reorg/administration/configuring_replication/_index.md 
@@ -0,0 +1,13 @@ +# Configuring Replication + +Replication allows users to replicate resources (images/charts) between Harbor and non-Harbor registries in both pull or push mode. + +Once the system administrator has set a rule, all resources that match the defined [filter](#resource-filter) patterns will be replicated to the destination registry when the [triggering condition](#trigger-mode) is matched. Each resource will start a task to run. If the namespace does not exist on the destination registry, a new namespace will be created automatically. If it already exists and the user configured in the policy has no write privilege to it, the process will fail. The member information will not be replicated. + +There may be a bit of delay during replication based on the situation of the network. If a replication task fails, it will be re-scheduled a few minutes later and retried times. + +**Note:** Due to API changes, replication between different versions of Harbor is not supported. + +- [Create Replication Endpoints](create_replication_endpoints.md) +- [Create Replication Rules](create_replication_rules.md) +- [Manage Replications](manage_replications.md) diff --git a/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_endpoints.md b/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_endpoints.md new file mode 100644 index 000000000..dd4622cfe --- /dev/null +++ b/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_endpoints.md 
@@ -0,0 +1,38 @@ +# Create Replication Endpoints + +To replicate image repositories from one instance of Harbor to another Harbor or non-Harbor registry, you first create replication endpoints. + +1. Go to **Registries** and click the **+ New Endpoint** button. + + ![New replication endpoint](../img/replication-endpoint1.png) +1. For **Provider**, use the drop-down menu to select the type of registry to set up as a replication endpoint. + + The endpoint can be another Harbor instance, or a non-Harbor registry. Currently, the following non-Harbor registries are supported: + + - Docker Hub + - Docker registry + - AWS Elastic Container Registry + - Azure Container Registry + - Ali Cloud Container Registry + - Google Container Registry + - Huawei SWR + - Helm Hub + + ![Replication providers](../img/replication-endpoint2.png) + +1. Enter a suitable name and description for the new replication endpoint. +1. Enter the full URL of the registry to set up as a replication endpoint. + + For example, to replicate to another Harbor instance, enter https://harbor_instance_address:443. The registry must exist and be running before you create the endpoint. +1. Enter the Access ID and Access Secret for the endpoint registry instance. + + Use an account that has the appropriate privileges on that registry, or an account that has write permission on the corresponding project in a Harbor registry. + + **NOTES**: + - AWS ECR adapters should use access keys, not a username and password. The access key should have sufficient permissions, such as storage permission. + - Google GCR adapters should use the entire JSON key generated in the service account. The namespace should start with the project ID. +1. Optionally, select the **Verify Remote Cert** check box. + + Deselect the check box if the remote registry uses a self-signed or untrusted certificate. +1. Click **Test Connection**. +1. When you have successfully tested the connection, click **OK**. \ No newline at end of file 
diff --git a/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_rules.md b/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_rules.md new file mode 100644 index 000000000..3104ac46a --- /dev/null +++ b/docs/harbor-doc-reorg/administration/configuring_replication/create_replication_rules.md @@ -0,0 +1,31 @@ +# Create Replication Rules + +Login as a system administrator user, click `NEW REPLICATION RULE` under `Administration->Replications` and fill in the necessary fields. You can choose different replication modes, [resource filters](#resource-filter) and [trigger modes](#trigger-mode) according to the different requirements. If there is no endpoint available in the list, follow the instructions in the [Creating replication endpoints](#creating-replication-endpoints) to create one. Click `SAVE` to create a replication rule. + +![browse project](../img/create_rule.png) + +#### Resource filter +Three resource filters are supported: +* **Name**: Filter resources according to the name. +* **Tag**: Filter resources according to the tag. +* **Resource**: Filter images according to the resource type. + +The terms supported in the pattern used by name filter and tag filter are as follows: +* **\***: Matches any sequence of non-separator characters `/`. +* **\*\***: Matches any sequence of characters, including path separators `/`. +* **?**: Matches any single non-separator character `/`. +* **{alt1,...}**: Matches a sequence of characters if one of the comma-separated alternatives matches. + +**Note:** `library` must be added if you want to replicate the official images of Docker Hub. For example, `library/hello-world` matches the official hello-world images. + +Pattern | String(Match or not) +---------- | ------- +`library/*` | `library/hello-world`(Y)
`library/my/hello-world`(N) +`library/**` | `library/hello-world`(Y)
`library/my/hello-world`(Y) +`{library,goharbor}/**` | `library/hello-world`(Y)
`goharbor/harbor-core`(Y)
`google/hello-world`(N) +`1.?` | `1.0`(Y)
`1.01`(N) + +#### Trigger mode +* **Manual**: Replicate the resources manually when needed. **Note**: The deletion operations are not replicated. +* **Scheduled**: Replicate the resources periodically. **Note**: The deletion operations are not replicated. +* **Event Based**: When a new resource is pushed to the project, it is replicated to the remote registry immediately. Same to the deletion operation if the `Delete remote resources when locally deleted` checkbox is selected. diff --git a/docs/harbor-doc-reorg/administration/configuring_replication/manage_replications.md b/docs/harbor-doc-reorg/administration/configuring_replication/manage_replications.md new file mode 100644 index 000000000..4724b289d --- /dev/null +++ b/docs/harbor-doc-reorg/administration/configuring_replication/manage_replications.md 
@@ -0,0 +1,26 @@ +# Manage Replications + +You can list, add, edit and delete rules under `Administration->Replications`. + +![browse project](../img/manage_replication.png) + +### Starting a replication manually +Select a replication rule and click `REPLICATE`, the resources which the rule is applied to will be replicated from the source registry to the destination immediately. + +![browse project](../img/start_replicate.png) + +### Listing and stopping replication executions +Click a rule, the execution records which belong to this rule will be listed. Each record represents the summary of one execution of the rule. Click `STOP` to stop the executions which are in progress. + +![browse project](../img/list_stop_executions.png) + +### Listing tasks +Click the ID of one execution, you can get the execution summary and the task list. Click the log icon can get the detail information for the replication progress. +**Note**: The count of `IN PROGRESS` status in the summary includes both `Pending` and `In Progress` tasks. + +![browse project](../img/list_tasks.png) + +### Deleting the replication rule +Select the replication rule and click `DELETE` to delete it. Only rules which have no in progress executions can be deleted. + +![browse project](../img/delete_rule.png) \ No newline at end of file diff --git a/docs/harbor-doc-reorg/administration/managing_users/_index.md b/docs/harbor-doc-reorg/administration/managing_users/_index.md index 47c6fff68..acd0bce9e 100644 --- a/docs/harbor-doc-reorg/administration/managing_users/_index.md +++ b/docs/harbor-doc-reorg/administration/managing_users/_index.md @@ -1,5 +1,6 @@ # Managing Users - [Harbor Role Based Access Control (RBAC)](configure_rbac.md) +- [User Permissions By Role](user_permissions_by_role.md) - [Configure Harbor User Settings at the Command Line](configure_user_settings_cli.md) - [Manage Roles by LDAP Group](manage_role_by_ldap_group.md) 
diff --git a/docs/harbor-doc-reorg/administration/managing_users/configure_rbac.md b/docs/harbor-doc-reorg/administration/managing_users/configure_rbac.md index 8ecfc8c75..825ad05ad 100644 --- a/docs/harbor-doc-reorg/administration/managing_users/configure_rbac.md +++ b/docs/harbor-doc-reorg/administration/managing_users/configure_rbac.md @@ -14,7 +14,12 @@ Besides the above three roles, there are two system-level roles: * **SysAdmin**: "SysAdmin" has the most privileges. In addition to the privileges mentioned above, "SysAdmin" can also list all projects, set an ordinary user as administrator, delete users and set vulnerability scan policy for all images. The public project "library" is also owned by the administrator. * **Anonymous**: When a user is not logged in, the user is considered as an "Anonymous" user. An anonymous user has no access to private projects and has read-only access to public projects. -See detailed permissions matrix listed here: https://github.com/goharbor/harbor/blob/master/docs/permissions.md +For full details of the permissions of the different roles, see [User Permissions By Role](user_permissions_by_role.md). + +## Managing user +Administrator can add "Administrator" role to one or more ordinary users by checking checkboxes and clicking `SET AS ADMINISTRATOR`. To delete users, checked checkboxes and select `DELETE`. Deleting user is only supported under database authentication mode. + +![browse project](../img/new_set_admin_remove_user.png) ## User account Harbor supports different authentication modes: diff --git a/docs/harbor-doc-reorg/working_with_projects/permissions.md b/docs/harbor-doc-reorg/administration/managing_users/user_permissions_by_role.md similarity index 99% rename from docs/harbor-doc-reorg/working_with_projects/permissions.md rename to docs/harbor-doc-reorg/administration/managing_users/user_permissions_by_role.md index 2543ef3c3..d183c3adb 100644 --- a/docs/harbor-doc-reorg/working_with_projects/permissions.md 
+++ b/docs/harbor-doc-reorg/administration/managing_users/user_permissions_by_role.md @@ -1,4 +1,4 @@ -# Permissions +# User Permissions By Role Users have different abilities depending on the role they in a project. diff --git a/docs/harbor-doc-reorg/working_with_projects/replicating_resources.md b/docs/harbor-doc-reorg/working_with_projects/replicating_resources.md deleted file mode 100644 index 7c5da0283..000000000 --- a/docs/harbor-doc-reorg/working_with_projects/replicating_resources.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Replicating Resources -Replication allows users to replicate resources (images/charts) between Harbor and non-Harbor registries in both pull or push mode. - -Once the system administrator has set a rule, all resources that match the defined [filter](#resource-filter) patterns will be replicated to the destination registry when the [triggering condition](#trigger-mode) is matched. Each resource will start a task to run. If the namespace does not exist on the destination registry, a new namespace will be created automatically. If it already exists and the user configured in the policy has no write privilege to it, the process will fail. The member information will not be replicated. - -There may be a bit of delay during replication based on the situation of the network. If a replication task fails, it will be re-scheduled a few minutes later and retried times. - -**Note:** Due to API changes, replication between different versions of Harbor is not supported. - -### Creating replication endpoints - -To replicate image repositories from one instance of Harbor to another Harbor or non-Harbor registry, you first create replication endpoints. - -1. Go to **Registries** and click the **+ New Endpoint** button. - - ![New replication endpoint](../img/replication-endpoint1.png) -1. For **Provider**, use the drop-down menu to select the type of registry to set up as a replication endpoint. - - The endpoint can be another Harbor instance, or a non-Harbor registry. Currently, the following non-Harbor registries are supported: - - - Docker Hub - - Docker registry - - AWS Elastic Container Registry - - Azure Container Registry - - Ali Cloud Container Registry - - Google Container Registry - - Huawei SWR - - Helm Hub - - ![Replication providers](../img/replication-endpoint2.png) - -1. Enter a suitable name and description for the new replication endpoint. -1. Enter the full URL of the registry to set up as a replication endpoint. 
- - For example, to replicate to another Harbor instance, enter https://harbor_instance_address:443. The registry must exist and be running before you create the endpoint. -1. Enter the Access ID and Access Secret for the endpoint registry instance. - - Use an account that has the appropriate privileges on that registry, or an account that has write permission on the corresponding project in a Harbor registry. - - **NOTES**: - - AWS ECR adapters should use access keys, not a username and password. The access key should have sufficient permissions, such as storage permission. - - Google GCR adapters should use the entire JSON key generated in the service account. The namespace should start with the project ID. -1. Optionally, select the **Verify Remote Cert** check box. - - Deselect the check box if the remote registry uses a self-signed or untrusted certificate. -1. Click **Test Connection**. -1. When you have successfully tested the connection, click **OK**. - -### Creating a replication rule -Login as a system administrator user, click `NEW REPLICATION RULE` under `Administration->Replications` and fill in the necessary fields. You can choose different replication modes, [resource filters](#resource-filter) and [trigger modes](#trigger-mode) according to the different requirements. If there is no endpoint available in the list, follow the instructions in the [Creating replication endpoints](#creating-replication-endpoints) to create one. Click `SAVE` to create a replication rule. - -![browse project](../img/create_rule.png) - -#### Resource filter -Three resource filters are supported: -* **Name**: Filter resources according to the name. -* **Tag**: Filter resources according to the tag. -* **Resource**: Filter images according to the resource type. - -The terms supported in the pattern used by name filter and tag filter are as follows: -* **\***: Matches any sequence of non-separator characters `/`. 
-* **\*\***: Matches any sequence of characters, including path separators `/`. -* **?**: Matches any single non-separator character `/`. -* **{alt1,...}**: Matches a sequence of characters if one of the comma-separated alternatives matches. - -**Note:** `library` must be added if you want to replicate the official images of Docker Hub. For example, `library/hello-world` matches the official hello-world images. - -Pattern | String(Match or not) ----------- | ------- -`library/*` | `library/hello-world`(Y)
`library/my/hello-world`(N) -`library/**` | `library/hello-world`(Y)
`library/my/hello-world`(Y) -`{library,goharbor}/**` | `library/hello-world`(Y)
`goharbor/harbor-core`(Y)
`google/hello-world`(N) -`1.?` | `1.0`(Y)
`1.01`(N) - -#### Trigger mode -* **Manual**: Replicate the resources manually when needed. **Note**: The deletion operations are not replicated. -* **Scheduled**: Replicate the resources periodically. **Note**: The deletion operations are not replicated. -* **Event Based**: When a new resource is pushed to the project, it is replicated to the remote registry immediately. Same to the deletion operation if the `Delete remote resources when locally deleted` checkbox is selected. - -### Starting a replication manually -Select a replication rule and click `REPLICATE`, the resources which the rule is applied to will be replicated from the source registry to the destination immediately. - -![browse project](../img/start_replicate.png) - -### Listing and stopping replication executions -Click a rule, the execution records which belong to this rule will be listed. Each record represents the summary of one execution of the rule. Click `STOP` to stop the executions which are in progress. - -![browse project](../img/list_stop_executions.png) - -### Listing tasks -Click the ID of one execution, you can get the execution summary and the task list. Click the log icon can get the detail information for the replication progress. -**Note**: The count of `IN PROGRESS` status in the summary includes both `Pending` and `In Progress` tasks. - -![browse project](../img/list_tasks.png) - -### Deleting the replication rule -Select the replication rule and click `DELETE` to delete it. Only rules which have no in progress executions can be deleted. - -![browse project](../img/delete_rule.png)
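
Review bot: In `administration/administrator_options.md`, the second hunk leaves the `### Managing replication` heading in place with nothing under it, while the first hunk removes `### Managing user` together with its body. Either drop the empty heading as well, or keep it with a one-line pointer to `configuring_replication/manage_replications.md`, where the removed sentence and screenshot now live.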
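
Review bot: In `administration/configuring_replication/_index.md`, the links `[filter](#resource-filter)` and `[triggering condition](#trigger-mode)` point at in-page anchors, but this patch puts the `#### Resource filter` and `#### Trigger mode` headings in `create_replication_rules.md`, so both links are dead on the new index page. Point them at `create_replication_rules.md#resource-filter` and `create_replication_rules.md#trigger-mode`. The sentence "it will be re-scheduled a few minutes later and retried times" is also carried over with the retry count missing, which is worth filling in while the text is being moved.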
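
Review bot: In `create_replication_endpoints.md`, the **Verify Remote Cert** step tells the reader to deselect the check box for a self-signed or untrusted certificate without saying what that turns off. With the box deselected the remote registry's certificate is not validated, and the Access ID and Access Secret entered in the previous step are used over that unverified connection, so the step should state that consequence. "Optionally, select" also reads as if verification were an extra; wording it as the expected setting, with deselection as the exception, would match the intent of the second sentence.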
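
Review bot: In `create_replication_rules.md`, the link `[Creating replication endpoints](#creating-replication-endpoints)` targets a heading that does not exist in this file, because the endpoint procedure now lives in `create_replication_endpoints.md` under the title `# Create Replication Endpoints`. Link to `create_replication_endpoints.md` instead. The headings also jump from `#` straight to `####`; `##` would fit now that this is a standalone page.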
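
Review bot: In `manage_replications.md`, `![browse project](../img/manage_replication.png)` is the same relative path that this patch removes from `administration/administrator_options.md`, but the new file sits one directory deeper, in `administration/configuring_replication/`, so `../img/` no longer resolves to the directory it did before. Confirm the images exist at the new location or change the links to `../../img/...`. The same applies to every `../img/` link in the other two new files in this directory, which were copied unchanged from `working_with_projects/replicating_resources.md`.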
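
Review bot: In `managing_users/configure_rbac.md`, the `## Managing user` section is moved in verbatim, including "To delete users, checked checkboxes and select `DELETE`" and the missing articles in "Administrator can add" and "Deleting user is only supported". Since the section is being re-homed, fix the wording in this hunk (for example "To delete users, select their checkboxes and click `DELETE`") and consider the plural heading `## Managing users` to match the `# Managing Users` title in `managing_users/_index.md`.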