Moved content around

This commit is contained in:
Stuart Clements 2019-12-18 16:06:18 +01:00
parent 6e6ad9dc27
commit 99f3be281d
14 changed files with 126 additions and 87 deletions

View File

@ -23,26 +23,29 @@ This section describes how to install Harbor and perform the required initial co
This section describes how to use and maintain Harbor after deployment. These day 2 operations are performed by the Harbor Administrator.
- [Introduction](administration/_index.md)
- [Configure Authentication](administration/configure_authentication.md)
- [Manage Users](administration/managing_users/_index.md)
- [Harbor Role Based Access Control (RBAC)](administration/managing_users/configure_rbac.md)
- [Configuring Authentication](administration/configure_authentication.md)
- [Database Authentication](administration/configure_authentication/db_auth.md)
- [LDAP/Active Directory Authentication](administration/configure_authentication/ldap_auth.md)
- [OIDC Provider Authentication](administration/configure_authentication/oidc_auth.md)
- [Manage Users](administration/managing_users/managing_users.md)
- [Harbor Role Based Access Control (RBAC)](administration/managing_users/rbac.md)
- [User Permissions By Role](administration/managing_users/user_permissions_by_role.md)
- [Configure Harbor User Settings at the Command Line](administration/managing_users/configure_user_settings_cli.md)
- [Administrator Options](install_config/general_settings.md)
- [Configure Project Settings](administration/configure_project_settings/_index.md)
- [Set Project Quotas](administration/configure_project_settings/set_project_quotas.md)
- [Configuring Replication](administration/configuring_replication/_index.md)
- [Administrator Options](administration/general_settings.md)
- [Configure Project Settings](administration/configure_project_settings.md)
- [Set Project Quotas](administration/set_project_quotas.md)
- [Configuring Replication](administration/configuring_replication/configuring_replication.md)
- [Create Replication Endpoints](administration/configuring_replication/create_replication_endpoints.md)
- [Create Replication Rules](administration/configuring_replication/create_replication_rules.md)
- [Manage Replications](administration/configuring_replication/manage_replications.md)
- [Vulnerability Scanning](administration/vulnerability_scanning/_index.md)
- [Vulnerability Scanning](administration/vulnerability_scanning/vulnerability_scanning.md)
- [Connect Harbor to Additional Vulnerability Scanners](administration/vulnerability_scanning/pluggable_scanners.md)
- [Scan an Individual Image](administration/vulnerability_scanning/scan_individual_image.md)
- [Scan All Images](administration/vulnerability_scanning/scan_all_images.md)
- [Schedule Scans](administration/vulnerability_scanning/schedule_scans.md)
- [Import Vulnerability Data to an Offline Harbor instance](administration/vulnerability_scanning/import_vulnerability_data.md)
- [Configure System-Wide CVE Whitelists](administration/vulnerability_scanning/configure_system_whitelist.md)
- [Garbage Collection](administration/garbage_collection/_index.md)
- [Garbage Collection](administration/garbage_collection.md)
- [Upgrading Harbor](administration/upgrade/_index.md)
- [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade_migrate_data.md)
- [Roll Back an Upgrade](administration/upgrade/roll_back_upgrade.md)

View File

@ -0,0 +1,14 @@
# Configuring Authentication
Harbor supports different modes for authenticating users and managing user accounts.
- [Database Authentication](db_auth.md)
- [LDAP/Active Directory Authentication](ldap_auth.md)
- [OIDC Provider Authentication](oidc_auth.md)
**NOTE**: The Harbor interface offers an option to configure UAA authentication. This authentication mode is not recommended and is not documented in this guide.
----------
[Back to table of contents](../../_index.md)

View File

@ -0,0 +1,27 @@
[Back to table of contents](../../_index.md)
----------
# Database Authentication
In database authentication mode, user accounts are stored in the local database. By default, only the Harbor system administrator can create user accounts to add users to Harbor. You can optionally configure Harbor to allow self-registration.
**IMPORTANT**: If you create users in the database, Harbor is locked in database mode. You cannot change to a different authentication mode after you have created local users.
1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.
1. Under **Administration**, go to **Configuration** and select the **Authentication** tab.
1. Leave **Auth Mode** set to the default **Database** option.
![Database authentication](../../img/db_auth.png)
1. Optionally select the **Allow Self-Registration** check box.
![Enable self-registration](../../img/new_self_reg.png)
If you enable self registration option, users can register themselves in Harbor. Self-registration is disabled by default. If you enable self-registration, unregistered users can sign up for a Harbor account by clicking **Sign up for an account** in the Harbor log in page.
![Enable self-registration](../../img/self-registration-login.png)
----------
[Back to table of contents](../../_index.md)

View File

@ -0,0 +1,47 @@
[Back to table of contents](../../_index.md)
----------
# LDAP/Active Directory Authentication
If you select LDAP/AD authentication, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly. In this case, you do not create user accounts in Harbor.
**IMPORTANT**: You can change the authentication mode from database to LDAP only if no local users have been added to the database. If there is at least one user other than `admin` in the Harbor database, you cannot change the authentication mode.
Because the users are managed by LDAP or AD, self-registration, creating users, deleting users, changing passwords, and resetting passwords are not supported in LDAP/AD authentication mode.
If you want to manage user authentication by using LDAP groups, you must enable the `memberof` feature on the LDAP/AD server. With the `memberof` feature, the LDAP/AD user entity's `memberof` attribute is updated when the group entity's `member` attribute is updated, for example by adding or removing an LDAP/AD user from the LDAP/AD group. This feature is enabled by default in Active Directory. For information about how to enable and verify `memberof` overlay in OpenLDAP, see [this technical note]( https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/).
1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.
1. Under **Administration**, go to **Configuration** and select the **Authentication** tab.
1. Use the **Auth Mode** drop-down menu to select **LDAP**.
![LDAP authentication](../../img/select_ldap_auth.png)
1. Enter the address of your LDAP server, for example `ldaps://10.162.16.194`.
1. Enter information about your LDAP server.
- **LDAP Search DN** and **LDAP Search Password**: When a user logs in to Harbor with their LDAP username and password, Harbor uses these values to bind to the LDAP/AD server. For example, `cn=admin,dc=example.com`.
- **LDAP Base DN**: Harbor looks up the user under the LDAP Base DN entry, including the subtree. For example, `dc=example.com`.
- **LDAP Filter**: The filter to search for LDAP/AD users. For example, `objectclass=user`.
- **LDAP UID**: An attribute, for example `uid`, or `cn`, that is used to match a user with the username. If a match is found, the user's password is verified by a bind request to the LDAP/AD server.
- **LDAP Scope**: The scope to search for LDAP/AD users. Select from **Subtree**, **Base**, and **OneLevel**.
![Basic LDAP configuration](../../img/ldap_auth.png)
1. If you want to manage user authentication with LDAP groups, configure the group settings.
- **LDAP Group Base DN**: The base DN from which to lookup a group in LDAP/AD. For example, `ou=groups,dc=example,dc=com`.
- **LDAP Group Filter**: The filter to search for LDAP/AD groups. For example, `objectclass=groupOfNames`.
- **LDAP Group GID**: The attribute used to name an LDAP/AD group. For example, `cn`.
- **LDAP Group Admin DN**: All LDAP/AD users in this group DN have Harbor system administrator privileges.
- **LDAP Group Membership**: The user attribute usd to identify a user as a member of a group. By default this is `memberof`.
- **LDAP Scope**: The scope to search for LDAP/AD groups. Select from **Subtree**, **Base**, and **OneLevel**.
![LDAP group configuration](../../img/ldap_groups.png)
1. Uncheck **LDAP Verify Cert** if the LDAP/AD server uses a self-signed or untrusted certificate.
![LDAP certificate verification](../../img/ldap_cert_test.png)
1. Click **Test LDAP Server** to make sure that your configuration is correct.
1. Click **Save** to complete the configuration.
----------
[Back to table of contents](../../_index.md)

View File

@ -1,80 +1,8 @@
[Back to table of contents](../_index.md)
[Back to table of contents](../../_index.md)
----------
# Authentication Modes and User Accounts
Harbor supports different modes for authenticating users and managing user accounts.
- [Database Authentication](#db_auth)
- [LDAP/Active Directory Authentication](#ldap_auth)
- [OIDC Provider Authentication](#oidc_auth)
**NOTE**: The Harbor interface offers an option to configure UAA authentication. This authentication mode is not recommended and is not documented in this guide.
<a id="db_auth"></a>
## Database Authentication
In database authentication mode, user accounts are stored in the local database. By default, only the Harbor system administrator can create user accounts to add users to Harbor. You can optionally configure Harbor to allow self-registration.
**IMPORTANT**: If you create users in the database, Harbor is locked in database mode. You cannot change to a different authentication mode after you have created local users.
1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.
1. Under **Administration**, go to **Configuration** and select the **Authentication** tab.
1. Leave **Auth Mode** set to the default **Database** option.
![Database authentication](../../img/db_auth.png)
1. Optionally select the **Allow Self-Registration** check box.
![Enable self-registration](../../img/new_self_reg.png)
If you enable self registration option, users can register themselves in Harbor. Self-registration is disabled by default. If you enable self-registration, unregistered users can sign up for a Harbor account by clicking **Sign up for an account** in the Harbor log in page.
![Enable self-registration](../../img/self-registration-login.png)
<a id="ldap_auth"></a>
## LDAP/Active Directory Authentication
If you select LDAP/AD authentication, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly. In this case, you do not create user accounts in Harbor.
**IMPORTANT**: You can change the authentication mode from database to LDAP only if no local users have been added to the database. If there is at least one user other than `admin` in the Harbor database, you cannot change the authentication mode.
Because the users are managed by LDAP or AD, self-registration, creating users, deleting users, changing passwords, and resetting passwords are not supported in LDAP/AD authentication mode.
If you want to manage user authentication by using LDAP groups, you must enable the `memberof` feature on the LDAP/AD server. With the `memberof` feature, the LDAP/AD user entity's `memberof` attribute is updated when the group entity's `member` attribute is updated, for example by adding or removing an LDAP/AD user from the LDAP/AD group. This feature is enabled by default in Active Directory. For information about how to enable and verify `memberof` overlay in OpenLDAP, see [this technical note]( https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/).
1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.
1. Under **Administration**, go to **Configuration** and select the **Authentication** tab.
1. Use the **Auth Mode** drop-down menu to select **LDAP**.
![LDAP authentication](../../img/select_ldap_auth.png)
1. Enter the address of your LDAP server, for example `ldaps://10.162.16.194`.
1. Enter information about your LDAP server.
- **LDAP Search DN** and **LDAP Search Password**: When a user logs in to Harbor with their LDAP username and password, Harbor uses these values to bind to the LDAP/AD server. For example, `cn=admin,dc=example.com`.
- **LDAP Base DN**: Harbor looks up the user under the LDAP Base DN entry, including the subtree. For example, `dc=example.com`.
- **LDAP Filter**: The filter to search for LDAP/AD users. For example, `objectclass=user`.
- **LDAP UID**: An attribute, for example `uid`, or `cn`, that is used to match a user with the username. If a match is found, the user's password is verified by a bind request to the LDAP/AD server.
- **LDAP Scope**: The scope to search for LDAP/AD users. Select from **Subtree**, **Base**, and **OneLevel**.
![Basic LDAP configuration](../../img/ldap_auth.png)
1. If you want to manage user authentication with LDAP groups, configure the group settings.
- **LDAP Group Base DN**: The base DN from which to lookup a group in LDAP/AD. For example, `ou=groups,dc=example,dc=com`.
- **LDAP Group Filter**: The filter to search for LDAP/AD groups. For example, `objectclass=groupOfNames`.
- **LDAP Group GID**: The attribute used to name an LDAP/AD group. For example, `cn`.
- **LDAP Group Admin DN**: All LDAP/AD users in this group DN have Harbor system administrator privileges.
- **LDAP Group Membership**: The user attribute usd to identify a user as a member of a group. By default this is `memberof`.
- **LDAP Scope**: The scope to search for LDAP/AD groups. Select from **Subtree**, **Base**, and **OneLevel**.
![LDAP group configuration](../../img/ldap_groups.png)
1. Uncheck **LDAP Verify Cert** if the LDAP/AD server uses a self-signed or untrusted certificate.
![LDAP certificate verification](../../img/ldap_cert_test.png)
1. Click **Test LDAP Server** to make sure that your configuration is correct.
1. Click **Save** to complete the configuration.
<a id="oidc_auth"></a>
## OIDC Provider Authentication
# OIDC Provider Authentication
If you select OpenID Connect (OIDC) authentication, users log in to the Harbor interface via an OIDC single sign-on (SSO) provider, such as Okta, KeyCloak, or dex. In this case, you do not create user accounts in Harbor.
@ -167,4 +95,4 @@ sh docker login -u testuser -p <i>cli_secret</i> jt-test.local.goharbor.io
----------
[Back to table of contents](../_index.md)
[Back to table of contents](../../_index.md)

View File

@ -4,3 +4,7 @@ Use the **Project Creation** drop-down menu to set which users can create projec
![browse project](../../img/new_proj_create.png)
[Set Project Quotas](set_project_quotas.md)
----------
[Back to table of contents](../_index.md)

View File

@ -1,3 +1,7 @@
[Back to table of contents](../_index.md)
----------
# Garbage Collection
When you delete images from Harbor, space is not automatically freed up. You must run garbage collection to free up space by removing blobs that are no longer referenced by a manifest from the file system.
@ -29,3 +33,7 @@ To avoid triggering the garbage collection process too frequently, the availabil
1. Select the **History** tab to view records of the 10 most recent garbage collection runs.
![Garbage collection history](../../img/gc_history.png)
1. Click on the **Logs** link to view the related logs.
----------
[Back to table of contents](../_index.md)

View File

@ -1,3 +1,7 @@
[Back to table of contents](../_index.md)
----------
# Set Project Quotas
To exercise control over resource use, as a Harbor system administrator you can set quotas on projects. You can limit the number of tags that a project can contain and limit the amount of storage capacity that a project can consume. You can set default quotas that apply to all projects globally.
@ -41,3 +45,7 @@ When setting project quotas, it is useful to know how Harbor calculates tag numb
- During garbage collection, Harbor frees the storage used by untagged blobs in the project.
- If the tag count reaches the limit, image blobs can be pushed into a project and storage usage is updated accordingly. You can consider these blobs to be untagged blobs. They can be removed by garbage collection, and the storage that they consume is returned after garbage colletion.
- Helm chart size is not calculated. Only tag counts are calculated.
-
----------
[Back to table of contents](../_index.md)

View File

@ -178,7 +178,7 @@ After setting up HTTPS for Harbor, you can verify the HTTPS connection by perfor
## What to Do Next ##
- If the verification succeeds, continue to set up Harbor by following the instructions in [Post-Installation Configuration](../configuration/_index.md) and [Initial Configuration in the Harbor UI](../configuration/initial_config_ui.md), or continue using Harbor.
- If the verification succeeds, see [Harbor Administration](../administration/_index.md) for information about using Harbor.
- If installation fails, see [Troubleshooting Harbor Installation
](troubleshoot_installation.md).

View File

@ -104,7 +104,7 @@ After you update `daemon.json`, you must restart both Docker Engine and Harbor.
## What to Do Next ##
- If the installation succeeds, continue to set up Harbor by following the instructions in [Post-Installation Configuration](../configuration/_index.md) and [Initial Configuration in the Harbor UI](../configuration/initial_config_ui.md).
- If the installation succeeds, see [Harbor Administration](../administration/_index.md) for information about using Harbor.
- If you deployed Harbor with HTTP and you want to secure the connections to Harbor, see [Configure HTTPS Access to Harbor](configure_https.md).
- If installation fails, see [Troubleshooting Harbor Installation
](troubleshoot_installation.md).