merge with master

2024-11-26 20:26:13 +01:00 · 2016-08-10 15:34:23 +08:00 · 2016-08-10 15:34:23 +08:00 · c683be1c64
commit c683be1c64
parent 954c38a225 6fe9167e4b
13 changed files with 199 additions and 16 deletions
--- a/Deploy/config/nginx/nginx.https.conf
+++ b/Deploy/config/nginx/nginx.https.conf
@ -89,6 +89,6 @@ http {
    server {
      listen 80;
      server_name harbordomain.com;
-      rewrite ^/(.*) https://$server_name/$1 permanent;
+      rewrite ^/(.*) https://$server_name:443/$1 permanent;
  } 
 }
--- a/Deploy/harbor.cfg
+++ b/Deploy/harbor.cfg
@ -48,6 +48,9 @@ max_job_workers = 3
 #**NOTE** if this changes, previously encrypted password will not be decrypted!
 secret_key = secretkey1234567

+#The expiration of token used by token service, default is 30 minutes
+token_expiration = 30
+
 #Determine whether the job service should verify the ssl cert when it connects to a remote registry.
 #Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
 verify_remote_cert = on
--- a/Deploy/prepare
+++ b/Deploy/prepare
@ -54,6 +54,7 @@ crt_organizationalunit = rcp.get("configuration", "crt_organizationalunit")
 crt_commonname = rcp.get("configuration", "crt_commonname")
 crt_email = rcp.get("configuration", "crt_email")
 max_job_workers = rcp.get("configuration", "max_job_workers")
+token_expiration = rcp.get("configuration", "token_expiration")
 verify_remote_cert = rcp.get("configuration", "verify_remote_cert")
 secret_key = rcp.get("configuration", "secret_key")
 ########
@ -109,7 +110,8 @@ render(os.path.join(templates_dir, "ui", "env"),
 	use_compressed_js=use_compressed_js,
        ui_secret=ui_secret,
        secret_key=secret_key,
-	verify_remote_cert=verify_remote_cert)
+	verify_remote_cert=verify_remote_cert,
+	token_expiration=token_expiration)

 render(os.path.join(templates_dir, "ui", "app.conf"),
        ui_conf,
--- a/Deploy/templates/ui/env
+++ b/Deploy/templates/ui/env
@ -20,3 +20,4 @@ GODEBUG=netdns=cgo
 EXT_ENDPOINT=$ui_url
 TOKEN_URL=http://ui
 VERIFY_REMOTE_CERT=$verify_remote_cert
+TOKEN_EXPIRATION=$token_expiration
--- a/README.md
+++ b/README.md
@ -66,6 +66,9 @@ If you are upgrading Harbor from an older version with existing data, you need t
 ### Run
 For information on how to use Harbor, please take a look at [User Guide](docs/user_guide.md).

+### Community
+Get connected with Project Harbor's community and sign up with VMware {code} [https://code.vmware.com/join/](https://code.vmware.com/join/) to get invited to VMware {code} Slack group, Channel: #harbor.
+
 ### Contribution
 We welcome contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a pull request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).

--- a/api/user.go
+++ b/api/user.go
@ -239,6 +239,11 @@ func (ua *UserAPI) Delete() {
 		ua.RenderError(http.StatusForbidden, "User does not have admin role")
 		return
 	}
+
+	if ua.currentUserID == ua.userID {
+		ua.CustomAbort(http.StatusForbidden, "can not delete yourself")
+	}
+
 	var err error
 	err = dao.DeleteUser(ua.userID)
 	if err != nil {
--- a/contrib/prebuild-install/README.md
+++ b/contrib/prebuild-install/README.md
@ -1 +1,23 @@
-docker-compose.sh is used to configure docker-compose.yml to pull images from platform like docker hub, daocloud.io and others. If you don't want to waste time on building images, you can execute this script to pull images from platform you prefer. Currently, we only support daocloud.io and docker hub, the default is docker hub. 
+## Make use of pre-built images of Harbor
+
+Community members have helped building Harbor's docker images. If you want to save time from building Harbor from source, please follow the below instructions to quickly pull Harbor's pre-built images for installation. 
+
+### Steps
+
+Run the command `update_compose.sh` :
+```
+$ ./update_compose.sh 
+ 
+Please enter the registry service you want to pull the pre-built images from.
+Enter 1 for Docker Hub.
+Enter 2 for Daocloud.io (recommended for Chinese users).
+or enter other registry URL such as https://my_registry/harbor/ .
+The default is 1 (Docker Hub): 
+```
+
+Enter **1** to pull images from Docker Hub,  
+Enter **2** to pull image from Daocloud.io, recommended for Chinese users.  
+or Enter other registry URL like `https://my_registry/harbor/` . Do not forget the "/" and the end.
+
+This command backs up and updates the file `Deploy/docker-compose.yml` . Next, just follow the [Harbor Installation Guide](../../docs/installation_guide.md) to install Harbor. 
+
--- a/contrib/prebuild-install/update_compose.sh
+++ b/contrib/prebuild-install/update_compose.sh
@ -1,5 +1,12 @@
 #/bin/bash
-read -p "Please input the platform name you want to pull images, for docker hub, enter 1; for daocloud.io, enter 2, otherwise enter the name of the platform, the default is 1:" choice 
+
+echo " "
+echo "Please enter the registry service you want to pull the pre-built images from."
+echo "Enter 1 for Docker Hub."
+echo "Enter 2 for Daocloud.io (recommended for Chinese users)."
+echo "or enter other registry URL such as https://my_registry/harbor/ ."
+read -p "The default is 1 (Docker Hub): " choice
+
 cd ../../Deploy
 template_file="docker-compose.yml.template"
 yml_file='docker-compose.yml'
@ -29,4 +36,6 @@ sed -i -- '/build: .\/log\//c\    image: '$platform$log$version'' $yml_file
 sed -i -- '/build: .\/db\//c\    image: '$platform$db$version'' $yml_file
 sed -i -- '/ui:/{n;N;N;d}' $yml_file && sed -i -- '/ui:/a\\    image: '$platform$ui$version'' $yml_file
 sed -i -- '/jobservice:/{n;N;N;d}' $yml_file && sed -i -- '/jobservice:/a\\    image: '$platform$job_service$version'' $yml_file
-echo "succeed! "
+echo "Succeeded! "
+echo "Please follow the normal installation process to install Harbor."
+
--- a/docs/configure_https.md
+++ b/docs/configure_https.md
@ -14,7 +14,10 @@ In a test or development environment, you may choose to use a self-signed certif
    -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
    -x509 -days 365 -out ca.crt
 ```
-2) Generate a Certificate Signing Request, be sure to use **reg.yourdomain.com** as the CN (Common Name):
+2) Generate a Certificate Signing Request:
+
+If you use FQDN like **reg.yourdomain.com** to connect your registry host, then you must use **reg.yourdomain.com** as CN (Common Name). 
+Otherwise, if you use IP address to connect your registry host, CN can be anything like your name and so on:
 ```
  openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout yourdomain.com.key \
@ -22,7 +25,7 @@ In a test or development environment, you may choose to use a self-signed certif
 ```
 3) Generate the certificate of your registry host:

-You need to configure openssl first. On Ubuntu, the config file locates at **/etc/ssl/openssl.cnf**. Refer to openssl document for more information. The default CA directory of openssl is called demoCA. Let's create necessary directories and files:
+On Ubuntu, the config file of openssl locates at **/etc/ssl/openssl.cnf**. Refer to openssl document for more information. The default CA directory of openssl is called demoCA. Let's create necessary directories and files:
 ```
  mkdir demoCA
  cd demoCA
@ -30,11 +33,17 @@ You need to configure openssl first. On Ubuntu, the config file locates at **/et
  echo '01' > serial
  cd ..
 ```
-Then run this command to generate the certificate of your registry host:
+If you're using FQDN like **reg.yourdomain.com** to connect your registry host, then run this command to generate the certificate of your registry host:
 ```
  openssl ca -in yourdomain.com.csr -out yourdomain.com.crt -cert ca.crt -keyfile ca.key -outdir .
 ```
+If you're using **IP** to connect your registry host, you may instead run the command below:
+```
+  
+  echo subjectAltName = IP:your registry host IP > extfile.cnf

+  openssl ca -in yourdomain.com.csr -out yourdomain.com.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -outdir .
+```
 ##Configuration of Nginx
 After obtaining the **yourdomain.com.crt** and **yourdomain.com.key** files, change the directory to Deploy/config/nginx in Harbor project.
 ```
@ -54,7 +63,7 @@ Copy the template **nginx.https.conf** as the new configuration file:
 ```
  cp nginx.https.conf nginx.conf
 ```
-Edit the file nginx.conf and replace two occurrences of **harbordomain.com** to your own host name, such as reg.yourdomain.com .
+Edit the file nginx.conf and replace two occurrences of **harbordomain.com** to your own host name, such as reg.yourdomain.com . If you use a customized port rather than the default port 443, replace the port "443" in the line "rewrite ^/(.*) https://$server_name:443/$1 permanent;" as well. Please refer to the [installation guide](https://github.com/vmware/harbor/blob/master/docs/installation_guide.md) for other required steps of port customization.  
 ```
  server {
    listen 443 ssl;
@ -65,7 +74,7 @@ Edit the file nginx.conf and replace two occurrences of **harbordomain.com** to
  server {
    listen 80;
    server_name harbordomain.com;
-    rewrite ^/(.*) https://$server_name$1 permanent;
+    rewrite ^/(.*) https://$server_name:443/$1 permanent;
 ```
 Then look for the SSL section to make sure the files of your certificates match the names in the config file. Do not change the path of the files.
 ```
@ -99,14 +108,22 @@ Finally, restart Harbor:
 ```
  docker-compose up -d
 ```
-After setting up HTTPS for Harbor, you can verify it by the follow steps:
+After setting up HTTPS for Harbor, you can verify it by the following steps:

 1. Open a browser and enter the address: https://reg.yourdomain.com . It should display the user interface of Harbor.

-2. On a machine with Docker daemon, make sure the option "-insecure-registry" does not present, run any docker command to verify the setup, e.g. 
+2. On a machine with Docker daemon, make sure the option "-insecure-registry" does not present, and you must copy ca.crt generated in the above step to /etc/docker/certs.d/yourdomain.com(or your registry host IP), if the directory does not exist, create it.
+If you mapped nginx port 443 to another port, then you should instead create the directory /etc/docker/certs.d/yourdomain.com:port(or your registry host IP:port). Then run any docker command to verify the setup, e.g. 
+
 ```
  docker login reg.yourdomain.com
 ```
+If you've mapped nginx 443 port to another, you need to add the port to login, like below:
+
+```
+  docker login reg.yourdomain.com:port
+```
+
 ##Troubleshooting
 1. You may get an intermediate certificate from a certificate issuer. In this case, you should merge the intermediate certificate with your own certificate to create a certificate bundle. You can achieve this by the below command:  
    ```
@ -124,4 +141,4 @@ After setting up HTTPS for Harbor, you can verify it by the follow steps:
    cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/reg.yourdomain.com.crt
    update-ca-trust
    ```
-    
+    
--- a/docs/installation_guide.md
+++ b/docs/installation_guide.md
@ -277,6 +277,102 @@ Please check the [Docker Compose command-line reference](https://docs.docker.com
 By default, registry data is persisted in the target host's `/data/` directory.  This data remains unchanged even when Harbor's containers are removed and/or recreated.
 In addition, Harbor uses `rsyslog` to collect the logs of each container. By default, these log files are stored in the directory `/var/log/harbor/` on the target host.  

+## Configuring Harbor listening on a customized port
+By default, Harbor listens on port 80(HTTP) and 443(HTTPS, if configured) for both admin portal and docker commands, you can configure it with a customized one.  
+
+### For HTTP protocol
+
+1.Modify Deploy/docker-compose.yml  
+Replace the first "80" to a customized port, e.g. 8888:80.  
+
+```
+proxy:
+    image: library/nginx:1.9
+    restart: always
+    volumes:
+      - ./config/nginx:/etc/nginx
+    ports:
+      - 8888:80
+      - 443:443
+    depends_on:
+      - mysql
+      - registry
+      - ui
+      - log
+    logging:
+      driver: "syslog"
+      options:  
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "proxy"
+```
+
+2.Modify Deploy/templates/registry/config.yml  
+Add the customized port, e.g. ":8888", after "$ui_url".  
+
+```  
+auth:
+  token:
+    issuer: registry-token-issuer
+    realm: $ui_url:8888/service/token
+    rootcertbundle: /etc/registry/root.crt
+    service: token-service
+```
+
+3.Execute Deploy/prepare script and start/restart Harbor.  
+```sh
+$ cd Deploy
+$ ./prepare
+# If Harbor has already been installed, shutdown it first:
+$ docker-compose down
+$ docker-compose up -d
+```
+### For HTTPS protocol
+1.Enable HTTPS in Harbor by following this [guide](https://github.com/vmware/harbor/blob/master/docs/configure_https.md).  
+2.Modify Deploy/docker-compose.yml  
+Replace the first "443" to a customized port, e.g. 4443:443.  
+
+```
+proxy:
+    image: library/nginx:1.9
+    restart: always
+    volumes:
+      - ./config/nginx:/etc/nginx
+    ports:
+      - 80:80
+      - 4443:443
+    depends_on:
+      - mysql
+      - registry
+      - ui
+      - log
+    logging:
+      driver: "syslog"
+      options:  
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "proxy"
+```
+
+3.Modify Deploy/templates/registry/config.yml  
+Add the customized port, e.g. ":4443", after "$ui_url".  
+
+```  
+auth:
+  token:
+    issuer: registry-token-issuer
+    realm: $ui_url:4443/service/token
+    rootcertbundle: /etc/registry/root.crt
+    service: token-service
+```
+
+4.Execute Deploy/prepare script and start/restart Harbor.  
+```sh
+$ cd Deploy
+$ ./prepare
+# If Harbor has already been installed, shutdown it first:
+$ docker-compose down
+$ docker-compose up -d
+```
+
 ## Troubleshooting
 1.When setting up Harbor behind an nginx proxy or elastic load balancing, look for the line below, in `Deploy/config/nginx/nginx.conf` and remove it from the sections if the proxy already has similar settings: `location /`, `location /v2/` and `location /service/`.
 ```
--- a/docs/swagger.yaml
+++ b/docs/swagger.yaml
@ -765,7 +765,7 @@ definitions:
        type: integer
        format: int32
        description: The owner ID of the project always means the creator of the project.
-      name:
+      project_name:
        type: string
        description: The name of the project.
      creation_time:
--- a/service/token/authutils.go
+++ b/service/token/authutils.go
@ -21,6 +21,8 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"os"
+	"strconv"
 	"strings"
 	"time"

@ -34,9 +36,32 @@ import (
 const (
 	issuer     = "registry-token-issuer"
 	privateKey = "/etc/ui/private_key.pem"
-	expiration = 5 //minute
 )

+var (
+	expiration = 30 //minutes
+)
+
+func init() {
+	// TODO read it from config
+	expi := os.Getenv("TOKEN_EXPIRATION")
+	if len(expi) != 0 {
+		i, err := strconv.Atoi(expi)
+		if err != nil {
+			log.Errorf("failed to parse token expiration: %v, using default value: %d minutes", err, expiration)
+			return
+		}
+
+		if i <= 0 {
+			log.Warningf("invalid token expiration, using default value: %d minutes", expiration)
+			return
+		}
+
+		expiration = i
+	}
+	log.Infof("token expiration: %d minutes", expiration)
+}
+
 // GetResourceActions ...
 func GetResourceActions(scopes []string) []*token.ResourceActions {
 	log.Debugf("scopes: %+v", scopes)
--- a/static/resources/js/components/user/toggle-admin.directive.js
+++ b/static/resources/js/components/user/toggle-admin.directive.js
@ -28,7 +28,7 @@
    vm.isAdmin = (vm.hasAdminRole === 1);
    vm.enabled = vm.isAdmin ? 0 : 1;
    vm.toggle = toggle;
-    vm.editable = (vm.currentUser.user_id != vm.userId);
+    vm.editable = (vm.currentUser.user_id !== Number(vm.userId));
    
    function toggle() {
      ToggleAdminService(vm.userId, vm.enabled)