Merge pull request #5221 from stonezdj/admin_with_ldap_group
Add settings to define admin with ldap_group_admin_dn
commit
d65a7baf7e
@ -3494,6 +3494,9 @@ definitions:
|
|||||||
ldap_group_search_scope:
|
ldap_group_search_scope:
|
||||||
type: integer
|
type: integer
|
||||||
description: The scope to search ldap. '0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE'
|
description: The scope to search ldap. '0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE'
|
||||||
|
ldap_group_admin_dn:
|
||||||
|
type: string
|
||||||
|
description: Specify the ldap group which have the same privilege with Harbor admin.
|
||||||
project_creation_restriction:
|
project_creation_restriction:
|
||||||
type: string
|
type: string
|
||||||
description: >-
|
description: >-
|
||||||
|
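Review bot: The description of the new `ldap_group_admin_dn` property never says the value is a group DN, and its grammar is off ("which have the same privilege with"). Suggest `description: DN of the LDAP group whose members are granted Harbor admin privileges.` The enclosing `definitions:` object starts and ends outside the hunk.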
@ -61,3 +61,4 @@ REGISTRY_STORAGE_PROVIDER_NAME=$storage_provider_name
|
|||||||
READ_ONLY=false
|
READ_ONLY=false
|
||||||
SKIP_RELOAD_ENV_PATTERN=$skip_reload_env_pattern
|
SKIP_RELOAD_ENV_PATTERN=$skip_reload_env_pattern
|
||||||
RELOAD_KEY=$reload_key
|
RELOAD_KEY=$reload_key
|
||||||
|
LDAP_GROUP_ADMIN_DN=$ldap_group_admin_dn
|
@ -344,6 +344,8 @@ else:
|
|||||||
#Use reload_key to avoid reload config after restart harbor
|
#Use reload_key to avoid reload config after restart harbor
|
||||||
reload_key = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(6)) if reload_config == "true" else ""
|
reload_key = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(6)) if reload_config == "true" else ""
|
||||||
|
|
||||||
|
ldap_group_admin_dn = rcp.get("configuration", "ldap_group_admin_dn") if rcp.has_option("configuration", "ldap_group_admin_dn") else ""
|
||||||
|
|
||||||
render(os.path.join(templates_dir, "adminserver", "env"),
|
render(os.path.join(templates_dir, "adminserver", "env"),
|
||||||
adminserver_conf_env,
|
adminserver_conf_env,
|
||||||
reload_config=reload_config,
|
reload_config=reload_config,
|
||||||
@ -364,6 +366,7 @@ render(os.path.join(templates_dir, "adminserver", "env"),
|
|||||||
ldap_group_filter=ldap_group_filter,
|
ldap_group_filter=ldap_group_filter,
|
||||||
ldap_group_gid=ldap_group_gid,
|
ldap_group_gid=ldap_group_gid,
|
||||||
ldap_group_scope=ldap_group_scope,
|
ldap_group_scope=ldap_group_scope,
|
||||||
|
ldap_group_admin_dn=ldap_group_admin_dn,
|
||||||
db_password=db_password,
|
db_password=db_password,
|
||||||
db_host=db_host,
|
db_host=db_host,
|
||||||
db_user=db_user,
|
db_user=db_user,
|
||||||
|
@ -163,7 +163,8 @@ var (
|
|||||||
env: "READ_ONLY",
|
env: "READ_ONLY",
|
||||||
parse: parseStringToBool,
|
parse: parseStringToBool,
|
||||||
},
|
},
|
||||||
common.ReloadKey: "RELOAD_KEY",
|
common.ReloadKey: "RELOAD_KEY",
|
||||||
|
common.LdapGroupAdminDn: "LDAP_GROUP_ADMIN_DN",
|
||||||
}
|
}
|
||||||
|
|
||||||
// configurations need read from environment variables
|
// configurations need read from environment variables
|
||||||
|
@ -108,4 +108,5 @@ const (
|
|||||||
DefaultNotaryEndpoint = "http://notary-server:4443"
|
DefaultNotaryEndpoint = "http://notary-server:4443"
|
||||||
LdapGroupType = 1
|
LdapGroupType = 1
|
||||||
ReloadKey = "reload_key"
|
ReloadKey = "reload_key"
|
||||||
|
LdapGroupAdminDn = "ldap_group_admin_dn"
|
||||||
)
|
)
|
||||||
|
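Review bot: `LdapGroupAdminDn` spells the DN initialism differently from the struct field it feeds, `LdapGroupAdminDN` in the `LdapGroupConf` hunk, and from the sibling config keys `common.LDAPGroupBaseDN` / `common.LDAPGroupSearchScope` visible in the test config hunk. Go convention keeps an initialism in one case, so `LDAPGroupAdminDN = "ldap_group_admin_dn"` would match the existing `LDAPGroup*` keys; the neighbouring `LdapGroupType` shows the file is already mixed, so at minimum the `DN` suffix should agree with the struct field. The same identifier appears in the env-map hunk (`common.LdapGroupAdminDn: "LDAP_GROUP_ADMIN_DN"`), in the test config hunk and in the `LDAPGroupConf` hunk, so a rename touches all of them.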
@ -33,6 +33,7 @@ type LdapGroupConf struct {
|
|||||||
LdapGroupFilter string `json:"ldap_group_filter,omitempty"`
|
LdapGroupFilter string `json:"ldap_group_filter,omitempty"`
|
||||||
LdapGroupNameAttribute string `json:"ldap_group_name_attribute,omitempty"`
|
LdapGroupNameAttribute string `json:"ldap_group_name_attribute,omitempty"`
|
||||||
LdapGroupSearchScope int `json:"ldap_group_search_scope"`
|
LdapGroupSearchScope int `json:"ldap_group_search_scope"`
|
||||||
|
LdapGroupAdminDN string `json:"ldap_group_admin_dn,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// LdapUser ...
|
// LdapUser ...
|
||||||
|
@ -27,6 +27,7 @@ import (
|
|||||||
ldapUtils "github.com/vmware/harbor/src/common/utils/ldap"
|
ldapUtils "github.com/vmware/harbor/src/common/utils/ldap"
|
||||||
"github.com/vmware/harbor/src/common/utils/log"
|
"github.com/vmware/harbor/src/common/utils/log"
|
||||||
"github.com/vmware/harbor/src/ui/auth"
|
"github.com/vmware/harbor/src/ui/auth"
|
||||||
|
"github.com/vmware/harbor/src/ui/config"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Auth implements AuthenticateHelper interface to authenticate against LDAP
|
// Auth implements AuthenticateHelper interface to authenticate against LDAP
|
||||||
@ -84,8 +85,17 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
|
|||||||
return nil, auth.NewErrAuth(err.Error())
|
return nil, auth.NewErrAuth(err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//Retrieve ldap related info in login to avoid too many traffic with LDAP server.
|
||||||
|
//Get group admin dn
|
||||||
|
groupCfg, err := config.LDAPGroupConf()
|
||||||
|
groupAdminDN := strings.TrimSpace(groupCfg.LdapGroupAdminDN)
|
||||||
//Attach user group
|
//Attach user group
|
||||||
for _, groupDN := range ldapUsers[0].GroupDNList {
|
for _, groupDN := range ldapUsers[0].GroupDNList {
|
||||||
|
|
||||||
|
if len(groupAdminDN) > 0 && groupAdminDN == groupDN {
|
||||||
|
u.HasAdminRole = true
|
||||||
|
}
|
||||||
|
|
||||||
userGroupQuery := models.UserGroup{
|
userGroupQuery := models.UserGroup{
|
||||||
GroupType: 1,
|
GroupType: 1,
|
||||||
LdapGroupDN: groupDN,
|
LdapGroupDN: groupDN,
|
||||||
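Review bot: The error returned by `config.LDAPGroupConf()` is assigned to `err` but never checked, so a failed config load leaves `groupCfg` in whatever state the helper returns on error — presumably nil, since it returns a pointer — and the next line `groupCfg.LdapGroupAdminDN` dereferences it. Because the result decides whether the user receives `HasAdminRole`, fail closed right after the call: `if err != nil {` / `return nil, err` / `}` (or log and skip the admin check). Separately, the admin decision is an exact string comparison of the configured DN with the DNs the server returns; LDAP DNs are matched case-insensitively by attribute type (and usually by value), so a DN differing only in case or in spacing around `,` will not match — that fails closed (no admin) but is surprising, and deserves a comment on the `groupAdminDN == groupDN` line. `Authenticate` begins before this hunk.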
@ -210,7 +220,8 @@ func (l *Auth) PostAuthenticate(u *models.User) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
u.UserID = dbUser.UserID
|
u.UserID = dbUser.UserID
|
||||||
u.HasAdminRole = dbUser.HasAdminRole
|
//If user has admin role already, do not overwrite by user info in DB.
|
||||||
|
u.HasAdminRole = u.HasAdminRole || dbUser.HasAdminRole
|
||||||
|
|
||||||
if dbUser.Email != u.Email {
|
if dbUser.Email != u.Email {
|
||||||
Re := regexp.MustCompile(`^[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,4}$`)
|
Re := regexp.MustCompile(`^[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,4}$`)
|
||||||
|
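Review bot: `u.HasAdminRole = u.HasAdminRole || dbUser.HasAdminRole` makes admin a one-way flag on this path: whenever the stored user already has admin, the result is true regardless of what the LDAP group check decided, so removing a user from the admin group cannot revoke admin through login if the flag was ever persisted (whether this function writes it back is outside the hunk). That may be the intended policy, but it should be stated — the added comment only says the LDAP result is not overwritten. Suggest replacing it with `// Admin is granted by either source: keep the LDAP group result and never clear an admin flag already stored in the DB; revocation has to be done in the DB.` `PostAuthenticate` starts and ends outside the hunk.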
@ -69,6 +69,7 @@ var adminServerLdapTestConfig = map[string]interface{}{
|
|||||||
common.LDAPGroupBaseDN: "dc=example,dc=com",
|
common.LDAPGroupBaseDN: "dc=example,dc=com",
|
||||||
common.LDAPGroupAttributeName: "cn",
|
common.LDAPGroupAttributeName: "cn",
|
||||||
common.LDAPGroupSearchScope: 2,
|
common.LDAPGroupSearchScope: 2,
|
||||||
|
common.LdapGroupAdminDn: "cn=harbor_users,ou=groups,dc=example,dc=com",
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestMain(m *testing.M) {
|
func TestMain(m *testing.M) {
|
||||||
@ -181,6 +182,38 @@ func TestSearchUser(t *testing.T) {
|
|||||||
t.Errorf("Search user failed %v", user)
|
t.Errorf("Search user failed %v", user)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
func TestAuthenticateWithAdmin(t *testing.T) {
|
||||||
|
var person models.AuthModel
|
||||||
|
var authHelper *Auth
|
||||||
|
person.Principal = "mike"
|
||||||
|
person.Password = "zhu88jie"
|
||||||
|
user, err := authHelper.Authenticate(person)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("unexpected ldap authenticate fail: %v", err)
|
||||||
|
}
|
||||||
|
if user.Username != "mike" {
|
||||||
|
t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username)
|
||||||
|
}
|
||||||
|
if !user.HasAdminRole {
|
||||||
|
t.Errorf("ldap user mike should have admin role!")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
func TestAuthenticateWithoutAdmin(t *testing.T) {
|
||||||
|
var person models.AuthModel
|
||||||
|
var authHelper *Auth
|
||||||
|
person.Principal = "user001"
|
||||||
|
person.Password = "zhu88jie"
|
||||||
|
user, err := authHelper.Authenticate(person)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("unexpected ldap authenticate fail: %v", err)
|
||||||
|
}
|
||||||
|
if user.Username != "user001" {
|
||||||
|
t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username)
|
||||||
|
}
|
||||||
|
if user.HasAdminRole {
|
||||||
|
t.Errorf("ldap user user001 should not have admin role!")
|
||||||
|
}
|
||||||
|
}
|
||||||
func TestSearchUser_02(t *testing.T) {
|
func TestSearchUser_02(t *testing.T) {
|
||||||
var username = "nonexist"
|
var username = "nonexist"
|
||||||
var auth *Auth
|
var auth *Auth
|
||||||
|
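Review bot: In both `TestAuthenticateWithAdmin` and `TestAuthenticateWithoutAdmin` the `if err != nil` branch uses `t.Errorf`, which does not stop the test, so on an authentication failure `user` is nil and the following `user.Username` dereference panics instead of reporting the failure. Change both to `t.Fatalf("unexpected ldap authenticate fail: %v", err)`. The nil `*Auth` receiver (`var authHelper *Auth`) follows the existing `TestSearchUser_02` pattern, so it is presumably fine for these methods.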
@ -249,6 +249,9 @@ func LDAPGroupConf() (*models.LdapGroupConf, error) {
|
|||||||
ldapGroupConf.LdapGroupSearchScope = int(scopeFloat)
|
ldapGroupConf.LdapGroupSearchScope = int(scopeFloat)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if _, ok := cfg[common.LdapGroupAdminDn]; ok {
|
||||||
|
ldapGroupConf.LdapGroupAdminDN = cfg[common.LdapGroupAdminDn].(string)
|
||||||
|
}
|
||||||
return ldapGroupConf, nil
|
return ldapGroupConf, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
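Review bot: `cfg[common.LdapGroupAdminDn].(string)` is an unchecked type assertion: the presence check on the line above guards only the key, so a value of another type (for example a JSON `null` decoded into the map, which the earlier `scopeFloat` handling suggests is how this map is filled) panics inside a config getter that runs during login. Use the comma-ok form and fold the two lookups into one: `if v, ok := cfg[common.LdapGroupAdminDn].(string); ok {` / `ldapGroupConf.LdapGroupAdminDN = v` / `}`. `LDAPGroupConf` begins before this hunk.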