diff --git a/Makefile b/Makefile index 86a4a7beb..189878154 100644 --- a/Makefile +++ b/Makefile @@ -286,17 +286,21 @@ package_online: modify_composefile fi @cp LICENSE $(HARBORPKG)/LICENSE @cp NOTICE $(HARBORPKG)/NOTICE + @cp tools/migration/migration_cfg/upgrade $(HARBORPKG)/upgrade + @cp tools/migration/migration_cfg/harbor_1_1_0_template $(HARBORPKG)/harbor_1_1_0_template @if [ "$(NOTARYFLAG)" = "true" ] ; then \ $(TARCMD) -zcvf harbor-online-installer-$(GITTAGVERSION).tgz \ $(HARBORPKG)/common/templates $(HARBORPKG)/prepare \ $(HARBORPKG)/LICENSE $(HARBORPKG)/NOTICE \ + $(HARBORPKG)/upgrade $(HARBORPKG)/harbor_1_1_0_template \ $(HARBORPKG)/install.sh $(HARBORPKG)/$(DOCKERCOMPOSEFILENAME) \ $(HARBORPKG)/harbor.cfg $(HARBORPKG)/$(DOCKERCOMPOSENOTARYFILENAME); \ else \ $(TARCMD) -zcvf harbor-online-installer-$(GITTAGVERSION).tgz \ $(HARBORPKG)/common/templates $(HARBORPKG)/prepare \ $(HARBORPKG)/LICENSE $(HARBORPKG)/NOTICE \ + $(HARBORPKG)/upgrade $(HARBORPKG)/harbor_1_1_0_template \ $(HARBORPKG)/install.sh $(HARBORPKG)/$(DOCKERCOMPOSEFILENAME) \ $(HARBORPKG)/harbor.cfg ; \ fi @@ -310,6 +314,8 @@ package_offline: compile build modify_sourcefiles modify_composefile @cp LICENSE $(HARBORPKG)/LICENSE @cp NOTICE $(HARBORPKG)/NOTICE + @cp tools/migration/migration_cfg/upgrade $(HARBORPKG)/upgrade + @cp tools/migration/migration_cfg/harbor_1_1_0_template $(HARBORPKG)/harbor_1_1_0_template @echo "pulling nginx and registry..." @$(DOCKERPULL) vmware/registry:$(REGISTRYVERSION) @@ -346,12 +352,14 @@ package_offline: compile build modify_sourcefiles modify_composefile $(HARBORPKG)/common/templates $(HARBORPKG)/$(DOCKERIMGFILE).$(VERSIONTAG).tar.gz \ $(HARBORPKG)/prepare $(HARBORPKG)/NOTICE \ $(HARBORPKG)/LICENSE $(HARBORPKG)/install.sh \ + $(HARBORPKG)/upgrade $(HARBORPKG)/harbor_1_1_0_template \ $(HARBORPKG)/harbor.cfg $(HARBORPKG)/$(DOCKERCOMPOSEFILENAME) \ $(HARBORPKG)/$(DOCKERCOMPOSENOTARYFILENAME) ; \ else \ $(TARCMD) -zcvf harbor-offline-installer-$(GITTAGVERSION).tgz \ $(HARBORPKG)/common/templates $(HARBORPKG)/$(DOCKERIMGFILE).$(VERSIONTAG).tar.gz \ $(HARBORPKG)/prepare $(HARBORPKG)/NOTICE \ + $(HARBORPKG)/upgrade $(HARBORPKG)/harbor_1_1_0_template \ $(HARBORPKG)/LICENSE $(HARBORPKG)/install.sh \ $(HARBORPKG)/harbor.cfg $(HARBORPKG)/$(DOCKERCOMPOSEFILENAME) ; \ fi diff --git a/docs/installation_guide.md b/docs/installation_guide.md index 587665a45..a3d5342b2 100644 --- a/docs/installation_guide.md +++ b/docs/installation_guide.md @@ -10,7 +10,7 @@ All installers can be downloaded from the **[official release](https://github.co This guide describes the steps to install and configure Harbor by using the online or offline installer. The installation processes are almost the same. -If you run a previous version of Harbor, you may need to migrate the data to fit the new database schema. For more details, please refer to **[Data Migration Guide](migration_guide.md)**. +If you run a previous version of Harbor, you may need to update ```harbor.cfg``` and migrate the data to fit the new database schema. For more details, please refer to **[Harbor Migration Guide](migration_guide.md)**. In addition, the deployment instructions on Kubernetes has been created by the community. Refer to [Harbor on Kubernetes](kubernetes_deployment.md) for details. @@ -46,8 +46,14 @@ Offline installer: Configuration parameters are located in the file **harbor.cfg**. There are two categories of parameters in harbor.cfg, **required parameters** and **optional parameters**. -* **required parameters**: These parameters are required to be set in the configuration file, and they will take effect if a user updates them in harbor.cfg, rerun the ```install.sh``` script to reinstall Harbor. -* **optional parameters**: These parameters are optional, and only take effect in the initial installation. The user can leave them blank and update them on Web UI after Harbor is started. Subsequent update to these parameters in ```harbor.cfg``` will be ignored. +* **required parameters**: These parameters are required to be set in the configuration file. They will take effect if a user updates them in ```harbor.cfg``` and run the ```install.sh``` script to reinstall Harbor. +* **optional parameters**: These parameters are optional. If they are set in ```harbor.cfg```, they only take effect in the first launch of Harbor. +Subsequent update to these parameters in ```harbor.cfg``` will be ignored. +The user can leave them blank and update them on Web UI after Harbor is started. + + **Note:** If you choose to set these parameters via the UI, be sure to do so right after Harbor +is started. In particular, you must set the desired **auth_mode** before registering or creating any new users in Harbor. When there are users in the system (besides the default admin user), +**auth_mode** cannot be changed. The parameters are described below - note that at the very least, you will need to change the **hostname** attribute. @@ -72,7 +78,11 @@ The parameters are described below - note that at the very least, you will need * email_ssl = false * **harbor_admin_password**: The administrator's initial password. This password only takes effect for the first time Harbor launches. After that, this setting is ignored and the administrator's password should be set in the UI. _Note that the default username/password are **admin/Harbor12345** ._ -* **auth_mode**: The type of authentication that is used. By default, it is **db_auth**, i.e. the credentials are stored in a database. For LDAP authentication, set this to **ldap_auth**. +* **auth_mode**: The type of authentication that is used. By default, it is **db_auth**, i.e. the credentials are stored in a database. +For LDAP authentication, set this to **ldap_auth**. + + **IMPORTANT:** When upgrading from an existing Harbor instance, you must make sure **auth_mode** is the same in ```harbor.cfg``` before launching the new version of Harbor. Otherwise, users +may not be able to log in after the upgrade. * **ldap_url**: The LDAP endpoint URL (e.g. `ldaps://ldap.mydomain.com`). _Only used when **auth_mode** is set to *ldap_auth* ._ * **ldap_searchdn**: The DN of a user who has the permission to search an LDAP/AD server (e.g. `uid=admin,ou=people,dc=mydomain,dc=com`). * **ldap_search_pwd**: The password of the user specified by *ldap_searchdn*. @@ -110,14 +120,14 @@ _NOTE: For detailed information on storage backend of a registry, refer to [Regi #### Finishing installation and starting Harbor Once **harbor.cfg** and storage backend (optional) are configured, install and start Harbor using the ```install.sh``` script. Note that it may take some time for the online installer to download Harbor images from Docker hub. -##### Default installation -After version 1.1.0, Harbor has integrated with Notary, but by default the installation does not include notary support. +##### Default installation (without Notary) +After version 1.1.0, Harbor has integrated with Notary, but by default the installation does not include Notary service. ```sh $ sudo ./install.sh ``` -If everything worked properly, you should be able to open a browser to visit the admin portal at **http://reg.yourdomain.com** (change *reg.yourdomain.com* to the hostname configured in your harbor.cfg). Note that the default administrator username/password are admin/Harbor12345 . +If everything worked properly, you should be able to open a browser to visit the admin portal at **http://reg.yourdomain.com** (change *reg.yourdomain.com* to the hostname configured in your ```harbor.cfg```). Note that the default administrator username/password are admin/Harbor12345 . Log in to the admin portal and create a new project, e.g. `myproject`. You can then use docker commands to login and push images (By default, the registry server listens on port 80): ```sh @@ -127,13 +137,13 @@ $ docker push reg.yourdomain.com/myproject/myrepo:mytag **IMPORTANT:** The default installation of Harbor uses _HTTP_ - as such, you will need to add the option `--insecure-registry` to your client's Docker daemon and restart the Docker service. ##### Installation with Notary -To install Harbor with Notary support, add a parameter when you run ```install.sh``` +To install Harbor with Notary service, add a parameter when you run ```install.sh```: ```sh $ sudo ./install.sh --with-notary ``` -**Note**: For installation with Notary the parameter "ui_url_protocol" must be set to "https", for configuring HTTPS certificate please refer to the following sections. +**Note**: For installation with Notary the parameter **ui_url_protocol** must be set to "https". For configuring HTTPS please refer to the following sections. -More information about Notary and Docker Content Trust, please refer to docker's documentation: +More information about Notary and Docker Content Trust, please refer to Docker's documentation: https://docs.docker.com/engine/security/trust/content_trust/ For information on how to use Harbor, please refer to **[User Guide of Harbor](user_guide.md)** . @@ -166,7 +176,7 @@ Starting registry ... done Starting proxy ... done ``` -To change Harbor's configuration, first stop existing Harbor instance, update harbor.cfg, and then run prepare script to populate the configuration, and then re-create and start Harbor's instance: +To change Harbor's configuration, first stop existing Harbor instance and update ```harbor.cfg```. Then run ```prepare``` script to populate the configuration. Finally re-create and start Harbor's instance: ``` $ sudo docker-compose down -v $ vim harbor.cfg @@ -187,11 +197,11 @@ $ rm -r /data/registry #### _Managing lifecycle of Harbor when it's installed with Notary_ -When Harbor is installed with Notary, user needs to add extra template file ```docker-compose.notary.yml``` to docker-compose command, so the docker-compose commands to manage the lifecycle of Harbor will be: +When Harbor is installed with Notary, an extra template file ```docker-compose.notary.yml``` is needed for docker-compose commands. The docker-compose commands to manage the lifecycle of Harbor are: ``` $ sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml [ up|down|ps|stop|start ] ``` -For example, if user want's to change ```harbor.cfg``` and re-deploy Harbor when it's installed with Notary, the following commands should be used: +For example, if you want to change configuration in ```harbor.cfg``` and re-deploy Harbor when it's installed with Notary, the following commands should be used: ```sh $ sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml down -v $ vim harbor.cfg @@ -202,7 +212,7 @@ $ sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml up Please check the [Docker Compose command-line reference](https://docs.docker.com/compose/reference/) for more on docker-compose. ### Persistent data and log files -By default, registry data is persisted in the target host's `/data/` directory. This data remains unchanged even when Harbor's containers are removed and/or recreated. +By default, registry data is persisted in the host's `/data/` directory. This data remains unchanged even when Harbor's containers are removed and/or recreated. In addition, Harbor uses *rsyslog* to collect the logs of each container. By default, these log files are stored in the directory `/var/log/harbor/` on the target host for troubleshooting. diff --git a/docs/migration_guide.md b/docs/migration_guide.md index 081fb0875..7d5bc8194 100644 --- a/docs/migration_guide.md +++ b/docs/migration_guide.md @@ -1,6 +1,6 @@ # Harbor upgrade and database migration guide -When upgrading your existing Habor instance to a newer version, you may need to migrate the data in your database. Refer to [change log](../migration/changelog.md) to find out whether there is any change in the database. If there is, you should go through the database migration process. Since the migration may alter the database schema, you should **always** back up your data before any migration. +When upgrading your existing Habor instance to a newer version, you may need to migrate the data in your database. Refer to [change log](../migration/changelog.md) to find out whether there is any change in the database. If there is, you should go through the database migration process. Since the migration may alter the database schema, you should **always** back up your data before any migration. *If your install Harbor for the first time, or the database version is the same as that of the lastest version, you do not need any database migration.* @@ -11,7 +11,7 @@ When upgrading your existing Habor instance to a newer version, you may need to 1. Log in to the host that Harbor runs on, stop and remove existing Harbor instance if it is still running: - ``` + ``` cd harbor docker-compose down ``` @@ -24,7 +24,7 @@ When upgrading your existing Habor instance to a newer version, you may need to 3. Get the lastest Harbor release package from Github: https://github.com/vmware/harbor/releases - + 4. Before upgrading Harbor, perform database migration first. The migration tool is delivered as a docker image, so you should pull the image from docker hub: ``` @@ -43,20 +43,32 @@ When upgrading your existing Habor instance to a newer version, you may need to docker run -ti --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql vmware/harbor-db-migrator up head ``` -7. Unzip the new Harbor package and change to `./harbor` as the working directory. Configure Harbor by modifying the file `harbor.cfg`, -you may need to refer to the configuration files you've backed up during step 2. -Refer to [Installation & Configuration Guide ](../docs/installation_guide.md) for more information. -Since the content and format of `harbor.cfg` may have been changed in the new release, **DO NOT directly copy `harbor.cfg` from previous version of Harbor.** +7. Unzip the new Harbor package and change to `./harbor` as the working directory. Configure Harbor by modifying the file `harbor.cfg`, + - Configure Harbor by modifying the file `harbor.cfg`, +you may need to refer to the configuration files you've backed up during step 2. +Refer to [Installation & Configuration Guide ](../docs/installation_guide.md) for more information. +Since the content and format of `harbor.cfg` may have been changed in the new release, **DO NOT directly copy `harbor.cfg` from previous version of Harbor.** + + **IMPORTANT:** If you are upgrading a Harbor instance with LDAP/AD authentication, +you must make sure **auth_mode** is set to **ldap_auth** in `harbor.cfg` before launching the new version of Harbor. Otherwise, users may not be able to log in after the upgrade. + + - To assist you in migrating the `harbor.cfg` file from v0.5.0 to v1.1.x, a script is provided and described as below. For other versions of Harbor, you need to manually migrate the file `harbor.cfg`. + + ``` + cd harbor + ./upgrade --source-loc source_harbor_cfg_loc --source-version 0.5.0 --target-loc target_harbor_cfg_loc --target-version 1.1.x + ``` + **NOTE:** After running the script, make sure you go through `harbor.cfg` to verify all the settings are correct. You can make changes to `harbor.cfg` as needed. 8. Under the directory `./harbor`, run the `./install.sh` script to install the new Harbor instance. - + ### Roll back from an upgrade For any reason, if you want to roll back to the previous version of Harbor, follow the below steps: 1. Stop and remove the current Harbor service if it is still running. - ``` + ``` cd harbor docker-compose down ``` @@ -67,11 +79,11 @@ For any reason, if you want to roll back to the previous version of Harbor, foll ``` 3. Remove current Harbor instance. - ``` + ``` rm -rf harbor ``` -4. Restore the older version package of Harbor. +4. Restore the older version package of Harbor. ```sh mv /tmp/harbor harbor ``` @@ -88,13 +100,12 @@ For any reason, if you want to roll back to the previous version of Harbor, foll cd harbor docker-compose up --build -d ``` - + ### Migration tool reference - Use `help` command to show instructions of the migration tool: ```docker run --rm -e DB_USR=root -e DB_PWD=xxxx vmware/harbor-db-migrator help``` - + - Use `test` command to test mysql connection: ```docker run --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql vmware/harbor-db-migrator test``` - diff --git a/src/common/dao/dao_test.go b/src/common/dao/dao_test.go index d3ea777b4..8f40406f2 100644 --- a/src/common/dao/dao_test.go +++ b/src/common/dao/dao_test.go @@ -22,6 +22,7 @@ import ( "github.com/astaxie/beego/orm" //"github.com/vmware/harbor/src/common/config" + "github.com/stretchr/testify/assert" "github.com/vmware/harbor/src/common/models" "github.com/vmware/harbor/src/common/utils" "github.com/vmware/harbor/src/common/utils/log" @@ -402,6 +403,10 @@ func TestGetUser(t *testing.T) { if currentUser.Email != "tester01@vmware.com" { t.Errorf("the user's email does not match, expected: tester01@vmware.com, actual: %s", currentUser.Email) } + + queryUser = models.User{} + _, err = GetUser(queryUser) + assert.NotNil(t, err) } func TestListUsers(t *testing.T) { diff --git a/src/common/dao/user.go b/src/common/dao/user.go index 8f757a8a8..46f7fe29a 100644 --- a/src/common/dao/user.go +++ b/src/common/dao/user.go @@ -60,6 +60,10 @@ func GetUser(query models.User) (*models.User, error) { return nil, nil } + if n > 1 { + return nil, fmt.Errorf("got more than one user when executing: %s param: %v", sql, queryParam) + } + return &u[0], nil } diff --git a/src/common/models/ldap.go b/src/common/models/ldap.go index 5429426d0..e26cdfe3f 100644 --- a/src/common/models/ldap.go +++ b/src/common/models/ldap.go @@ -31,6 +31,7 @@ type LdapUser struct { Username string `json:"ldap_username"` Email string `json:"ldap_email"` Realname string `json:"ldap_realname"` + DN string `json:"-"` } //LdapImportUser ... diff --git a/src/common/utils/ldap/ldap.go b/src/common/utils/ldap/ldap.go index 8d053e467..7bda13a54 100644 --- a/src/common/utils/ldap/ldap.go +++ b/src/common/utils/ldap/ldap.go @@ -31,8 +31,6 @@ import ( goldap "gopkg.in/ldap.v2" ) -var attributes = []string{"uid", "cn", "mail", "email"} - // GetSystemLdapConf ... func GetSystemLdapConf() (models.LdapConf, error) { var err error @@ -153,7 +151,7 @@ func ConnectTest(ldapConfs models.LdapConf) error { var ldapConn *goldap.Conn var err error - ldapConn, err = dialLDAP(ldapConfs, ldapConn) + ldapConn, err = dialLDAP(ldapConfs) if err != nil { return err @@ -177,7 +175,7 @@ func SearchUser(ldapConfs models.LdapConf) ([]models.LdapUser, error) { var ldapConn *goldap.Conn var err error - ldapConn, err = dialLDAP(ldapConfs, ldapConn) + ldapConn, err = dialLDAP(ldapConfs) if err != nil { return nil, err @@ -205,8 +203,9 @@ func SearchUser(ldapConfs models.LdapConf) ([]models.LdapUser, error) { var u models.LdapUser for _, attr := range ldapEntry.Attributes { val := attr.Values[0] - switch attr.Name { - case ldapConfs.LdapUID: + log.Debugf("Current ldap entry attr name: %s\n", attr.Name) + switch strings.ToLower(attr.Name) { + case strings.ToLower(ldapConfs.LdapUID): u.Username = val case "uid": u.Realname = val @@ -218,6 +217,7 @@ func SearchUser(ldapConfs models.LdapConf) ([]models.LdapUser, error) { u.Email = val } } + u.DN = ldapEntry.DN ldapUsers = append(ldapUsers, u) } @@ -313,11 +313,25 @@ func ImportUser(user models.LdapUser) (int64, error) { return UserID, nil } -func dialLDAP(ldapConfs models.LdapConf, ldap *goldap.Conn) (*goldap.Conn, error) { +// Bind establish a connection to ldap based on ldapConfs and bind the user with given parameters. +func Bind(ldapConfs models.LdapConf, dn string, password string) error { + conn, err := dialLDAP(ldapConfs) + if err != nil { + return err + } + defer conn.Close() + if ldapConfs.LdapSearchDn != "" { + if err := bindLDAPSearchDN(ldapConfs, conn); err != nil { + return err + } + } + return conn.Bind(dn, password) +} + +func dialLDAP(ldapConfs models.LdapConf) (*goldap.Conn, error) { + var err error - - //log.Debug("ldapConfs.LdapURL:", ldapConfs.LdapURL) - + var ldap *goldap.Conn splitLdapURL := strings.Split(ldapConfs.LdapURL, "://") protocol, hostport := splitLdapURL[0], splitLdapURL[1] @@ -358,6 +372,11 @@ func searchLDAP(ldapConfs models.LdapConf, ldap *goldap.Conn) (*goldap.SearchRes ldapScope := ldapConfs.LdapScope ldapFilter := ldapConfs.LdapFilter + attributes := []string{"uid", "cn", "mail", "email"} + lowerUID := strings.ToLower(ldapConfs.LdapUID) + if lowerUID != "uid" && lowerUID != "cn" && lowerUID != "mail" && lowerUID != "email" { + attributes = append(attributes, ldapConfs.LdapUID) + } searchRequest := goldap.NewSearchRequest( ldapBaseDn, ldapScope, diff --git a/src/ui/auth/ldap/ldap.go b/src/ui/auth/ldap/ldap.go index 7b2132f7a..16f8cb48b 100644 --- a/src/ui/auth/ldap/ldap.go +++ b/src/ui/auth/ldap/ldap.go @@ -75,6 +75,13 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) { u.Email = ldapUsers[0].Email u.Realname = ldapUsers[0].Realname + dn := ldapUsers[0].DN + + log.Debugf("username: %s, dn: %s", u.Username, dn) + if err := ldapUtils.Bind(ldapConfs, dn, m.Password); err != nil { + log.Warningf("Failed to bind user, username: %s, dn: %s, error: %v", u.Username, dn, err) + return nil, nil + } exist, err := dao.UserExists(u, "username") if err != nil { return nil, err @@ -87,11 +94,6 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) { } u.UserID = currentUser.UserID } else { - // u.Password = "12345678AbC" - // u.Comment = "from LDAP." - // if u.Email == "" { - // u.Email = u.Username + "@placeholder.com" - // } userID, err := ldapUtils.ImportUser(ldapUsers[0]) if err != nil { log.Errorf("Can't import user %s, error: %v", ldapUsers[0].Username, err) diff --git a/src/ui/auth/ldap/ldap_test.go b/src/ui/auth/ldap/ldap_test.go index 02ed47e53..e979c9d11 100644 --- a/src/ui/auth/ldap/ldap_test.go +++ b/src/ui/auth/ldap/ldap_test.go @@ -122,4 +122,13 @@ func TestAuthenticate(t *testing.T) { if user.Username != "test" { t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username) } + person.Principal = "test" + person.Password = "1" + user, err = auth.Authenticate(person) + if err != nil { + t.Errorf("unexpected ldap error: %v", err) + } + if user != nil { + t.Errorf("Nil user expected for wrong password") + } } diff --git a/src/ui_ng/src/app/base/navigator/navigator.component.ts b/src/ui_ng/src/app/base/navigator/navigator.component.ts index c041b834f..1b5938f1c 100644 --- a/src/ui_ng/src/app/base/navigator/navigator.component.ts +++ b/src/ui_ng/src/app/base/navigator/navigator.component.ts @@ -93,9 +93,10 @@ export class NavigatorComponent implements OnInit { } public get canChangePassword(): boolean { - return this.session.getCurrentUser() && - this.appConfigService.getConfig() && - this.appConfigService.getConfig().auth_mode != 'ldap_auth'; + let user = this.session.getCurrentUser(); + let config = this.appConfigService.getConfig(); + + return user && ((config && config.auth_mode != 'ldap_auth') || (user.user_id === 1 && user.username === 'admin')); } matchLang(lang: string): boolean { diff --git a/src/ui_ng/src/app/config/auth/config-auth.component.html b/src/ui_ng/src/app/config/auth/config-auth.component.html index 8a9d81a36..1a7b135a3 100644 --- a/src/ui_ng/src/app/config/auth/config-auth.component.html +++ b/src/ui_ng/src/app/config/auth/config-auth.component.html @@ -29,10 +29,9 @@