Merge remote-tracking branch 'upstream/release-1.1.0' into 170424_ldap_fix

This commit is contained in:
Wenkai Yin 2017-04-26 15:29:04 +08:00
commit f92b17e8b9
12 changed files with 119 additions and 49 deletions

12
.gitignore vendored
View File

@ -27,5 +27,17 @@ src/ui_ng/typings/
**/node_modules
**/ssl/
**/proxy.config.json
src/ui_ng/src/**/*.js
src/ui_ng/src/**/*.js.map
src/ui_ng/src/**/*.json
**/npm*.log
src/ui_ng/aot/**/*.js
src/ui_ng/aot/**/*.js.map
src/ui_ng/aot/**/*.json
**/*ngsummary.json
**/*ngfactory.ts
**/aot

View File

@ -282,17 +282,21 @@ package_online: modify_composefile
fi
@cp LICENSE $(HARBORPKG)/LICENSE
@cp NOTICE $(HARBORPKG)/NOTICE
@cp tools/migration/migration_cfg/upgrade $(HARBORPKG)/upgrade
@cp tools/migration/migration_cfg/harbor_1_1_0_template $(HARBORPKG)/harbor_1_1_0_template
@if [ "$(NOTARYFLAG)" = "true" ] ; then \
$(TARCMD) -zcvf harbor-online-installer-$(GITTAGVERSION).tgz \
$(HARBORPKG)/common/templates $(HARBORPKG)/prepare \
$(HARBORPKG)/LICENSE $(HARBORPKG)/NOTICE \
$(HARBORPKG)/upgrade $(HARBORPKG)/harbor_1_1_0_template \
$(HARBORPKG)/install.sh $(HARBORPKG)/$(DOCKERCOMPOSEFILENAME) \
$(HARBORPKG)/harbor.cfg $(HARBORPKG)/$(DOCKERCOMPOSENOTARYFILENAME); \
else \
$(TARCMD) -zcvf harbor-online-installer-$(GITTAGVERSION).tgz \
$(HARBORPKG)/common/templates $(HARBORPKG)/prepare \
$(HARBORPKG)/LICENSE $(HARBORPKG)/NOTICE \
$(HARBORPKG)/upgrade $(HARBORPKG)/harbor_1_1_0_template \
$(HARBORPKG)/install.sh $(HARBORPKG)/$(DOCKERCOMPOSEFILENAME) \
$(HARBORPKG)/harbor.cfg ; \
fi
@ -306,6 +310,8 @@ package_offline: compile build modify_sourcefiles modify_composefile
@cp LICENSE $(HARBORPKG)/LICENSE
@cp NOTICE $(HARBORPKG)/NOTICE
@cp tools/migration/migration_cfg/upgrade $(HARBORPKG)/upgrade
@cp tools/migration/migration_cfg/harbor_1_1_0_template $(HARBORPKG)/harbor_1_1_0_template
@echo "pulling nginx and registry..."
@$(DOCKERPULL) vmware/registry:$(REGISTRYVERSION)
@ -342,12 +348,14 @@ package_offline: compile build modify_sourcefiles modify_composefile
$(HARBORPKG)/common/templates $(HARBORPKG)/$(DOCKERIMGFILE).$(VERSIONTAG).tar.gz \
$(HARBORPKG)/prepare $(HARBORPKG)/NOTICE \
$(HARBORPKG)/LICENSE $(HARBORPKG)/install.sh \
$(HARBORPKG)/upgrade $(HARBORPKG)/harbor_1_1_0_template \
$(HARBORPKG)/harbor.cfg $(HARBORPKG)/$(DOCKERCOMPOSEFILENAME) \
$(HARBORPKG)/$(DOCKERCOMPOSENOTARYFILENAME) ; \
else \
$(TARCMD) -zcvf harbor-offline-installer-$(GITTAGVERSION).tgz \
$(HARBORPKG)/common/templates $(HARBORPKG)/$(DOCKERIMGFILE).$(VERSIONTAG).tar.gz \
$(HARBORPKG)/prepare $(HARBORPKG)/NOTICE \
$(HARBORPKG)/upgrade $(HARBORPKG)/harbor_1_1_0_template \
$(HARBORPKG)/LICENSE $(HARBORPKG)/install.sh \
$(HARBORPKG)/harbor.cfg $(HARBORPKG)/$(DOCKERCOMPOSEFILENAME) ; \
fi

View File

@ -10,7 +10,7 @@ All installers can be downloaded from the **[official release](https://github.co
This guide describes the steps to install and configure Harbor by using the online or offline installer. The installation processes are almost the same.
If you run a previous version of Harbor, you may need to migrate the data to fit the new database schema. For more details, please refer to **[Data Migration Guide](migration_guide.md)**.
If you run a previous version of Harbor, you may need to update ```harbor.cfg``` and migrate the data to fit the new database schema. For more details, please refer to **[Harbor Migration Guide](migration_guide.md)**.
In addition, the deployment instructions on Kubernetes has been created by the community. Refer to [Harbor on Kubernetes](kubernetes_deployment.md) for details.
@ -46,8 +46,14 @@ Offline installer:
Configuration parameters are located in the file **harbor.cfg**.
There are two categories of parameters in harbor.cfg, **required parameters** and **optional parameters**.
* **required parameters**: These parameters are required to be set in the configuration file, and they will take effect if a user updates them in harbor.cfg, rerun the ```install.sh``` script to reinstall Harbor.
* **optional parameters**: These parameters are optional, and only take effect in the initial installation. The user can leave them blank and update them on Web UI after Harbor is started. Subsequent update to these parameters in ```harbor.cfg``` will be ignored.
* **required parameters**: These parameters are required to be set in the configuration file. They will take effect if a user updates them in ```harbor.cfg``` and run the ```install.sh``` script to reinstall Harbor.
* **optional parameters**: These parameters are optional. If they are set in ```harbor.cfg```, they only take effect in the first launch of Harbor.
Subsequent update to these parameters in ```harbor.cfg``` will be ignored.
The user can leave them blank and update them on Web UI after Harbor is started.
**Note:** If you choose to set these parameters via the UI, be sure to do so right after Harbor
is started. In particular, you must set the desired **auth_mode** before registering or creating any new users in Harbor. When there are users in the system (besides the default admin user),
**auth_mode** cannot be changed.
The parameters are described below - note that at the very least, you will need to change the **hostname** attribute.
@ -72,7 +78,11 @@ The parameters are described below - note that at the very least, you will need
* email_ssl = false
* **harbor_admin_password**: The administrator's initial password. This password only takes effect for the first time Harbor launches. After that, this setting is ignored and the administrator's password should be set in the UI. _Note that the default username/password are **admin/Harbor12345** ._
* **auth_mode**: The type of authentication that is used. By default, it is **db_auth**, i.e. the credentials are stored in a database. For LDAP authentication, set this to **ldap_auth**.
* **auth_mode**: The type of authentication that is used. By default, it is **db_auth**, i.e. the credentials are stored in a database.
For LDAP authentication, set this to **ldap_auth**.
**IMPORTANT:** When upgrading from an existing Harbor instance, you must make sure **auth_mode** is the same in ```harbor.cfg``` before launching the new version of Harbor. Otherwise, users
may not be able to log in after the upgrade.
* **ldap_url**: The LDAP endpoint URL (e.g. `ldaps://ldap.mydomain.com`). _Only used when **auth_mode** is set to *ldap_auth* ._
* **ldap_searchdn**: The DN of a user who has the permission to search an LDAP/AD server (e.g. `uid=admin,ou=people,dc=mydomain,dc=com`).
* **ldap_search_pwd**: The password of the user specified by *ldap_searchdn*.
@ -110,14 +120,14 @@ _NOTE: For detailed information on storage backend of a registry, refer to [Regi
#### Finishing installation and starting Harbor
Once **harbor.cfg** and storage backend (optional) are configured, install and start Harbor using the ```install.sh``` script. Note that it may take some time for the online installer to download Harbor images from Docker hub.
##### Default installation
After version 1.1.0, Harbor has integrated with Notary, but by default the installation does not include notary support.
##### Default installation (without Notary)
After version 1.1.0, Harbor has integrated with Notary, but by default the installation does not include Notary service.
```sh
$ sudo ./install.sh
```
If everything worked properly, you should be able to open a browser to visit the admin portal at **http://reg.yourdomain.com** (change *reg.yourdomain.com* to the hostname configured in your harbor.cfg). Note that the default administrator username/password are admin/Harbor12345 .
If everything worked properly, you should be able to open a browser to visit the admin portal at **http://reg.yourdomain.com** (change *reg.yourdomain.com* to the hostname configured in your ```harbor.cfg```). Note that the default administrator username/password are admin/Harbor12345 .
Log in to the admin portal and create a new project, e.g. `myproject`. You can then use docker commands to login and push images (By default, the registry server listens on port 80):
```sh
@ -127,13 +137,13 @@ $ docker push reg.yourdomain.com/myproject/myrepo:mytag
**IMPORTANT:** The default installation of Harbor uses _HTTP_ - as such, you will need to add the option `--insecure-registry` to your client's Docker daemon and restart the Docker service.
##### Installation with Notary
To install Harbor with Notary support, add a parameter when you run ```install.sh```
To install Harbor with Notary service, add a parameter when you run ```install.sh```:
```sh
$ sudo ./install.sh --with-notary
```
**Note**: For installation with Notary the parameter "ui_url_protocol" must be set to "https", for configuring HTTPS certificate please refer to the following sections.
**Note**: For installation with Notary the parameter **ui_url_protocol** must be set to "https". For configuring HTTPS please refer to the following sections.
More information about Notary and Docker Content Trust, please refer to docker's documentation:
More information about Notary and Docker Content Trust, please refer to Docker's documentation:
https://docs.docker.com/engine/security/trust/content_trust/
For information on how to use Harbor, please refer to **[User Guide of Harbor](user_guide.md)** .
@ -166,7 +176,7 @@ Starting registry ... done
Starting proxy ... done
```
To change Harbor's configuration, first stop existing Harbor instance, update harbor.cfg, and then run prepare script to populate the configuration, and then re-create and start Harbor's instance:
To change Harbor's configuration, first stop existing Harbor instance and update ```harbor.cfg```. Then run ```prepare``` script to populate the configuration. Finally re-create and start Harbor's instance:
```
$ sudo docker-compose down -v
$ vim harbor.cfg
@ -187,11 +197,11 @@ $ rm -r /data/registry
#### _Managing lifecycle of Harbor when it's installed with Notary_
When Harbor is installed with Notary, user needs to add extra template file ```docker-compose.notary.yml``` to docker-compose command, so the docker-compose commands to manage the lifecycle of Harbor will be:
When Harbor is installed with Notary, an extra template file ```docker-compose.notary.yml``` is needed for docker-compose commands. The docker-compose commands to manage the lifecycle of Harbor are:
```
$ sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml [ up|down|ps|stop|start ]
```
For example, if user want's to change ```harbor.cfg``` and re-deploy Harbor when it's installed with Notary, the following commands should be used:
For example, if you want to change configuration in ```harbor.cfg``` and re-deploy Harbor when it's installed with Notary, the following commands should be used:
```sh
$ sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml down -v
$ vim harbor.cfg
@ -202,7 +212,7 @@ $ sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml up
Please check the [Docker Compose command-line reference](https://docs.docker.com/compose/reference/) for more on docker-compose.
### Persistent data and log files
By default, registry data is persisted in the target host's `/data/` directory. This data remains unchanged even when Harbor's containers are removed and/or recreated.
By default, registry data is persisted in the host's `/data/` directory. This data remains unchanged even when Harbor's containers are removed and/or recreated.
In addition, Harbor uses *rsyslog* to collect the logs of each container. By default, these log files are stored in the directory `/var/log/harbor/` on the target host for troubleshooting.

View File

@ -44,10 +44,22 @@ When upgrading your existing Habor instance to a newer version, you may need to
```
7. Unzip the new Harbor package and change to `./harbor` as the working directory. Configure Harbor by modifying the file `harbor.cfg`,
- Configure Harbor by modifying the file `harbor.cfg`,
you may need to refer to the configuration files you've backed up during step 2.
Refer to [Installation & Configuration Guide ](../docs/installation_guide.md) for more information.
Since the content and format of `harbor.cfg` may have been changed in the new release, **DO NOT directly copy `harbor.cfg` from previous version of Harbor.**
**IMPORTANT:** If you are upgrading a Harbor instance with LDAP/AD authentication,
you must make sure **auth_mode** is set to **ldap_auth** in `harbor.cfg` before launching the new version of Harbor. Otherwise, users may not be able to log in after the upgrade.
- To assist you in migrating the `harbor.cfg` file from v0.5.0 to v1.1.x, a script is provided and described as below. For other versions of Harbor, you need to manually migrate the file `harbor.cfg`.
```
cd harbor
./upgrade --source-loc source_harbor_cfg_loc --source-version 0.5.0 --target-loc target_harbor_cfg_loc --target-version 1.1.x
```
**NOTE:** After running the script, make sure you go through `harbor.cfg` to verify all the settings are correct. You can make changes to `harbor.cfg` as needed.
8. Under the directory `./harbor`, run the `./install.sh` script to install the new Harbor instance.
@ -97,4 +109,3 @@ For any reason, if you want to roll back to the previous version of Harbor, foll
- Use `test` command to test mysql connection:
```docker run --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql vmware/harbor-db-migrator test```

View File

@ -31,6 +31,7 @@ type LdapUser struct {
Username string `json:"ldap_username"`
Email string `json:"ldap_email"`
Realname string `json:"ldap_realname"`
DN string `json:"-"`
}
//LdapImportUser ...

View File

@ -151,7 +151,7 @@ func ConnectTest(ldapConfs models.LdapConf) error {
var ldapConn *goldap.Conn
var err error
ldapConn, err = dialLDAP(ldapConfs, ldapConn)
ldapConn, err = dialLDAP(ldapConfs)
if err != nil {
return err
@ -175,7 +175,7 @@ func SearchUser(ldapConfs models.LdapConf) ([]models.LdapUser, error) {
var ldapConn *goldap.Conn
var err error
ldapConn, err = dialLDAP(ldapConfs, ldapConn)
ldapConn, err = dialLDAP(ldapConfs)
if err != nil {
return nil, err
@ -217,6 +217,7 @@ func SearchUser(ldapConfs models.LdapConf) ([]models.LdapUser, error) {
u.Email = val
}
}
u.DN = ldapEntry.DN
ldapUsers = append(ldapUsers, u)
}
@ -312,11 +313,25 @@ func ImportUser(user models.LdapUser) (int64, error) {
return UserID, nil
}
func dialLDAP(ldapConfs models.LdapConf, ldap *goldap.Conn) (*goldap.Conn, error) {
// Bind establish a connection to ldap based on ldapConfs and bind the user with given parameters.
func Bind(ldapConfs models.LdapConf, dn string, password string) error {
conn, err := dialLDAP(ldapConfs)
if err != nil {
return err
}
defer conn.Close()
if ldapConfs.LdapSearchDn != "" {
if err := bindLDAPSearchDN(ldapConfs, conn); err != nil {
return err
}
}
return conn.Bind(dn, password)
}
func dialLDAP(ldapConfs models.LdapConf) (*goldap.Conn, error) {
var err error
//log.Debug("ldapConfs.LdapURL:", ldapConfs.LdapURL)
var ldap *goldap.Conn
splitLdapURL := strings.Split(ldapConfs.LdapURL, "://")
protocol, hostport := splitLdapURL[0], splitLdapURL[1]

View File

@ -75,6 +75,12 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
u.Email = ldapUsers[0].Email
u.Realname = ldapUsers[0].Realname
dn := ldapUsers[0].DN
log.Debugf("username: %s, dn: %s", u.Username, dn)
if err := ldapUtils.Bind(ldapConfs, dn, m.Password); err != nil {
return nil, fmt.Errorf("Failed to bind user, username: %s, dn: %s, error: %v", u.Username, dn, err)
}
exist, err := dao.UserExists(u, "username")
if err != nil {
return nil, err
@ -87,11 +93,6 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
}
u.UserID = currentUser.UserID
} else {
// u.Password = "12345678AbC"
// u.Comment = "from LDAP."
// if u.Email == "" {
// u.Email = u.Username + "@placeholder.com"
// }
userID, err := ldapUtils.ImportUser(ldapUsers[0])
if err != nil {
log.Errorf("Can't import user %s, error: %v", ldapUsers[0].Username, err)

View File

@ -122,4 +122,10 @@ func TestAuthenticate(t *testing.T) {
if user.Username != "test" {
t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username)
}
person.Principal = "test"
person.Password = "1"
_, err = auth.Authenticate(person)
if err == nil {
t.Errorf("Expected error for wrong password")
}
}

View File

@ -29,10 +29,9 @@
</label>
</div>
<div class="form-group">
<label for="ldapSearchDN" class="required">{{'CONFIG.LDAP.SEARCH_DN' | translate}}</label>
<label for="ldapSearchDN" aria-haspopup="true" role="tooltip" class="tooltip tooltip-validation tooltip-md tooltip-top-right" [class.invalid]="ldapSearchDNInput.invalid && (ldapSearchDNInput.dirty || ldapSearchDNInput.touched)">
<label for="ldapSearchDN">{{'CONFIG.LDAP.SEARCH_DN' | translate}}</label>
<label for="ldapSearchDN" aria-haspopup="true" role="tooltip" class="tooltip tooltip-validation tooltip-md tooltip-top-right">
<input name="ldapSearchDN" type="text" #ldapSearchDNInput="ngModel" [(ngModel)]="currentConfig.ldap_search_dn.value"
required
id="ldapSearchDN"
size="40" [disabled]="disabled(currentConfig.ldap_search_dn)">
<span class="tooltip-content">
@ -45,10 +44,9 @@
</a>
</div>
<div class="form-group">
<label for="ldapSearchPwd" class="required">{{'CONFIG.LDAP.SEARCH_PWD' | translate}}</label>
<label for="ldapSearchPwd" aria-haspopup="true" role="tooltip" class="tooltip tooltip-validation tooltip-md tooltip-top-right" [class.invalid]="ldapSearchPwdInput.invalid && (ldapSearchPwdInput.dirty || ldapSearchPwdInput.touched)">
<label for="ldapSearchPwd">{{'CONFIG.LDAP.SEARCH_PWD' | translate}}</label>
<label for="ldapSearchPwd" aria-haspopup="true" role="tooltip" class="tooltip tooltip-validation tooltip-md tooltip-top-right">
<input name="ldapSearchPwd" type="password" #ldapSearchPwdInput="ngModel" [(ngModel)]="currentConfig.ldap_search_password.value"
required
id="ldapSearchPwd"
size="40" [disabled]="disabled(currentConfig.ldap_search_password)">
<span class="tooltip-content">

View File

@ -315,6 +315,9 @@ export class ConfigurationComponent implements OnInit, OnDestroy {
delete ldapSettings['ldap_search_password'];
}
//Fix: Confirm ldap scope is number
ldapSettings['ldap_scope'] = +ldapSettings['ldap_scope'];
this.testingLDAPOnGoing = true;
this.configService.testLDAPServer(ldapSettings)
.then(respone => {
@ -402,6 +405,11 @@ export class ConfigurationComponent implements OnInit, OnDestroy {
if (typeof field.value === "boolean") {
changes[prop] = changes[prop] ? "1" : "0";
}
//Trim string value
if(typeof field.value === "string") {
changes[prop] = (''+changes[prop]).trim();
}
}
}
}

View File

@ -18,13 +18,13 @@ if sys.version_info[:3][0] == 3:
parser = argparse.ArgumentParser()
parser.add_argument('--source-loc', dest='source_loc', type=str,help="the path of Harbor 0.5.0 configuration file")
parser.add_argument('--source-version', dest='source_ver', type=str,help="the Harbor instance is to be deployed with notary")
parser.add_argument('--target-loc', dest='target_loc', type=str,help="the path of Harbor 0.6.0 configuration file")
parser.add_argument('--target-loc', dest='target_loc', type=str,help="the path of Harbor 1.1.x configuration file")
parser.add_argument('--target-version', dest='target_ver', type=str, help="the Harbor instance is to be deployed with notary")
upgrade_args = parser.parse_args()
# NOTE: the script only support to upgrade from 0.5.0.to 0.6.0.
# NOTE: the script only support to upgrade from 0.5.0.to 1.1.x.
def validate():
if upgrade_args.source_ver == '0.5.0' and upgrade_args.target_ver == '0.6.0':
if upgrade_args.source_ver == '0.5.0' and upgrade_args.target_ver == '1.1.x':
return
raise Exception("Unable to support upgrade from %s to %s" % (upgrade_args.source_ver, upgrade_args.target_ver))
@ -84,7 +84,7 @@ def render(src, dest, **kw):
delfile(upgrade_args.target_loc)
base_dir = os.path.dirname(__file__)
config_template = os.path.join(base_dir, "harbor_0_6_0_template")
config_template = os.path.join(base_dir, "harbor_1_1_0_template")
render(config_template,
upgrade_args.target_loc,