Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple Visibility Levels and enforcement Levels for Projects #242

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

Vad1mo
Copy link
Member

@Vad1mo Vad1mo commented Jun 12, 2024

This proposal extends Harbor with additional project visibility and permission levels and upgrades the current public/private project visibility and access, making Harbor Suitable for more use cases.

Signed-off-by: Vadim Bauer <1492007+Vad1mo@users.noreply.github.com>
@Vad1mo Vad1mo requested review from a team as code owners June 12, 2024 06:41
@Vad1mo Vad1mo changed the title RFP for Multiple project levels Multiple Visibility Levels and Control for Projects Jun 12, 2024
@Vad1mo Vad1mo changed the title Multiple Visibility Levels and Control for Projects Multiple Visibility Levels and enforcement Levels for Projects Jun 12, 2024
Signed-off-by: Vadim Bauer <1492007+Vad1mo@users.noreply.github.com>
@OrlinVasilev
Copy link
Member

+1

@peter-englmaier
Copy link

Perhaps you want to have a way to explicitly tag users as "internal". So internal projects are not accidentally exposed to customers, who have an account to download software delivered to them. Otherwise, I find the proposal quite useful for larger organisations.

@Vad1mo
Copy link
Member Author

Vad1mo commented Jun 14, 2024

Perhaps you want to have a way to explicitly tag users as "internal". So internal projects are not accidentally exposed to customers, who have an account to download software delivered to them. Otherwise, I find the proposal quite useful for larger organisations.

thank you for your input. This is not in scope for this proposal. In this context, internal does not refer to users but to networks, this would be a separate use case IMO.

Copy link

@tillepille tillepille left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Comment on lines +44 to +45
users can view and pull artifacts from this project.
But they are not allowed to pull any artifact from this project unless they are explicitly added as members to the project.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe a copy-pasta issue: In 44 you say "users can view and pull". Next line "But they are not allowed to pull".

we want the internal projects
to be visible and accessible inside the organization, but private to the outside.
The same would apply to pulling artifacts,
internally without a pull secret and externally just like a private project with a pull secret.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what means internally / externally in this context?


To handle this the internal use case, we would need
to have a functionality
that can distinguish between access from internal or external networks.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding the complexity of networking here makes the proposal bigger than it needs to be.

For me it's about authorizing all authenticated identities to a project by default.

IMHO adding networking brings much complexity and risk with it.

that are explicitly added as members to the project to get access,
based on their access level.
- **Internal View Only**
All authenticated (hence authenticated)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"hence authenticated", you mean authorized?

add related issue

Signed-off-by: Vadim Bauer <Bauer.vadim@gmail.com>

## Abstract

This proposal extends Harbor with additional project visibility and permission levels, and upgrades the current public/private project visibility and access levels.
Copy link
Contributor

@wy65701436 wy65701436 Aug 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally, the document lacks of technical parts to let other maintainers know how to handle the newly introduced level?

The scheme changes? And the data migration?
The RBAC mode for the internal project?
API change?
Any downstream impact?

And also, could you add persona? user story?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants