Make it possible to disable all "public" functionality #12306

Open
zimmski opened this issue Jun 22, 2020 · 9 comments
Labels: kind/requirement New feature or idea on top of harbor

Comments

@zimmski

zimmski commented Jun 22, 2020

If someone is using Harbor as a private registry only, no public projects/images, there are still multiple things that are not secure by default because they are publicly available or easy to misconfigure.

Therefore, my proposal aims at making Harbor "secure by default" in the sense of disabling as much as possible for public access by default and allowing administrators to enable/disable certain features. I guess it would make sense to split these tasks into multiple issues, but I want to first start a discussion on what could be done, because I am sure I overlooked things. If these items are OK for the maintainers I offer that we (https://symflower.com) could also implement in time some of them if necessary but we want to make sure that upstream is OK with it first.

Currently the following things should be disabled by default for the public facing login:

  • Make the whole Harbor instance non-public by default. There should be an option that enables "public" features, e.g. if this is enabled a user can create "public" projects, but if it is not enabled the option "public" simply does not exist for the whole instance.
  • Disable the search-functionality and make it an option to enable it. Currently I can search and keep the database/application busy without a logged in account. In case someone misconfigured a project an attacker could also easily find images to pull. I am sure that there are Harbor instances out there where I can do that.
  • Remove the default "library" project. It is public by default. Let the first-time-install administrator add their own projects and not forget to "delete library".
  • Disable information about Harbor for the public facing pages: Remove the "About" page for public access. It should be not that easy to find the version of an instance. Also the "More info..." link is unnecessary.
@ninjadq ninjadq added the kind/requirement New feature or idea on top of harbor label Jun 29, 2020
@jan-from-meiro

@zimmski besides it's not by default is there even any way to disable these without a necessity of building it from source?

@zimmski
Author

zimmski commented Dec 22, 2020

@xaleeks We are still willing to work on these items. Please let me know what you want to do and how to move forward. I want to avoid creating PRs that are then not accepted, which would force us to do a fork. I know these situations all too well and I know how busy maintainers are (if you look at my profile you can see that I have the same problem right now).

@jan-from-meiro no. That is exactly the problem.

@yottapanda

yottapanda commented Nov 2, 2021

I'd like to bump this. An outward facing, unauthenticated search field is a huge attack surface.

@slushysnowman
Contributor

Yeah this is a pretty big thing and really needs to be addressed, basically at the moment you can't guarantee as someone running Harbor that everything is private and secure. If a user misconfigures their project, or clicks on 'public' accidentally, then suddenly their images can be pulled by the entire world.

The documentation is also very misleading on what a 'Public' project is:
Public: Any user can pull images from this project. This is a convenient way for you to share repositories with others.

Saying 'user' here implies an onboarded user of Harbor, not any random person on the internet, which seems to actually be the case. This should be corrected to highlight that this allows images to be pulled by anyone.

@github-actions

github-actions bot commented Jul 7, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Jul 7, 2022
@slushysnowman
Contributor

This should definitely not be stale, this is 100% still relevant - anyone wanting to run Harbor as a private registry should be concerned about the fact that project admins can set their project public by themselves, with no override possible.

You can say that a solution is to not give out project admin permission - yes, but then a lot of the key features and self-service stuff, like robot account creation is lost. So that's not a solution IMO.

@github-actions github-actions bot removed the Stale label Jul 8, 2022
@qnetter
Contributor

qnetter commented Aug 30, 2022

I agree this is an important idea. It will almost definitely not fit in 2.7, but if anyone wants to work on it and change that, please volunteer.

@petterroea

petterroea commented Nov 16, 2023

I also want this. I am using Harbor as a private repo for images I do not want public (why would I host my own images if they are public? There are plenty of free hosting alternatives out there for public images).

A switch to completely disable all unauthenticated access would be great. I am an idiot and I will make mistakes. I want to idiotproof my registry for myself.

@Tonkari

Tonkari commented Dec 6, 2024

We also need this. We run Harbor for users that should not be allowed to create public repositories. While we have told everyone, we need to enforce this somehow. Currently we run a script that sets all projects to private every minute.

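The periodic "set everything back to private" workaround described in the comment above, as an added example that is neither the commenter's script nor part of Harbor itself. It assumes the Harbor v2 REST API shape (GET /api/v2.0/projects with page/page_size, the project's public flag stored as the string "true"/"false" under metadata.public, and PUT /api/v2.0/projects/{name} to update metadata), a placeholder instance URL and admin credentials; verify the endpoints against your instance's Swagger page before relying on it.

```python
"""Added example: flip every public Harbor project back to private (stopgap, not a Harbor feature)."""
import base64
import json
import urllib.request

HARBOR_URL = "https://harbor.example.internal"  # placeholder, assumed
ADMIN_USER, ADMIN_PASS = "admin", "CHANGE_ME"     # placeholder credentials, assumed
PAGE_SIZE = 100                                   # assumed maximum page size

# Constructed sample of what the projects endpoint returns (not real data).
SAMPLE_PROJECTS = [
    {"project_id": 1, "name": "library", "metadata": {"public": "true"}},
    {"project_id": 2, "name": "internal", "metadata": {"public": "false"}},
    {"project_id": 3, "name": "legacy", "metadata": {}},
]


def is_public(project: dict) -> bool:
    """Harbor keeps the flag as the string 'true'/'false' in metadata.public (assumed field)."""
    return str(project.get("metadata", {}).get("public", "false")).lower() == "true"


def find_public_projects(projects: list) -> list:
    """Names of all projects whose metadata marks them public; missing metadata counts as private."""
    return [p["name"] for p in projects if is_public(p)]


def _request(method: str, path: str, body=None):
    """Minimal JSON client using HTTP basic auth with the admin account."""
    token = base64.b64encode(f"{ADMIN_USER}:{ADMIN_PASS}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(HARBOR_URL + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def list_all_projects() -> list:
    """Page through GET /api/v2.0/projects (assumed endpoint) until a short page arrives."""
    projects, page = [], 1
    while True:
        chunk = _request("GET", f"/api/v2.0/projects?page={page}&page_size={PAGE_SIZE}") or []
        projects.extend(chunk)
        if len(chunk) < PAGE_SIZE:
            return projects
        page += 1


def enforce_private(projects: list) -> list:
    """PUT metadata.public=false on each public project (assumed endpoint); returns the names changed."""
    flipped = find_public_projects(projects)
    for name in flipped:
        _request("PUT", f"/api/v2.0/projects/{name}", {"metadata": {"public": "false"}})
    return flipped


if __name__ == "__main__":
    print("set to private:", enforce_private(list_all_projects()))
```

Run it from cron (or a Kubernetes CronJob) as often as the exposure window you can tolerate; it narrows the window but does not remove it, which is why the issue asks for an instance-wide switch.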