Authentication & Authorization

Jeff Li edited this page Jul 4, 2017 · 3 revisions

Version Used

Security Filter

Security Filter is a hook that collects the information needed for authentication and authorization on every request. The information includes

type ProjectManager interface {
	Get(projectIDOrName interface{}) (*models.Project, error)
	IsPublic(projectIDOrName interface{}) (bool, error)
	Exist(projectIDOrName interface{}) (bool, error)
	GetRoles(username string, projectIDOrName interface{}) ([]int, error)
	GetPublic() ([]*models.Project, error)
	GetByMember(username string) ([]*models.Project, error)
	Create(*models.Project) (int64, error)
	Delete(projectIDOrName interface{}) error
	Update(projectIDOrName interface{}, project *models.Project) error
	GetAll(query *models.ProjectQueryParam, base ...*models.BaseProjectCollection) ([]*models.Project, error)
	GetTotal(query *models.ProjectQueryParam, base ...*models.BaseProjectCollection) (int64, error)
	GetHasReadPerm(username ...string) ([]*models.Project, error)
}

Because access control in Harbor is based on projects, it comes as no surprise that the project manager is the essential part of the access control component.

The information is stored with Golang's context facility.

Security context

Security context abstracts the operations related to authentication and authorization.

type Context interface {
	IsAuthenticated() bool
	GetUsername() string
	IsSysAdmin() bool
	HasReadPerm(projectIDOrName interface{}) bool
	HasWritePerm(projectIDOrName interface{}) bool
	HasAllPerm(projectIDOrName interface{}) bool
}

It has two implementations

Security context only provides information; it DOES NOT decide whether a request is allowed or not. It is typically used by the API package, which means that the controllers decide whether a request is valid or not.
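The split described above (the filter stores information in Go's context, the controller decides) as an added example; this is not Harbor's code. The names staticCtx, ctxKey, withSecurity and decideRead, the trimmed two-method Context, the project name "library" and the choice of status codes are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
)

// Context is a subset of the security context interface shown above.
type Context interface {
	IsAuthenticated() bool
	HasReadPerm(projectIDOrName interface{}) bool
}

// staticCtx is a hypothetical implementation over a constructed permission set.
type staticCtx struct {
	user     string
	admin    bool
	readable map[interface{}]bool
}

func (s staticCtx) IsAuthenticated() bool          { return s.user != "" }
func (s staticCtx) HasReadPerm(p interface{}) bool { return s.admin || s.readable[p] }

type ctxKey struct{} // unexported key type, so other packages cannot overwrite the value

// withSecurity stands in for the security filter: it only attaches information.
func withSecurity(parent context.Context, sc Context) context.Context {
	return context.WithValue(parent, ctxKey{}, sc)
}

// decideRead stands in for a controller: it makes the allow/deny decision.
func decideRead(ctx context.Context, project interface{}) int {
	sc, ok := ctx.Value(ctxKey{}).(Context)
	if !ok {
		return http.StatusInternalServerError // filter did not run: fail closed
	}
	if sc.HasReadPerm(project) {
		return http.StatusOK
	}
	if !sc.IsAuthenticated() {
		return http.StatusUnauthorized // unknown caller: ask for credentials
	}
	return http.StatusForbidden // known caller without permission
}

func main() {
	anon := withSecurity(context.Background(), staticCtx{readable: map[interface{}]bool{"library": true}})
	fmt.Println(decideRead(anon, "library"), decideRead(anon, "private"))
}
```

A request whose context carries no security context is rejected rather than treated as anonymous, so a route that bypasses the filter cannot silently grant access.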

RBAC Context

TBD

Secret Context

TBD

Authentication

Authentication is performed through the Authenticator interface, which provides 2 implementations at the moment.

DB Authenticator

DB Authenticator compares the provided password with the credential retrieved from the database. Authentication Logic

LDAP Authenticator

LDAP Authenticator retrieves the credential from the LDAP server. In addition, Harbor needs to keep track of extra information about the user, so an associated user record is added to the database by importing it from LDAP.