[upstream] Allow pull from repository only for authenticated users and robot accounts with long lived credentials
Draft issue:
Is your feature request related to a problem? Please describe.
In a harbor deployment, administrators may want to allow pull access to all authenticated users for a repository, usually in environments with OIDC or LDAP where the set of users is not known beforehand.
A specific use case is proxy-cache repositories open to the internet, which can potentially create copyright or licensing issues with public registries. For example, dockerhub and other registries have rate limits, and if a harbor deployment is open to the internet with a public proxy-cache repo, everyone can bypass the protections configured in the public registry.
Another use case is a private repository in a public harbor registry where access should be allowed for everyone in an organization. Our organization has ~60,000 members.
Possible solutions:
One solution, which has limitations, is to create a private repository and give a catch-all group the Limited Guest role. The limitation is that users cannot create robot accounts for that repository, and their personal OIDC token needs refreshing, which is a problem for automation (CI/CD, access from kubernetes, etc.).
Another solution is an L7 policy in the LoadBalancers/Ingress, but this requires knowing all network domains beforehand.
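The first workaround above (private project plus a catch-all group with the Limited Guest role) can be applied through Harbor's v2 REST API. The script below is an added example, not code from the issue or from the Harbor project; the base URL, credentials and group name are placeholders, and the role id (5 for Limited Guest), the OIDC group type (3), the string-valued `public` metadata flag and the `X-Is-Resource-Name` header are assumptions taken from Harbor's API conventions that should be checked against the swagger of the deployment in use.

```python
"""Apply the "private project + catch-all group as Limited Guest" workaround
through Harbor's v2 REST API.

Added example, not part of the issue. Assumptions (verify against your
deployment's /api/v2.0 swagger):
  * role id 5 is "Limited Guest" and group_type 3 is an OIDC group;
  * the project metadata flag "public" is the string "false" / "true";
  * the base URL, admin credentials and group name are placeholders.
"""
import base64
import json
import urllib.request

ROLE_LIMITED_GUEST = 5   # Harbor role id for Limited Guest (assumption)
GROUP_TYPE_OIDC = 3      # Harbor group type for OIDC-backed groups (assumption)


def private_project_payload(project_name: str) -> dict:
    """Body for POST /api/v2.0/projects creating a non-public project,
    so anonymous pulls are rejected."""
    return {"project_name": project_name, "metadata": {"public": "false"}}


def limited_guest_group_payload(group_name: str,
                                group_type: int = GROUP_TYPE_OIDC) -> dict:
    """Body for POST /api/v2.0/projects/{name}/members granting a whole
    group pull-only (Limited Guest) access to the project."""
    return {
        "role_id": ROLE_LIMITED_GUEST,
        "member_group": {"group_name": group_name, "group_type": group_type},
    }


def plan_requests(base_url: str, project_name: str, group_name: str) -> list:
    """Return the ordered (method, url, body) tuples the workaround needs,
    so they can be reviewed or unit-tested before anything is sent."""
    base = base_url.rstrip("/")
    return [
        ("POST", f"{base}/api/v2.0/projects",
         private_project_payload(project_name)),
        ("POST", f"{base}/api/v2.0/projects/{project_name}/members",
         limited_guest_group_payload(group_name)),
    ]


def send(method: str, url: str, body: dict, username: str, password: str) -> int:
    """Send one planned request with HTTP basic auth; returns the status code."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        method=method,
        data=json.dumps(body).encode(),
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            # Tell Harbor the path segment is a project name, not an id (assumption).
            "X-Is-Resource-Name": "true",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder values; print the plan instead of sending it.
    plan = plan_requests("https://harbor.example.com", "proxy-dockerhub", "all-employees")
    for method, url, body in plan:
        print(method, url, json.dumps(body))
```

Reviewing `plan_requests` output before calling `send` makes the effective access policy explicit: the project is non-public, and only members of the named group (every authenticated directory user, if the group is a catch-all) can pull. Binding a proxy-cache project to its upstream registry is a separate part of the project-creation request and is not covered here.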
Describe the solution you'd like
Two items must be addressed.
a. Allow all authenticated users via a new option (there is the anonymous role, https://goharbor.io/docs/main/administration/managing-users/, so the option could be phrased as "reject anonymous"). This can be worked around with a catch-all users approach, but in my opinion it's a hack.
b. Long-lived credentials. Allow users to create user robot accounts or personal tokens with permission granularity. For example, gitlab lets users create tokens with specific permissions. Dockerhub allows the creation of personal tokens but without any granularity on permissions.
I'm happy to dig more into the design, but let's discuss the need for this first.