Merge ceb8ec7 into 5836b1e

docs/import_vulnerability_data.md

@@ -1,6 +1,6 @@
 ## Update an offline Harbor instance with new vulnerability data
 
-Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor administrator needs to manually update the Clair database.
+Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor system administrator needs to manually update the Clair database.
 
 This document provides step-by-step instructions on updating Clair vulnerability database in Harbor.
 

docs/installation_guide.md

@@ -1,4 +1,4 @@
-# Installation and Configuration Guide
+# Harbor Installation and Configuration Guide
 
 There are two possibilities when installing Harbor.
 
@@ -72,10 +72,34 @@ The installation procedure involves the following steps:
 2. Configure the **harbor.yml** file.
 3. Run the **install.sh** script with the appropriate options to install and start Harbor.
 
-## Download the Installer
+## Download and Unpack the Installer
 
 1. Go to the [Harbor releases page](https://github.com/goharbor/harbor/releases). 
-1. Select either the online or offline installer for the version you want to install.
+1. Download either the online or offline installer for the version you want to install.
+1. Optionally download the corresponding `*.asc` file to verify that the package is genuine. 
+
+   The `*.asc` file is an OpenPGP key file. Perform the following steps to verify that the downloaded bundle is genuine. 
+
+   1. Obtain the public key for the `*.asc` file.
+
+      <pre>gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 644FF454C0B4115C</pre>
+      
+      You should see the message ` public key "Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>" imported`
+   1. Verify that the package is genuine by running one of the following commands.
+
+      - Online installer: <pre>gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-online-installer-<i>version</i>.tgz.asc</pre>
+      - Offline installer: <pre>gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-offline-installer-<i>version</i>.tgz.asc</pre>
+
+      The `gpg` command verifies that the signature of the bundle matches that of the `*.asc` key file. You should see confirmation that the signature is correct.
+
+      <pre>
+      gpg: armor header: Version: GnuPG v1
+      gpg: assuming signed data in 'harbor-offline-installer-v1.10.0-rc2.tgz'
+      gpg: Signature made Fri, Dec  6, 2019  5:04:17 AM WEST
+      gpg:                using RSA key 644FF454C0B4115C
+      gpg: using pgp trust model
+      gpg: Good signature from "Harbor-sign (The key for signing Harbor build) &lt;jiangd@vmware.com&gt; [unknown]
+      </pre>
 1. Use `tar` to extract the installer package:
 
    - Online installer:<pre>bash $ tar xvf harbor-online-installer-<em>version</em>.tgz</pre>
@@ -133,7 +157,7 @@ You can use certificates that are signed by a trusted third-party CA, or you can
   <tr>
     <td valign="top"><code>harbor_admin_password</code></td>
     <td valign="top">None</td>
-    <td valign="top">Set an initial password for the Harbor administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are <code>admin</code> and <code>Harbor12345</code>.</td>
+    <td valign="top">Set an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are <code>admin</code> and <code>Harbor12345</code>.</td>
   </tr>
   <tr>
     <td valign="top"><code>database</code></td>
@@ -406,7 +430,7 @@ storage_service:
 ```
 
 
-## Installating and starting Harbor
+## Installing and starting Harbor
 
 Once you have configured **harbor.yml** optionally set up a storage backend, you install and start Harbor by using the `install.sh` script. Note that it might take some time for the online installer to download all of the `Harbor images from Docker hub.
 
@@ -435,8 +459,6 @@ $ docker login reg.yourdomain.com
 $ docker push reg.yourdomain.com/myproject/myrepo:mytag
 ```
 
-**IMPORTANT:** If your installation of Harbor uses HTTP, you must add the option `--insecure-registry` to your client's Docker daemon and restart the Docker service.
-
 ### Installation with Notary
 
 To install Harbor with the Notary service, add the `--with-notary` parameter when you run `install.sh`:
@@ -475,6 +497,31 @@ If you want to install all three of Notary, Clair and chart repository service,
     $ sudo ./install.sh --with-notary --with-clair --with-chartmuseum
 ```
 
+<a id="connect_http"></a>
+## Connecting to Harbor via HTTP
+
+**IMPORTANT:** If your installation of Harbor uses HTTP rather than HTTPS, you must add the option `--insecure-registry` to your client's Docker daemon. By default, the daemon file is located at `/etc/docker/daemon.json`.
+
+For example, add the following to your `daemon.json` file:
+
+<pre>
+{
+"insecure-registries" : ["<i>myregistrydomain.com</i>:5000", "0.0.0.0"]
+}
+</pre>
+
+After you update `daemon.json`, you must restart both Docker Engine and Harbor.
+
+1. Restart Docker Engine.
+
+   `systemctl restart docker`
+1. Stop Harbor.
+
+   `docker-compose down -v`
+1. Restart Harbor.
+
+   `docker-compose up -d`
+
 ## Using Harbor
 
 For information on how to use Harbor, see the **[Harbor User Guide](user_guide.md)** .

docs/manage_role_by_ldap_group.md

@@ -1,57 +1,12 @@
 ## Introduction
 
-This guide provides instructions to manage roles by LDAP/AD group. You can import an LDAP/AD group to Harbor and assign project roles to it. All LDAP/AD users in this LDAP/AD group have assigned roles.
+You can import an LDAP/AD group to Harbor and assign project roles to it. All LDAP/AD users in this LDAP/AD group have assigned roles.
 
-## Prerequisite
-
-1. Harbor's auth_mode is ldap_auth and **[basic LDAP configure parameters](https://github.com/vmware/harbor/blob/master/docs/installation_guide.md#optional-parameters)** are configured.
-1. Memberof overlay
-
-    This feature requires the LDAP/AD server enabled the feature **memberof overlay**. 
-    With this feature, the LDAP/AD user entity's attribute **memberof** is updated when the group entity's **member** attribute is updated. For example, adding or removing an LDAP/AD user from the LDAP/AD group.
-
-    * OpenLDAP -- Refer this **[guide](https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/)** to enable and verify **memberof overlay**
-    * Active Directory -- this feature is enabled by default.
-
-## Configure LDAP group settings
-
-Besides **[basic LDAP configure parameters](https://github.com/vmware/harbor/blob/master/docs/installation_guide.md#optional-parameters)** , LDAP group related configure parameters should be configured, they can be configured before or after installation
-
-  1. Configure LDAP parameters via API, refer to **[Config Harbor user settings by command line](configure_user_settings.md)**
+**NOTE**: Information about how to configure LDAP Groups in the Harbor interface has migrated to the [Harbor User Guide](user_guide.md).
+
+To configure LDAP parameters via the API, see **[Configure Harbor User Settings from the Command Line](configure_user_settings.md)**
 
 For example:
 ```
 curl -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/configurations -d'{"ldap_group_basedn":"ou=groups,dc=example,dc=com"}'
-```   
-The following parameters are related to LDAP group configuration.
-   * ldap_group_basedn -- The base DN from which to lookup a group in LDAP/AD, for example: ou=groups,dc=example,dc=com
-   * ldap_group_filter -- The filter to search LDAP/AD group, for example: objectclass=groupOfNames 
-   * ldap_group_gid    -- The attribute used to name an LDAP/AD group, for example: cn 
-   * ldap_group_scope  -- The scope to search for LDAP/AD groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE 
-
-  2. Or change configure parameter in web console after installation. Go to "Administration" -> "Configuration" -> "Authentication" and change following settings.
-   - LDAP Group Base DN -- ldap_group_basedn in the Harbor user settings
-   - LDAP Group Filter  -- ldap_group_filter in the Harbor user settings
-   - LDAP Group GID     -- ldap_group_gid in the Harbor user settings
-   - LDAP Group Scope   -- ldap_group_scope in the Harbor user settings
-   - LDAP Groups With Admin Privilege -- Specify an LDAP/AD group DN, all LDAPA/AD users in this group have harbor admin privileges.
-
-![Screenshot of LDAP group config](img/group/ldap_group_config.png)
-
-## Assign project role to LDAP/AD group
-
-In "Project" -> "Members" -> "+ GROUP".
-
-![Screenshot of add group](img/group/ldap_group_addgroup.png)
-
-You can "Add an existing user group to project member" or "Add a group from LDAP to project member".
-
-![Screenshot of add group dialog](img/group/ldap_group_addgroup_dialog.png)
-
-Once an LDAP group is assigned a project role, log in with an LDAP/AD user in this group, the user should have the privilege of its group role.
-
-If a user is in the LDAP groups with admin privilege (ldap_group_admin_dn), the user should have the same privileges with Harbor admin.
-
-## User privileges and group privileges
-
-If a user has both user-level role and group-level role, these privileges are merged together.
+```

docs/permissions.md

@@ -29,6 +29,8 @@ The following table depicts the various user permission levels in a project.
 | Pull image                              | ✓             | ✓     | ✓         | ✓      | ✓             |
 | Push image                              |               |       | ✓         | ✓      | ✓             |
 | Scan/delete image                       |               |       |           | ✓      | ✓             |
+| Add scanners to Harbor                  |               |       |           |       |               |
+| Edit scanners in projects               |               |       |           |         | ✓             |
 | See a list of image vulnerabilities     | ✓             | ✓     | ✓         | ✓      | ✓             |
 | See image build history                 | ✓             | ✓     | ✓         | ✓      | ✓             |
 | Add/Remove labels of image              |               |       | ✓         | ✓      | ✓             |
@@ -48,7 +50,9 @@ The following table depicts the various user permission levels in a project.
 | Enable/disable webhooks                 |               |       | ✓         | ✓      | ✓             |
 | Create/delete tag retention rules       |               |       | ✓         | ✓      | ✓             |
 | Enable/disable tag retention rules      |               |       | ✓         | ✓      | ✓             |
+| Create/delete tag immutability rules       |               |       |          |       | ✓             |
+| Enable/disable tag immutability rules      |               |       |          |       | ✓             |
 | See project quotas                      | ✓             | ✓     | ✓         | ✓      | ✓             |
-| Edit project quotas                     |               |       |           |        |               |
-
+| Edit project quotas  *                   |               |       |           |        |               |
 
+* Only the Harbor system administrator can edit project quotas and add new scanners.