
Enforcing Authentication for Public Projects #20571

Closed
shriknd opened this issue Jun 10, 2024 · 2 comments

Comments


shriknd commented Jun 10, 2024

Hi Harbor Community,

We are currently using an internet-facing Harbor registry in our organization. Public projects allow anyone to pull images without authentication, which poses security concerns. I would like to know how we can enforce authentication to ensure only authorized users can pull images from our public project.

Specifically, my questions are:

  1. What are the best practices for enforcing authentication on public projects in an internet-facing Harbor registry?
  2. Are there any specific configurations or features in Harbor that can help restrict access to authorized users only, even for public projects?

Any guidance or recommendations would be greatly appreciated.

Thank you!

Member

Vad1mo commented Jun 11, 2024

The solution is simple and effective. Don't make projects public!

I would like to know how we can enforce authentication to ensure only authorized users can pull images from our public project.

Make the project private, that requires using authentication.

There are some options to keep project private.

  • If you don't want your users to make projects public, run a cron job outside Harbor that sets all projects to private.
  • You can also do it at the DB level (a stored procedure that changes all public projects to private).
  • Create projects for users (no self-service).
  • Set up a GitOps workflow where users need to request a project. The admin team approves projects and can reject public projects if needed, and also enforce quota.

Options are (kind of) endless

Having said that, there is currently an RFP pending that addresses a similar concern: Enable / disable anonymous access #124

Please go ahead and vote for that, if you think it would solve your problem.
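As an added example (not code from Harbor or from anyone in this thread) of the cron-job option above: a small Python script that lists the projects the Harbor v2.0 API reports as public and sets each one back to private. It assumes the `GET /api/v2.0/projects?public=true` listing and `PUT /api/v2.0/projects/{name}` with `{"metadata": {"public": "false"}}` endpoints, HTTP basic auth for an account with Harbor admin rights, and constructed sample data for the offline check.

```python
import base64
import json
import urllib.request

# Constructed sample of what GET /api/v2.0/projects returns (fields trimmed).
SAMPLE_PROJECTS = [
    {"name": "library", "metadata": {"public": "true"}},
    {"name": "internal", "metadata": {"public": "false"}},
    {"name": "demo", "metadata": {"public": "true"}},
]

def find_public_projects(projects):
    """Names of projects flagged public. Harbor stores the flag as the
    string "true"/"false" in project.metadata.public, so compare as text."""
    return [p["name"] for p in projects
            if str(p.get("metadata", {}).get("public", "false")).lower() == "true"]

def basic_auth_header(user, password):
    """HTTP basic auth value for the Harbor API (account needs admin rights)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def make_private_request(base_url, name, auth_header):
    """Build the PUT that flips one project to private (assumed v2.0 endpoint)."""
    body = json.dumps({"metadata": {"public": "false"}}).encode()
    req = urllib.request.Request(f"{base_url}/api/v2.0/projects/{name}",
                                 data=body, method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", auth_header)
    return req

def enforce_private(base_url, user, password, opener=urllib.request.urlopen):
    """List every public project (paged), flip each to private, return the names changed."""
    auth = basic_auth_header(user, password)
    public, page = [], 1
    while True:  # collect first, so flipping does not shift the public=true pages
        req = urllib.request.Request(
            f"{base_url}/api/v2.0/projects?public=true&page={page}&page_size=100")
        req.add_header("Authorization", auth)
        with opener(req) as resp:
            batch = json.load(resp)
        if not batch:
            break
        public += find_public_projects(batch)
        page += 1
    for name in public:
        with opener(make_private_request(base_url, name, auth)):
            pass  # a 2xx means the project is now private; failures raise HTTPError
    return public
```

Call `enforce_private(url, user, password)` from the cron job; the `opener` parameter lets the logic be exercised without a live registry.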

@wy65701436
Contributor

Allowing anonymous access to public resources is a common practice, similar to other SaaS platforms like Docker Hub. That's why we offer both public and private access levels.

If you want to restrict access to your project, just set it to private.

@zyyw zyyw closed this as completed Jun 17, 2024