diff --git a/docs/administration/robot-accounts/_index.md b/docs/administration/robot-accounts/_index.md index d79da9b00..fa43eb947 100644 --- a/docs/administration/robot-accounts/_index.md +++ b/docs/administration/robot-accounts/_index.md 
@@ -5,39 +5,27 @@ weight: 40 Harbor v2.2 introduces the capability for administrators to create system robot accounts you can use you run automated actions in your Harbor instances. System robot accounts allow you to use a robot account to perform maintenance or repeated tasks across all or a subset of projects in your Harbor instance. -For each system robot account you are able to assign the following permissions, - -* List Repository -* Pull Repository -* Push Repository -* Delete Repository -* Read Artifact -* List Artifact -* Delete Artifact -* Create Artifact Label -* Delete Artifact Label -* Create Tag -* Delete Tag -* List Tag -* Create Scan -* Stop Scan - -Depending on your needs you can assign a combination of these permissions to a system robot account to perform your desired tasks through the OCI client or Harbor API. Robot Accounts cannot log in to the Harbor interface. - -You are also able create project scope robot account that only have access to a single project. Read more about [project robot accounts](../../working-with-projects/project-configuration/create-robot-accounts/). +For each system robot account you are able to assign the system permissions and specify the projects it covers. And for each of the specified projects you are able to assign the project permissions + +You can refer to the [**Permission References**](#permission-references) to assign a combination of these permissions to a system robot account to perform your desired tasks through the OCI client or Harbor API. Robot Accounts cannot log in to the Harbor interface. + +You are also able to create project scope robot account that only have access to a single project. Read more about [project robot accounts](../../working-with-projects/project-configuration/create-robot-accounts/). ## View System Robot Accounts 1. Log into your harbor instance as an administrator. 1. Go to **Robot Accounts** item under **Administration**. 
-![System robot account page](../../img/system-robot-account-page.png) +![System robot account page](../../img/robotaccount/system-robot-account-page.png) This page lists all available system robot accounts for your Harbor instance. The table lists the following information for each system robot account, * The name of a system account. This is derived from robot account prefix configured for your Harbor instance and the name assigned to the account when it was created. A robot account name follows the format ``. If you use the search function on this page, you only need to search for the account name without the prefix. * Enabled status shows if an account is enabled or deactivated. -* The number of projects an account is associated with. To see a full list of the projects an account is associated with, click on the **Project(s)** link. +* The number of system permissions an account is assigned to. To see a full set of the assigned system permissions, click on the **PERMISSIONS** link. + + ![View all the system permissions](../../img/robotaccount/view-system-permissions.png) +* The number of projects an account is associated with. To see a full list of the projects an account is associated with, click on the **PROJECT(S)** link. ![View list of all projects associated with a system robot account](../../img/list-robot-account-projects.png) 
@@ -52,15 +40,16 @@ This page lists all available system robot accounts for your Harbor instance. Th 1. Go to **Administration**, select a project, and select **Robot Accounts**. 1. Click **New Robot Account**. - ![Create system robot account window](../../img/create-system-robot-account.png) + ![Create system robot account window](../../img/robotaccount/create-system-robot-account-step1.png) 1. Enter a name and an optional description for this robot account. 1. Set Expiration time for this robot account. By default the configured system default expiration time is used. You can also select **Never Expired** from the dropdown if you want to create a never expiring robot account. -1. Select **Cover all projects** if you want to use this system robot account across all projects. Using this option means that this system robot account will be able to access all existing and future projects in your Harbor instance. You can use the **Permissions(s)** dropdown to select which permission to grant to the robot account. - ![Cover all projects and select permissions from the dropdown](../../img/cover-all-projeects-robot-account.png) +1. Select the system permissions for this robot account. +1. Select **Cover all projects** if you want to use this system robot account across all projects. Using this option means that this system robot account will be able to access all existing and future projects in your Harbor instance. You can select which permission to grant to the robot account. + ![Cover all projects and select permissions](../../img/robotaccount/cover-all-project-and-select-permissions.png) 1. If you want this robot account to only cover certain projects or be granted certain permissions, use the project table to select the projects and permissions you want to assign to the system robot account. This table shows the each project name, the project creation time, and a dropdown list of permissions to assign the system robot account for that project. 
- ![Project table for assigning robot accounts](../../img/project-table-robot-account.png) + ![Project table for assigning robot accounts](../../img/robotaccount/project-table-robot-account.png) Click the checkbox next to the project name to associate this robot account. @@ -74,16 +63,16 @@ This page lists all available system robot accounts for your Harbor instance. Th {{< /note >}} - ![](../../img/set-robot-account-permissions.png) + ![Set project permission](../../img/robotaccount/set-project-permissions.png) - Click the **Reset Permissions** dropdown to control which permissions are available for each project. Selecting or unselecting a permission will add or remove the permission for every project. Using this option will adjust permissions for all projects, not just the projects shown if you have filtered for a specific project name. + Click the **Reset All Project Permissions** dropdown to control which permissions are available for each project. Selecting or unselecting a permission will add or remove the permission for every project. Using this option will adjust permissions for all projects, not just the projects shown if you have filtered for a specific project name. - ![Reset robot account permissions](../../img/reset-robot-account-permissions.png) + ![Reset robot account permissions](../../img/robotaccount/reset-robot-permissions.png) - Click **Select All** to associate the system robot account with all of the projects shown in the table. If you are filtering by project name, this option will only select the filtered projects. + Click **Select All Projects** to associate the system robot account with all of the projects shown in the table. If you are filtering by project name, this option will only select the filtered projects. -1. Click **Add**. +1. Click **FINISH**. 1. In the confirmation window, click **Export to File** to download the secret as a JSON file, or click the clipboard icon to copy its contents to the clipboard. 
@@ -147,3 +136,130 @@ docker login Username: Password: ``` + + +## Permission References + +The below tables explain what a robot account can do with a specified permission. + +#### System permissions + +| Permission (an action + a resource) | Abilities | +|:-----------------------------------------------|| +| List Audit log (audit-log) | 1. GET [/audit-logs](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L1611) | +| Read Catalog (catalog) | 1. GET /v2/_catalog | +| Read Garbage Collection (garbage-collection) | 1. GET [/system/gc/{gc_id}/log](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4216)
2. GET [/system/gc/schedule](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4244) | +| List Garbage Collection (garbage-collection) | 1. GET [/system/gc](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4141) | +| Create Garbage Collection (garbage-collection) | 1. POST [/system/gc/schedule](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4263) | +| Stop Garbage Collection (garbage-collection) | 1. PUT [/system/gc/{gc_id}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4196) | +| Update Garbage Collection (garbage-collection) | 1. PUT [/system/gc/schedule](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4291) | +| List Job Service Monitor (jobservice-monitor) | 1. GET [/jobservice/pools](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4641)
2. GET [/jobservice/pools/{pool_id}/workers](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L466)
3. GET [/jobservice/jobs/{job_id}/log](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4717)
4. GET [/jobservice/queues](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4750) | +| Stop Job Service Monitor (jobservice-monitor) | 1. PUT [/jobservice/jobs/{job_id}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4692)
2. PUT [/jobservice/queues/{job_type}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4774) | +| Read Label (label) | 1. GET [/labels/{global_label_id}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L5869) | +| Create Label (label) | 1. POST [/labels?scope=g](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L5836) | +| Update Label (label) | 1. PUT [/labels/{global_label_id}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L5890) | +| Delete Label (label) | 1. DELETE [/labels/{global_label_id}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L5919) | +| Read Preheat Instance (preheat-instance) | 1. POST [/preheat/instances/ping](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L1706)
2. GET [/p2p/preheat/instances/{preheat_instance_name}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L1799) | +| List Preheat Instance (preheat-instance) | 1. GET [/p2p/preheat/providers](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L1680)
2. GET [/p2p/preheat/instances](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L1733) | +| Create Preheat Instance (preheat-instance) | 1. POST [/p2p/preheat/instances](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L1769) | +| Update Preheat Instance (preheat-instance) | 1. PUT [/p2p/preheat/instances/{preheat_instance_name}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L1843) | +| Delete Preheat Instance (preheat-instance) | 1. DELETE [/p2p/preheat/instances/{preheat_instance_name}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L1823) | +| List Project (project) | 1. GET [/projects](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L272) | +| Create Project (project) | 1. POST [/projects](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L343) | +| Read Purge Audit (purge-audit) | 1. GET [/system/purgeaudit/{purge_id}/log](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4394)
2. GET [/system/purgeaudit/schedule](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4421)
3. GET [/system/purgeaudit/{purge_id}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4351) | +| List Purge Audit (purge-audit) | 1. GET [/system/purgeaudit](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4318) | +| Create Purge Audit (purge-audit) | 1. POST [/system/purgeaudit/schedule](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4440) | +| Stop Purge Audit (purge-audit) | 1. PUT [/system/purgeaudit/{purge_id}](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4373) | +| Update Purge Audit (purge-audit) | 1. PUT [system/purgeaudit/schedule](https://github.com/goharbor/harbor/blob/323e11fefba181fd982b9773dacefa44b2ef0ca0/api/v2.0/swagger.yaml#L4470) | +| Read Registry (registry) | 1. POST [/registries/ping](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3855)
2. GET [/registries/{id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3883)
3. GET [/registries/{id}/info](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3971) | +| List Registry (registry) | 1. GET [/registries](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3817) | +| Create Registry (registry) | 1. POST [/registries](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3790) | +| Update Registry (registry) | 1. PUT [/registries/{id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3937) | +| Delete Registry (registry) | 1. DELETE [/registries/{id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3910) | +| Read Replication (replication) | 1. GET [/replication/executions/{id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3605)
2. GET [/replication/executions/{id}/tasks/{task_id}/log](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3706) | +| List Replication (replication) | 1. GET [/replication/executions](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3533)
2. GET [/replication/executions/{id}/tasks](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3658) | +| Create Replication (replication) | 1. POST [/replication/executions](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3579)
2. PUT [/replication/executions/{id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3632) | +| List Replication Adapter (replication-adapter) | 1. GET [/replication/adapters](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3746)
2. GET [/replication/adapterinfos](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3768) | +| Read Replication Policy (replication-policy) | 1. GET [/replication/policies/{id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3447) | +| List Replication Policy (replication-policy) | 1. GET [/replication/policies](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3382) | +| Create Replication Policy (replication-policy) | 1. POST [/replication/policies](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3419) | +| Update Replication Policy (replication-policy) | 1. PUT [/replication/policies/{id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3499) | +| Delete Replication Policy (replication-policy) | 1. DELETE [/replication/policies/{id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3472) | +| Read Scan All (scan-all) | 1. GET [/scans/all/metrics](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L3999)
2. GET [/scans/schedule/metrics](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L4021) | +| Create Scan All (scan-all) | 1. POST [/system/scanAll/schedule](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L4591) | +| Stop Scan All (scan-all) | 1. POST [/system/scanAll/stop](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L4621) | +| Update Scan All (scan-all) | 1. PUT [/system/scanAll/schedule](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L4564) | +| Read Scanner (scanner) | 1. POST [/scanners/ping](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5295)
2. GET [/scanners/{registration_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5322)
3. GET [/scanners/{registration_id}/metadata](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5436) | +| List Scanner (scanner) | 1. GET [/scanners](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5229) | +| Create Scanner (scanner) | 1. POST [/scanners](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5264) | +| Update Scanner (scanner) | 1. PUT [/scanners/{registration_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5349) | +| Delete Scanner (scanner) | 1. DELETE [/scanners/{registration_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5380) | +| Read Security Hub (security-hub) | 1. GET [/security/summary](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L6056) | +| List Security Hub (security-hub) | 1. GET [/security/vul](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L6091) | +| Read System Volumes (system-volumes) | 1. GET [/systeminfo/volumes](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L4061) | + + +#### Project permissions + +| Permission (an action + a resource) | Abilities | +|:-------------------------------------------------|| +| List Accessory (accessory) | 1. GET [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/accessories](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L1348) | +| Read Artifact (artifact) | 1. 
GET [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L1067) | +| List Artifact (artifact) | 1. GET [/projects/{project_name}/repositories/{repository_name}/artifacts](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L961) | +| Create Artifact (artifact) | 1. POST [/projects/{project_name}/repositories/{repository_name}/artifacts](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L1036) | +| Delete Artifact (artifact) | 1. DELETE [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L1133) | +| Read Artifact Addition (artifact-addition) | 1. GET [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/vulnerabilities](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L1388)
2. GET [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/{addition}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L1420) | +| Create Artifact Label (artifact-label) | 1. POST [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/labels](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L1457) | +| Delete Artifact Label (artifact-label) | 1. DELETE [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/labels/{label_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L1490) | +| List Immutable Tag (immutable-tag) | 1. GET [/projects/{project_name_or_id}/immutabletagrules](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L2396) | +| Create Immutable Tag (immutable-tag) | 1. POST [/projects/{project_name_or_id}/immutabletagrules](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L2433) | +| Update Immutable Tag (immutable-tag) | 1. PUT [/projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L2463) | +| Delete Immutable Tag (immutable-tag) | 1. DELETE [/projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L2489) | +| Read Label (label) | 1. GET [/labels/{project_label_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5869) | +| List Label (label) | 1. 
GET [/labels?scope=p&project_id={project_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5787) | +| Create Label (label) | 1. POST [/labels?scope=p&project_id={project_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5836) | +| Update Label (label) | 1. PUT [/labels/{project_label_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5890) | +| Delete Label (label) | 1. DELETE [/labels/{project_label_id}](https://github.com/goharbor/harbor/blob/f99a619bc676ba614048c5a84cf0598adc79519f/api/v2.0/swagger.yaml#L5919) | +| List Log (log) | 1. GET [/projects/{project_name}/logs](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1646) | +| Read Project Metadata (metadata) | 1. GET [/projects/{project_name_or_id}/metadatas/{meta_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L715) | +| List Project Metadata (metadata) | 1. GET [/projects/{project_name_or_id}/metadatas](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L656) | +| Create Project Metadata (metadata) | 1. POST [/projects/{project_name_or_id}/metadatas](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L683) | +| Update Project Metadata (metadata) | 1. PUT [/projects/{project_name_or_id}/metadatas/{meta_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L747) | +| Delete Project Metadata (metadata) | 1. DELETE [/projects/{project_name_or_id}/metadatas/{meta_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L783) | +| Read Notification Policy (notification-policy) | 1. 
GET [/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2584)
2. GET [/projects/{project_name_or_id}/webhook/lasttrigger](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2787)
3. GET [/projects/{project_name_or_id}/webhook/events](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2867)
4. GET [/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2668)
5. GET [/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions/{execution_id}/tasks](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2709)
6. GET [/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions/{execution_id}/tasks/{task_id}/log](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2750) | +| List Notification Policy (notification-policy) | 1. GET [/projects/{project_name_or_id}/webhook/policies](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2511)
2. GET [/projects/{project_name_or_id}/webhook/jobs](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2815) | +| Create Notification Policy (notification-policy) | 1. POST [/projects/{project_name_or_id}/webhook/policies](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2548) | +| Update Notification Policy (notification-policy) | 1. PUT [/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2611) | +| Delete Notification Policy (notification-policy) | 1. DELETE [/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2642) | +| Read Preheat Policy (preheat-policy) | 1. GET [/projects/{project_name}/preheat/policies/{preheat_policy_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1936)
2. POST [/projects/{project_name}/preheat/policies/{preheat_policy_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1992)
3. GET [/projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2084)
4. GET [/projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}/tasks/{task_id}/logs](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2181) | +| List Preheat Policy (preheat-policy) | 1. GET [/projects/{project_name}/preheat/policies](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1900)
2. GET [/projects/{project_name}/preheat/providers](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2215) | +| Create Preheat Policy (preheat-policy) | 1. POST [/projects/{project_name}/preheat/policies](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1872) | +| Update Preheat Policy (preheat-policy) | 1. PUT [/projects/{project_name}/preheat/policies/{preheat_policy_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1961)
2. PATCH [/projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2110) | +| Delete Preheat Policy (preheat-policy) | 1. DELETE [/projects/{project_name}/preheat/policies/{preheat_policy_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L2021) | +| Read Project (project) | 1. GET [/projects/{project_name_or_id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L370) | +| Update Project (project) | 1. PUT [/projects/{project_name_or_id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L389) | +| Delete Project (project) | 1. DELETE [/projects/{project_name_or_id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L418)
2. GET [/projects/{project_name_or_id}/_deletable](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L442) | +| Read Repository (repository) | 1. GET [/projects/{project_name}/repositories/{repository_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L883) | +| List Repository (repository) | 1. GET [/projects/{project_name}/repositories](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L845) | +| Update Repository (repository) | 1. PUT [/projects/{project_name}/repositories/{repository_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L908) | +| Delete Repository (repository) | 1. DELETE [/projects/{project_name}/repositories/{repository_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L937) | +| Pull Repository (repository) | 1. Pull artifacts from the project | +| Push Repository (repository) | 1. Push artifacts to the project | +| Read Scan (scan) | 1. GET [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1206) | +| Create Scan (scan) | 1. POST [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1156) | +| Stop Scan (scan) | 1. POST [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/stop](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1181) | +| Read Scanner (scanner) | 1. 
GET [/projects/{project_name_or_id}/scanner](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1521) | +| Create Scanner (scanner) | 1. PUT [/projects/{project_name_or_id}/scanner](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1546)
2. GET [/projects/{project_name_or_id}/scanner/candidates](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1575) | +| List Tag (tag) | 1. GET [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/tags](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1272) | +| Create Tag (tag) | 1. POST [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/tags](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1238) | +| Delete Tag (tag) | 1. DELETE [/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/tags/{tag_name}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L1324) | +| Read Tag Retention (tag-retention) | 1. GET [/retentions/{id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L4925)
2. GET [/retentions/{id}/executions/{eid}/tasks/{tid}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L5188) | +| List Tag Retention (tag-retention) | 1. GET [/retentions/{id}/executions](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L5044)
2. GET [/retentions/{id}/executions/{eid}/tasks](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L5133) | +| Create Tag Retention (tag-retention) | 1. POST [/retentions](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L4895) | +| Update Tag Retention (tag-retention) | 1. PUT [/retentions/{id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L4950)
2. POST [/retentions/{id}/executions](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L5009)
3 PATCH [/retentions/{id}/executions/{eid}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L5093) | +| Delete Tag Retention (tag-retention) | 1. DELETE [/retentions/{id}](https://github.com/goharbor/harbor/blob/2984c2e04b3b3194cabb44470d0e37acc4b1d5c9/api/v2.0/swagger.yaml#L4981) | + + +{{< note >}} +Public APIs are not included in the tables above because they can be accessed by any robot account +{{< /note >}} diff --git a/docs/img/add-robot-account-2.png b/docs/img/add-robot-account-2.png deleted file mode 100644 index a493b2c32..000000000 Binary files a/docs/img/add-robot-account-2.png and /dev/null differ diff --git a/docs/img/cover-all-projeects-robot-account.png b/docs/img/cover-all-projeects-robot-account.png deleted file mode 100644 index ec74fb3ce..000000000 Binary files a/docs/img/cover-all-projeects-robot-account.png and /dev/null differ diff --git a/docs/img/permissions-link.png b/docs/img/permissions-link.png deleted file mode 100644 index 69ccf8f1e..000000000 Binary files a/docs/img/permissions-link.png and /dev/null differ diff --git a/docs/img/project-table-robot-account.png b/docs/img/project-table-robot-account.png deleted file mode 100644 index 1c8a0817d..000000000 Binary files a/docs/img/project-table-robot-account.png and /dev/null differ diff --git a/docs/img/robotaccount/cover-all-project-and-select-permissions.png b/docs/img/robotaccount/cover-all-project-and-select-permissions.png new file mode 100644 index 000000000..551f1670b Binary files /dev/null and b/docs/img/robotaccount/cover-all-project-and-select-permissions.png differ diff --git a/docs/img/robotaccount/create-project-robot-step1.png b/docs/img/robotaccount/create-project-robot-step1.png new file mode 100644 index 000000000..d63f805dc Binary files /dev/null and b/docs/img/robotaccount/create-project-robot-step1.png differ 
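Review bot: In the Update Tag Retention row the third entry is written `3 PATCH [/retentions/{id}/executions/{eid}]` without the period that every other numbered entry in these tables carries (`1.`, `2.`), so it will not read as item 3 of the list; change it to `3. PATCH`. The closing note ("Public APIs are not included in the tables above because they can be accessed by any robot account") also lacks a final period. It would be more useful to an administrator scoping a robot account if it said which endpoints count as public, or linked to where they are listed, since those define what every robot account can reach regardless of the permissions assigned here.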
diff --git a/docs/img/robotaccount/create-project-robot-step2.png b/docs/img/robotaccount/create-project-robot-step2.png new file mode 100644 index 000000000..7f65d4e84 Binary files /dev/null and b/docs/img/robotaccount/create-project-robot-step2.png differ diff --git a/docs/img/robotaccount/create-system-robot-account-step1.png b/docs/img/robotaccount/create-system-robot-account-step1.png new file mode 100644 index 000000000..3f9900ba7 Binary files /dev/null and b/docs/img/robotaccount/create-system-robot-account-step1.png differ diff --git a/docs/img/robotaccount/project-permission-candidates.png b/docs/img/robotaccount/project-permission-candidates.png new file mode 100644 index 000000000..d9c444ede Binary files /dev/null and b/docs/img/robotaccount/project-permission-candidates.png differ diff --git a/docs/img/robotaccount/project-table-robot-account.png b/docs/img/robotaccount/project-table-robot-account.png new file mode 100644 index 000000000..6d83d6a1c Binary files /dev/null and b/docs/img/robotaccount/project-table-robot-account.png differ diff --git a/docs/img/robotaccount/reset-robot-permissions.png b/docs/img/robotaccount/reset-robot-permissions.png new file mode 100644 index 000000000..ce4f6f271 Binary files /dev/null and b/docs/img/robotaccount/reset-robot-permissions.png differ diff --git a/docs/img/robotaccount/set-project-permissions.png b/docs/img/robotaccount/set-project-permissions.png new file mode 100644 index 000000000..c5b863436 Binary files /dev/null and b/docs/img/robotaccount/set-project-permissions.png differ diff --git a/docs/img/robotaccount/system-robot-account-page.png b/docs/img/robotaccount/system-robot-account-page.png new file mode 100644 index 000000000..aff44a30b Binary files /dev/null and b/docs/img/robotaccount/system-robot-account-page.png differ 
diff --git a/docs/img/robotaccount/view-system-permissions.png b/docs/img/robotaccount/view-system-permissions.png new file mode 100644 index 000000000..d077ab4ab Binary files /dev/null and b/docs/img/robotaccount/view-system-permissions.png differ diff --git a/docs/img/system-robot-account-page.png b/docs/img/system-robot-account-page.png deleted file mode 100644 index cf28e7137..000000000 Binary files a/docs/img/system-robot-account-page.png and /dev/null differ diff --git a/docs/working-with-projects/project-configuration/create-robot-accounts.md b/docs/working-with-projects/project-configuration/create-robot-accounts.md index 37ec9be0b..5de91bbd7 100644 --- a/docs/working-with-projects/project-configuration/create-robot-accounts.md +++ b/docs/working-with-projects/project-configuration/create-robot-accounts.md @@ -5,20 +5,7 @@ weight: 40 Harbor allows you to use a project robot account to automate running operations for a project including, -* List Repository -* Pull Repository -* Push Repository -* Delete Repository -* Read Artifact -* List Artifact -* Delete Artifact -* Create Artifact Label -* Delete Artifact Label -* Create Tag -* Delete Tag -* List Tag -* Create Scan -* Stop Scan +![Project permission candidates](../../../img/robotaccount/project-permission-candidates.png) A project robot account authenticates to your Harbor instance using a secret, allowing you to connect to your Harbor instance through the OCI client or Harbor API to automate tasks. Robot Accounts cannot log in to the Harbor interface. 
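Review bot: In the create-robot-accounts.md hunk, swapping the bulleted permission list for `![Project permission candidates](../../../img/robotaccount/project-permission-candidates.png)` leaves the introductory sentence ending in "for a project including," directly in front of an image, and the permission names no longer exist as text on the page. They cannot be searched or read by a screen reader, and the alt text does not name them. The screenshot will also go stale whenever the permission set changes. Suggest finishing the sentence with a link to the Permission References section, as the later hunk in this file does, and keeping the screenshot only as an illustration.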
@@ -40,9 +27,6 @@ This page lists all available project robot accounts for a project. The table li * The name of the robot account. This is derived from robot account prefix configured for your Harbor instance, the project name, and the name assigned to the robot account when it was created. A robot account name follows the format `+`. If you use the search function on this page, you only need to search for the account name without the prefix. * The enabled status shows if an account is enabled or deactivated. * Click the **Permission(s)** dropdown to view the permissions granted to the robot account. - -![View a project robot account permissions](../../../img/permissions-link.png) - * The created time shows when the robot account was created. * The time until the project robot account expires. This is calculated based on the created time and the expiration time set when creating the project robot account. * The description of the project robot account. 
@@ -56,14 +40,15 @@ You are only able to see project robot accounts from this page. Harbor administr 1. Click **New Robot Account**. 1. Enter a name and an optional description for this robot account. 1. Set expiration time for this robot account, you can also select checkbox **Never Expired** if you want to create a never expiring robot account. -1. Click **Permission(s)** to grant permission to the robot account. You can use the **Select All** and **Unselect All** buttons to quickly add or remove all permissions from a robot account. +1. Go to the next step to grant permissions to the robot account. You can refer to the [**Permission References**](../../administration/robot-accounts/_index.md#permission-references) to assign a combination of the project permissions to this robot account.You can use the **Select All** and **Unselect All** buttons to quickly add or remove all permissions from a robot account. {{< note >}}The **Push Repository** permission must be assigned with the **Pull Repository** permission. You are not able to assign the Push Repository permission by itself. {{< /note >}} - ![Add a robot account](../../../img/add-robot-account-2.png) + ![Add a robot account step 1](../../../img/robotaccount/create-project-robot-step1.png) + ![Add a robot account step 2](../../../img/robotaccount/create-project-robot-step1.png) -1. Click **Add**. +1. Click **FINISH**. 1. In the confirmation window, click **Export to File** to download the access token as a JSON file, or click the clipboard icon to copy its contents to the clipboard. ![copy_robot_account_token](../../../img/copy-robot-account-token.png)
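Review bot: The second screenshot added under the permissions step, `![Add a robot account step 2](../../../img/robotaccount/create-project-robot-step1.png)`, points at the step 1 image again. This patch adds `docs/img/robotaccount/create-project-robot-step2.png`, which looks like the intended target, so the path should end in `create-project-robot-step2.png`. Two smaller points on the rewritten step: there is no space after the full stop in "to this robot account.You can use", and the new link `../../administration/robot-accounts/_index.md#permission-references` uses a source-file path with two `../` segments while the images in the same file climb three (`../../../img/...`). Please confirm the link resolves on the rendered site or switch it to the rendered-URL form used elsewhere.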