
Proposal: Personal Access Tokens (PAT) #287

Open

rossigee wants to merge 3 commits into goharbor:main from rossigee:proposal/personal-access-tokens

Conversation

@rossigee


Summary

Proposes Personal Access Tokens (PAT) as a modern, self-service authentication mechanism for Harbor. PATs provide named, time-limited credentials with audit trails, enabling secure CI/CD integration and programmatic access.

Features

  • Self-service token management: Users create, list, update, and delete their own tokens
  • Time-limited credentials: Configurable expiration (days or never-expire)
  • Audit trail: Track token creation, updates, and usage via last_used_at
  • Scoped permissions: Project-level scope enforcement
  • Secure hashing: PBKDF2-SHA256 with per-token salt
  • Backward compatible: Automatic migration of legacy OIDC CLI secrets

Related Work

  • Implementation PR: goharbor/harbor#23370
  • Token format: hbr_pat_ + 32-character random secret
  • Replaces legacy CLI token system with modern alternatives
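The token format, per-token PBKDF2-SHA256 hashing, configurable expiration and last_used_at tracking listed in the summary, worked through as an added illustration that is neither Harbor's code nor the linked PR's. The hbr_pat_ prefix and 32-character secret follow the page; the salt length, iteration count, alphabet, record layout and function names are assumptions.

```python
"""Added example: PAT lifecycle modelled on the proposal's description (not Harbor's code)."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PREFIX = "hbr_pat_"                              # token prefix from the proposal
SECRET_LEN = 32                                  # 32-character random secret from the proposal
ALPHABET = string.ascii_letters + string.digits  # assumed alphabet for the secret
ITERATIONS = 600_000                             # assumed; the page states no iteration count


@dataclass
class StoredToken:
    """Server-side record: salt and PBKDF2-SHA256 digest only, never the secret itself."""
    name: str
    salt: bytes
    digest: bytes
    expires_at: Optional[datetime]          # None models the "never-expire" option
    last_used_at: Optional[datetime] = None  # audit trail field from the proposal


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def generate(name: str, expires_in_days: Optional[int], now: datetime) -> tuple[str, StoredToken]:
    """Return the plaintext token (shown to the user once) and the record to persist."""
    secret = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    salt = os.urandom(16)  # per-token salt: identical secrets never share a digest
    expires = now + timedelta(days=expires_in_days) if expires_in_days is not None else None
    return PREFIX + secret, StoredToken(name, salt, _derive(secret, salt), expires)


def verify(stored: StoredToken, presented: str, now: datetime) -> bool:
    """Check a presented token (prefix, length, expiry, constant-time digest compare)."""
    if not presented.startswith(PREFIX) or len(presented) != len(PREFIX) + SECRET_LEN:
        return False
    if stored.expires_at is not None and now >= stored.expires_at:
        return False
    if not hmac.compare_digest(_derive(presented[len(PREFIX):], stored.salt), stored.digest):
        return False
    stored.last_used_at = now  # usage is recorded only on successful authentication
    return True
```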

@rossigee rossigee requested review from a team as code owners June 29, 2026 09:28
rossigee added 3 commits June 29, 2026 16:31
Comprehensive proposal documenting the completed PAT implementation:
- Self-service token management for Harbor users
- Time-limited credentials with configurable expiration
- Token prefix system (hbr_pat_) for identification
- REST API endpoints for CRUD operations and refresh
- Harbor UI dashboard for token management
- Audit trail integration for compliance
- Backward compatibility with legacy CLI tokens
- Full test coverage (12/12 E2E tests passing)

Implementation PR: goharbor/harbor#23370

Signed-off-by: Ross Golder <ross@golder.org>

- Change status from COMPLETED to IN REVIEW
- Update hashing algorithm: SHA256 → PBKDF2-SHA256 (more secure, matches PR)
- Clarify token format: 32-character random secret
- Explicitly reference OIDC CLI secret auto-migration on startup
- Update implementation section headers to reflect IN REVIEW status

Signed-off-by: Ross Golder <ross@golder.org>

- Use standard Discussion field linking to GitHub PR
- Remove non-standard Status/Implementation PR fields
- Condense to template format while preserving implementation details
- Move detailed technical specs to Implementation and References sections
- Follow Harbor community proposal conventions

Signed-off-by: Ross Golder <ross@golder.org>
@rossigee rossigee force-pushed the proposal/personal-access-tokens branch from 7acc79a to eab6197 on June 29, 2026 09:31