Skip to content

Proposal: Probe-Based Authentication Dispatch#288

Open
rossigee wants to merge 5 commits into
goharbor:mainfrom
rossigee:proposal/probe-based-auth-dispatch
Open

Proposal: Probe-Based Authentication Dispatch#288
rossigee wants to merge 5 commits into
goharbor:mainfrom
rossigee:proposal/probe-based-auth-dispatch

Conversation

@rossigee

Copy link
Copy Markdown

Summary

Proposes replacing Harbor's single-backend auth_mode configuration with a flexible per-backend matching system. Fixes critical production issues: admin lockout when OIDC provider is unavailable, security vulnerability with locked users, and registry proxy bypassing per-user permissions.

Problems Solved

  1. Admin lockout in OIDC mode — If OIDC provider fails, admin access is completely lost with no fallback to database auth
  2. Security bug: locked users authenticate as nil — Locked accounts bypass authorization checks
  3. Registry proxy ignores user credentials — Per-user permissions are bypassed; all requests proxied as service account
  4. HTTP Auth Proxy mode broken — Configuration option exists but is non-functional

Solution

  • Per-backend Match() interface for flexible dispatch
  • OIDC mode + database fallback (admin always accessible)
  • Probe-based registry auth detection (Bearer or Basic)
  • User credential passthrough with per-scope token caching
  • Secure handling of locked users

Related Work

  • Implementation PR: goharbor/harbor#23458
  • Related issues: #1572, #13372, #21300, #7965, #7964, #21853
  • Organized into 16 commits across 3 logical units in Harbor PR

Backward Compatibility

✅ All existing auth_mode values continue to work
✅ No configuration changes required
✅ No database migrations needed
✅ Additive security and reliability improvements

rossigee added 5 commits June 29, 2026 16:31
Comprehensive proposal documenting the completed PAT implementation:
- Self-service token management for Harbor users
- Time-limited credentials with configurable expiration
- Token prefix system (hbr_pat_) for identification
- REST API endpoints for CRUD operations and refresh
- Harbor UI dashboard for token management
- Audit trail integration for compliance
- Backward compatibility with legacy CLI tokens
- Full test coverage (12/12 E2E tests passing)

Implementation PR: goharbor/harbor#23370

Signed-off-by: Ross Golder <ross@golder.org>
Proposes refactoring Harbor's authentication system from single global auth_mode
to flexible per-backend matching. Fixes critical issues:

- Admin lockout when OIDC provider is unavailable
- Security vulnerability: locked users authenticate as nil
- Registry proxy bypasses per-user permissions
- HTTP Auth Proxy mode non-functional

Enables fallback authentication paths while maintaining backward compatibility.

PR: goharbor/harbor#23458
Signed-off-by: Ross Golder <ross@golder.org>
- Use standard Discussion field linking to related GitHub issues
- Remove non-standard Status/Implementation PR fields
- Condense to template format while preserving implementation details
- Move detailed technical specs to Implementation and References sections
- Follow Harbor community proposal conventions

Signed-off-by: Ross Golder <ross@golder.org>
This file belongs on the personal-access-tokens branch only.
The probe-based-auth-dispatch branch should contain only auth dispatch proposal changes.

Signed-off-by: Ross Golder <ross@golder.org>
@rossigee rossigee force-pushed the proposal/probe-based-auth-dispatch branch from 3df9d09 to 7b28e4e Compare June 29, 2026 09:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants