-
Notifications
You must be signed in to change notification settings - Fork 470
Disable registration/users #179
Comments
This might make sense for large organizations, but for small organizations this can be a bit of a burden. So I feel like it would be a good idea if it's well implemented. I'd make it a configurable option in the
This feature wouldn't make it on the first release most probably, but a bit of discussion won't hurt :) So, @flavio, what do you think about this? |
I agree with you. Let's see what @eotchi thinks about it. |
As a suggestion, this could be essentially achieved with LDAP support #150 - If LDAP is configured, essentially make the Portus user store read-only. Permissions and access is then based off of LDAP group membership. The jabber chat server project openfire handles LDAP and registration toggle in this way. The large organizations out there that would want to disable registration, are most likely going to have LDAP in place. Then you don't need to really re-engineer the sign up process or have a approvals queue. |
In my first comment I said that this configurable option would only be available through the |
@rtrauntvein fair point. This is why I want to think more thoroughly on LDAP support before implementing this feature. Thanks! |
fast solution can be delete line |
This is a feature that I'd like to see for the next stable release. I've come up with the following proposal: There should be the following configurable option for this (the set values would be the defaults): signup:
enabled: true
verify: false
This should be implemented in two steps. First we implement points 1 and 2, which already provide the functionality itself. Lastly we would implement the third point, which can be seen as just a UX workflow on top of the first two points. I'd like to implement the first two points before the 2nd stable release of Portus. The third point can wait, in my opinion. /ping people that have commented on the other issue (#283): @deitch, @vitorarins. |
Hi @mssola, I agree with your points, but I am not a fan of the idea of running a rake task to create users on your first point. A good solution to that would be to have a page to create users inside the Admin area, similar to Gitlab. |
@mssola sounds like a good plan |
@vitorarins I like your idea. I'll do that instead. |
Actually, I like them both. Having a "user management" area of the UI makes sense, but the ability to do so via automation also is powerful. Of course, a Web-based REST API interface is better than a rake task, but whatever is easiest to start. |
@deitch fair enough. I'll do both then. Moreover, I'll also add an option to |
FWIW: Here's how GitLab handles it. They have two options: signup_enabled which en/disables user self-signup, and signin_enabled which controls whether users can sign-in (without LDAP). Enabling LDAP adds another tab on the sign-in page. So this allows you to have some LDAP and some non-LDAP users. That said, I don't know why you would ever have that scenario, but it's something to consider. |
@JonathonReinhart the possibility to mix LDAP users with non-LDAP users was discussed when implementing LDAP support in the very beginning, but it was finally discarded (rightfully I'd say). Therefore:
The |
That sounds good. I actually can't imagine anyone in an enterprise environment would allow non-LDAP sign-in, and especially not self sign-up. |
Thanks to @salzig, the implementation of this feature has started. I'll draw a checklist to track better what's being done:
|
When enabled (default behavior), then any user can access to the signup page. Otherwise, users are not able to enter the signup form. This is ignored in LDAP mode. Note that I've also added the `verify` configurable value. This is supposed to be implemented in the near future, as described in the related issues. See issues SUSE#179 and SUSE#283 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
I've become quite skeptical about the fourth point. The thing is, that if you want to do such a thing, in non-LDAP setups users will just mail the admin and the admin will then create the user. Therefore, I think that the fourth point tries to re-invent the wheel. @flavio What do you think ? |
@mssola I agree with you, let's ignore that. We can alwas resume that later on if we have a valid use case. |
It would be nice to have an option to disable the registration for users and/or to set new users to default inactive. This will give the admin control about who uses the registry.
The text was updated successfully, but these errors were encountered: