Make it possible to disable all "public" functionality

[zimmski]

If someone is using Harbor as a private registry only, no public projects/images, there are still multiple things that are not secure by default because they are publicly available or easy to misconfigure.

Therefore, my proposal aims at making Harbor "secure by default" in the sense of disabling as much as possible for public access by default and allowing administrators to enable/disable certain features. I guess it would make sense to split these tasks into multiple issues, but I want to first start a discussion on what could be done, because I am sure I overlooked things. If these items are OK for the maintainers I offer that we (https://symflower.com) could also implement in time some of them if necessary but we want to make sure that upstream is OK with it first.

Currently the following things should be disabled by default for the public facing login:

• Make the whole Harbor instance non-public by default. There should be an option that enables "public" features, e.g. if this is enabled a user can create "public" projects but if it not enabled the option "public" does simply not exist for the whole instance.
• Disable the search-functionality and make it an option to enable it. Currently I can search and keep the database/application busy without a logged in account. In case someone misconfigured a project an attacker could also easily find images to pull. I am sure that there are Harbor instances out there where I can do that.
• Remove the default "library" project. It is public by default. Let the first-time-install-administrator add its own projects and not forget to "delete library.
• Disable information about Harbor for the public facing pages: Remove the "About" page for public access. It should be not that easy to find the version of an instance. Also the "More info..." link is unnecessary.

[jan-from-meiro]

@zimmski besides it's not by default is there even any way to disable these without a necessity of building it from source?

[zimmski]

@xaleeks We are still willing to work on these items. Please let me know what you want to do and how to move forwad. I want to avoid creating PRs that are then not accepted that force us to do a fork. I know these situations all too well and i know how busy maintainers are (if you look at my profile you can see that i have the same problem right now).

@jan-from-meiro no. That is exactly the problem.

[thechubbypanda]

I'd like to bump this. An outward facing, unauthenticated search field is a huge attack surface.

[slushysnowman]

Yeah this is a pretty big thing and really needs to be addressed, basically at the moment you can't guarantee as someone running Harbor that everything is private and secure. If a user misconfigures their project, or clicks on 'public' accidentally, then suddenly their images can be pulled by the entire world.

The documentation is also very misleading on what a 'Public' project is:
Public: Any user can pull images from this project. This is a convenient way for you to share repositories with others.

Saying 'user' here implies an onboarded user of Harbor, not any random person on the internet, which seems to actually be the case. This should be corrected to highlight that this allows images to be pulled by anyone.

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[slushysnowman]

This should definitely not be stale, this is 100% still relevant - anyone wanting to run Harbor as a private registry should be concerned about the fact that project admins can set their project public by themselves, with no override possible.

You can say that a solution is to not give out project admin permission - yes, but then a lot of the key features and self-service stuff, like robot account creation is lost. So that's not a solution IMO.

[qnetter]

I agree this is an important idea. It will almost definitely not fit in 2.7, but if anyone wants to work on it and change that, please volunteer.

[petterroea]

I also want this. I am using Harbor as a private repo for images I do not want publically(why would i host my own images if they are public, there are plenty of free hosting alternatives out there for public images).

A switch to completely disable all unauthenticated access would be great. I am an idiot and I will make mistakes. I want to idiotproof my registry for myself.

[Tonkari]

We also need this. We run Harbor for users that should not be allowed to create public repositories. While we have told everyone, we need to enforce this somehow. currently we run a script that sets all projects to private every minute.