Open joshuafernandes opened 3 years ago
I feel with you, no API, no SSO auth. How docker thinks they can justify forcing people to buy subscription if they do not even provide proper tooling to manage users....
I agree. This capability is sorely needed.
Another comment to endorse the need for this feature.
There seem to be public API endpoints for this. I found this by adding myself and removing myself from my org, using + for an additional email, e.g. user+test@example.com, then running dev tools in Chrome.
I'm not sure if this is publicly documented anywhere, so these endpoints could change easily. The only thing I found so far is this: https://docs.docker.com/docker-hub/api/latest/. The naming seems pretty consistent, but since I used my dev tools vs. documentation I wouldn't expect these to last forever.
Here's what I've found:
Method: POST
https://hub.docker.com/v2/orgs/{orgName}/groups/{groupName}/members which accepts '{"member": "{email}"}' as the payload.
Method: GET
https://hub.docker.com/v2/orgs/{orgName}/invitees/
Method: POST
https://hub.docker.com/v2/orgs/{orgName}/invitees/?email={email@example.com}
Method: DELETE
https://hub.docker.com/v2/orgs/{orgName}/invitees/?email={email}
Method: DELETE
Note: Both methods remove a user from an organization
https://hub.docker.com/v2/orgs/{orgName}/groups/{groupName}/members/{dockerUserName}/
https://hub.docker.com/v2/orgs/{orgName}/members/{dockerUserName}/
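#!/bin/bash
# Account, organization and group to operate on
UNAME=""
UPASS=""
ORG=""
DefaultGroup=""
# E-mail address of the user to add to the group
userEmail=""
# Log in and extract the JWT; jq builds the JSON so quotes in the values are escaped
TOKEN=$(curl -s -H "Content-Type: application/json" -X POST -d "$(jq -n --arg u "$UNAME" --arg p "$UPASS" '{username: $u, password: $p}')" https://hub.docker.com/v2/users/login/ | jq -r .token)
# Add the user to the group
json=$(jq -n --arg m "$userEmail" '{member: $m}')
curl -X POST -d "$json" -H 'Content-Type: application/json' -H "Authorization: JWT ${TOKEN}" "https://hub.docker.com/v2/orgs/$ORG/groups/$DefaultGroup/members/"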
special thanks: https://gist.github.com/kizbitz/175be06d0fbbb39bc9bfa6c0cb0d4721
Some of these must of course be url-encoded, so https://hub.docker.com/v2/orgs/{orgName}/{groupName}/invitees/?email=email@example.com wouldn't work, but https://hub.docker.com/v2/orgs/{orgName}/{groupName}/invitees/?email=email%40example.com should.
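The encoding point above, as an added example that is not part of any comment in this thread: a POSIX shell helper that percent-encodes an e-mail address before it goes into the `?email=` query string of the invitees endpoint listed earlier. It also encodes `+`, which query-string parsers commonly decode as a space, so plus-addressed e-mails such as user+test@example.com survive; ASCII input and the org name `example-org` are assumptions.

```shell
#!/bin/sh
# Added example: percent-encode values before building invitee URLs.
# Assumes ASCII input; "example-org" and the addresses are constructed samples.

urlencode() {
    # Keep RFC 3986 unreserved characters, encode every other one as %XX.
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first character
        c=${s%"$rest"}       # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

invitee_url() {
    # $1 = organisation name, $2 = invitee e-mail address
    printf 'https://hub.docker.com/v2/orgs/%s/invitees/?email=%s' \
        "$(urlencode "$1")" "$(urlencode "$2")"
}

# Print the URL only; the request itself is left to the caller.
for addr in email@example.com user+test@example.com; do
    invitee_url example-org "$addr"
    echo
done
```
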
Hello, we are currently in the process of validating this feature and I'm interested in learning more about your use-cases. If you want to drop me a line at nuno.coracao@docker.com I'm happy to jump on a call. @joshuafernandes @carnei-ro @faradayfan @Project0
Hi @nunocoracao, Our main need is being able to export the full list of members of the organisation to see who has access and regular audit processes. Currently having to email support for this .csv export is not ideal. Thanks.
Hello @josh-higgs, thanks for your feedback. We are tracking the export users as a separate feature on https://github.com/docker/roadmap/issues/401 if you want to follow progress there.
Is there a status update on development of this feature? I'm being tasked with evaluating a migration to DockerHub for my company, and it's beginning to look like there is no support outside of the (beta?) SCIM feature for SSO, which is only capable of provisioning and deprovisioning, for:
With the net result looking like a great deal of manual work is needed to support a business of significant size.
We are looking for APIs to grant/revoke access to users/teams. And I can't put enough emphasis on how much these APIs are very critical for using DockerHub at scale in an automated way. As whenever our automation adds a new repo, someone has to manually go to the DockerHub web app and grant access to different teams/users.
I see it's open for more than a year and considering it's in investigation stage right now, can someone give me best case scenario and most likely scenario timelines for these APIs to be available in Production?
@MercedesSteele (and maybe @nunocoracao) I am in the same situation as @raj-patel1. We would need for example an API call to set specific permissions ("Read & Write") to a team for a given private repository (that we could create with the current API).
As a reference, ChatGPT suggested the following ;)
curl -s -H "Authorization: JWT <ACCESS_TOKEN>" https://hub.docker.com/v2/orgs/<DOCKERHUB_ORG>/teams/ | jq -r '.teams[] | select(.name == "<TEAM_NAME>") | .id'
curl -s -H "Authorization: JWT <ACCESS_TOKEN>" -H "Content-Type: application/json" -X PUT -d '{"name": "<TEAM_NAME>", "permission": "write"}' https://hub.docker.com/v2/repositories/<DOCKERHUB_ORG>/<REPO_NAME>/team/$(echo -n "<TEAM_ID>" | base64)/
The /invitees endpoint doesn't seem to be there? Managing team memberships works, as does removing users from an org, but I still don't see a way to programmatically send an invitation to join an org.
@markjreed "Add users" seems to be now the endpoint https://hub.docker.com/v2/invites/bulk with the payload:
{
  "org": "<YOUR_ORG>",
  "team": "",
  "invitees": ["john.doe@example.com"],
  "dry_run": false,
  "role": "member"
}
Tell us about your request
Our organisation (& others I imagine) would like to keep with the new subscription plans, however managing users for any of the lower tiers is going to be a nightmare if it is add/remove one by one.
Another option might be to enable SAML for the Team plan? Our org does not require any of the features of the Business plan but would be nice to have some way to programmatically add users up to 250 users.
Which service(s) is this request for?
Docker for Desktop
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Managing 250 user licenses is not going to be a pleasant experience and would be nice to have a programmatic API to do this. SAML is great but the price for a Business user cannot really be justified.
Are you currently working around the issue?
None available