docker / roadmap

Welcome to the Public Roadmap for All Things Docker! We welcome your ideas.
https://github.com/orgs/docker/projects/51
Creative Commons Zero v1.0 Universal

API for managing Teams and Users #261

Open joshuafernandes opened 3 years ago

joshuafernandes commented 3 years ago

Tell us about your request Our organisation (& others, I imagine) would like to keep with the new subscription plans; however, managing users for any of the lower tiers is going to be a nightmare if it is add/remove one by one.

Another option might be to enable SAML for the Team plan? Our org does not require any of the features of the Business plan, but it would be nice to have some way to programmatically add up to 250 users.

Which service(s) is this request for? Docker for Desktop

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? Managing 250 user licenses is not going to be a pleasant experience, and it would be nice to have a programmatic API to do this. SAML is great, but the price for a Business user cannot really be justified.

Are you currently working around the issue? None available

project0 commented 2 years ago

I feel with you, no API, no SSO auth. How does Docker think they can justify forcing people to buy a subscription if they do not even provide proper tooling to manage users....

faradayfan commented 2 years ago

I agree. This capability is sorely needed.

carnei-ro commented 2 years ago

Another comment to endorse the need for this feature.

jeremyhager commented 2 years ago

There seem to be public API endpoints for this. I found this by adding myself to and removing myself from my org, using + for an additional email, e.g. user+test@example.com, then running dev tools in Chrome.

I'm not sure if this is publicly documented anywhere, so these endpoints could change easily. The only thing I found so far is this: https://docs.docker.com/docker-hub/api/latest/. The naming seems pretty consistent, but since I used my dev tools rather than documentation, I wouldn't expect these to last forever.

Here's what I've found:

Add users:

Method: POST https://hub.docker.com/v2/orgs/{orgName}/groups/{groupName}/members which accepts '{"member": "{email}"}' as the payload.

Get invitees here:

Method: GET https://hub.docker.com/v2/orgs/{orgName}/invitees/

Resend invite

Method POST https://hub.docker.com/v2/orgs/{orgName}/invitees/?email={email@example.com}

Delete invitees:

Method: DELETE https://hub.docker.com/v2/orgs/{orgName}/invitees/?email={email}

Delete users:

Method: DELETE

Note: Both methods remove a user from an organization.

Via group member endpoint:

https://hub.docker.com/v2/orgs/{orgName}/groups/{groupName}/members/{dockerUserName}/

Via org member endpoint:

https://hub.docker.com/v2/orgs/{orgName}/members/{dockerUserName}/

Example setup:

#!/bin/bash
# Fill these in before running (the script does nothing useful with them empty)
UNAME=""          # Docker Hub username
UPASS=""          # Docker Hub password (or personal access token)
ORG=""            # organization name
DefaultGroup=""   # team/group to add the user to
userEmail=""      # email address of the user to add (was unset in the original)

# Log in and pull the JWT out of the response
TOKEN=$(curl -s -H "Content-Type: application/json" -X POST \
  -d '{"username": "'"${UNAME}"'", "password": "'"${UPASS}"'"}' \
  https://hub.docker.com/v2/users/login/ | jq -r .token)

# Add the user to the group by email
json='{"member": "'"${userEmail}"'"}'
curl -X POST -d "$json" -H 'Content-Type: application/json' \
  -H "Authorization: JWT ${TOKEN}" \
  "https://hub.docker.com/v2/orgs/${ORG}/groups/${DefaultGroup}/members/"

special thanks: https://gist.github.com/kizbitz/175be06d0fbbb39bc9bfa6c0cb0d4721

Note:

Some of these must of course be URL-encoded, so https://hub.docker.com/v2/orgs/{orgName}/{groupName}/invitees/?email=email@example.com wouldn't work, but https://hub.docker.com/v2/orgs/{orgName}/{groupName}/invitees/?email=email%40example.com should.

nunocoracao commented 2 years ago

Hello, we are currently in the process of validating this feature and I'm interested in learning more about your use-cases. If you want to drop me a line at nuno.coracao@docker.com I'm happy to jump on a call. @joshuafernandes @carnei-ro @faradayfan @Project0

josh-higgs commented 2 years ago

Hi @nunocoracao, Our main need is being able to export the full list of members of the organisation to see who has access and regular audit processes. Currently having to email support for this .csv export is not ideal. Thanks.

nunocoracao commented 2 years ago

Hello @josh-higgs, thanks for your feedback. We are tracking the export users as a separate feature on https://github.com/docker/roadmap/issues/401 if you want to follow progress there.

ShrikeBTR commented 1 year ago

Is there a status update on development of this feature? I'm being tasked with evaluating a migration to DockerHub for my company, and it's beginning to look like there is no support outside of the (beta?) SCIM feature for SSO, which is only capable of provisioning and deprovisioning, for:

With the net result looking like a great deal of manual work is needed to support a business of significant size.

raj-patel1 commented 1 year ago

We are looking for APIs to grant/revoke access to users/teams. And I can't put enough emphasis on how critical these APIs are for using DockerHub at scale in an automated way. Whenever our automation adds a new repo, someone has to manually go to the DockerHub web app and grant access to different teams/users.

I see it's been open for more than a year, and considering it's in the investigation stage right now, can someone give me best-case and most-likely timelines for these APIs to be available in production?

neurorepro commented 1 year ago

@MercedesSteele (and maybe @nunocoracao) I am in the same situation as @raj-patel1 . We would need for example an API call to set specific permissions ("Read & Write") to a team for a given private repository (that we could create with the current API).

As a reference, ChatGPT suggested the following ;)

  1. Get the team id from the team name:
     curl -s -H "Authorization: JWT <ACCESS_TOKEN>" https://hub.docker.com/v2/orgs/<DOCKERHUB_ORG>/teams/ | jq -r '.teams[] | select(.name == "<TEAM_NAME>") | .id'
  2. Add write permissions for the team with that id:
     curl -s -H "Authorization: JWT <ACCESS_TOKEN>" -H "Content-Type: application/json" -X PUT -d '{"name": "<TEAM_NAME>", "permission": "write"}' https://hub.docker.com/v2/repositories/<DOCKERHUB_ORG>/<REPO_NAME>/team/$(echo -n "<TEAM_ID>" | base64)/

markjreed commented 1 year ago

The /invitees endpoint doesn't seem to be there? Managing team memberships works, as does removing users from an org, but I still don't see a way to programmatically send an invitation to join an org.

dirsigler commented 9 months ago

@markjreed "Add users" seems to be now the endpoint https://hub.docker.com/v2/invites/bulk with the payload:

{
  "org": "<YOUR_ORG>",
  "team": "",
  "invitees": ["john.doe@example.com"],
  "dry_run": false,
  "role": "member"
}
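Added example, not code from the thread or from Docker: a small Python client for the invitee, member and bulk-invite endpoints quoted in jeremyhager's and dirsigler's comments above. Endpoint paths and payload shapes come from those comments; the `HubOrgClient` and `RecordingTransport` names and the injectable transport interface are assumptions, and the endpoints themselves are undocumented and may change.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

HUB = "https://hub.docker.com/v2"

def urllib_transport(method, url, headers, body):
    """Real HTTP transport; returns (status, response_text)."""
    req = Request(url, data=body.encode() if body else None,
                  headers=headers, method=method)
    with urlopen(req) as resp:  # HTTPError propagates on 4xx/5xx
        return resp.getcode(), resp.read().decode()

class HubOrgClient:
    """Org-membership calls quoted in the thread. `transport` is injectable
    so request shapes can be checked offline before any real call is made."""
    def __init__(self, org, token, transport=urllib_transport):
        self.org, self.token, self.transport = org, token, transport

    def _call(self, method, path, payload=None):
        headers = {"Authorization": f"JWT {self.token}",
                   "Content-Type": "application/json"}
        body = json.dumps(payload) if payload is not None else None
        return self.transport(method, HUB + path, headers, body)

    def list_invitees(self):
        return self._call("GET", f"/orgs/{self.org}/invitees/")

    def delete_invitee(self, email):
        # The thread's note: the email must be URL-encoded ("@" -> "%40"); safe=""
        # also encodes "+" (user+test@...), which a query string would read as a space.
        encoded = quote(email, safe="")
        return self._call("DELETE", f"/orgs/{self.org}/invitees/?email={encoded}")

    def remove_member(self, username):
        return self._call("DELETE", f"/orgs/{self.org}/members/{username}/")

    def bulk_invite(self, emails, team="", role="member", dry_run=True):
        # dry_run defaults to True: validate the list before any invite is sent.
        payload = {"org": self.org, "team": team, "invitees": list(emails),
                   "dry_run": dry_run, "role": role}
        return self._call("POST", "/invites/bulk", payload)

class RecordingTransport:
    """Offline stand-in for urllib_transport: records (method, url, payload)."""
    def __init__(self):
        self.calls = []
    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, json.loads(body) if body else None))
        return 200, "{}"  # canned success response (constructed)
```

Run it against `RecordingTransport` first to confirm the exact URLs and payloads your automation will send, then swap in `urllib_transport` with a real token.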