goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Security Hub for non Admins #19309

Closed Lima118 closed 1 year ago

Lima118 commented 1 year ago

Hi!

It would be a useful feature for us if not only Admins could access the Security Hub. Our security team at our company would like to monitor the CVEs in Harbor. Right now our only solution is to give them Developer permission on all Projects to export CVEs and then they make reports out of them.

It would be easier if they could look at the Security Hub and filter the Projects based on Severity. Get a more visual and comprehensive look.

We use LDAP integration. Maybe a suitable solution would be to create a new field for LDAP Group Security DN. Those who are members of the defined group would get access to the Security Hub.

Thanks, Lima

AllForNothing commented 1 year ago

We will expose the permissions of the Security Hub for the system robot accounts on the UI in 2.10.

In 2.9, you can create a system robot account with the below permissions by API call:

{
    "disable": false,
    "duration": -1,
    "editable": true,
    "expires_at": -1,
    "level": "system",
    "name": "somename_modified",
    "permissions": [
        {
            "access": [
                {
                    "resource": "security-hub",
                    "action": "read"
                },
                {
                    "resource": "security-hub",
                    "action": "list"
                }
            ],
            "kind": "system",
            "namespace": "/"
        }
    ]
}

Then you can get the JSON data with this robot account. There is no way to access the Security Hub UI with non-admin accounts.
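As an added example of the automated reporting flow this answer points at (my code, not Harbor's or the commenter's): create the read/list-only system robot with an admin credential, fetch the Security Hub summary as that robot, and rank repositories by severity the way Lima wanted to filter them. The `/api/v2.0/robots` and `/api/v2.0/security/summary` paths and the `dangerous_artifacts`, `critical_cnt` and `high_cnt` field names are taken from the Harbor 2.9 API as I know it; the registry URL and the sample summary are placeholders I constructed, so check the field names against your instance's swagger before relying on them.

```python
import base64
import json
import urllib.request

HARBOR = "https://harbor.example.com"  # placeholder registry URL (assumption)

def robot_payload(name: str) -> dict:
    """POST /api/v2.0/robots body: a system robot limited to reading and listing
    the Security Hub, so the reporting job needs no Developer role on projects."""
    return {
        "name": name, "level": "system", "duration": -1, "disable": False,
        "permissions": [{
            "kind": "system", "namespace": "/",
            "access": [{"resource": "security-hub", "action": "read"},
                       {"resource": "security-hub", "action": "list"}],
        }],
    }

def _call(path: str, auth: str, body=None) -> dict:
    """Basic-auth JSON call; robots authenticate as <robot name>:<secret>."""
    req = urllib.request.Request(HARBOR + path, method="POST" if body else "GET")
    req.add_header("Authorization", "Basic " + base64.b64encode(auth.encode()).decode())
    req.add_header("Content-Type", "application/json")
    data = json.dumps(body).encode() if body is not None else None
    with urllib.request.urlopen(req, data, timeout=30) as resp:
        return json.load(resp)

def create_robot(admin_auth: str, name: str) -> tuple:
    """Returns (full robot name, secret); the secret is only shown in this reply."""
    r = _call("/api/v2.0/robots", admin_auth, robot_payload(name))
    return r["name"], r["secret"]

def fetch_summary(robot_auth: str) -> dict:
    return _call("/api/v2.0/security/summary?with_dangerous_artifact=true", robot_auth)

def worst_artifacts(summary: dict, min_critical: int = 1) -> list:
    """Dangerous artifacts ranked by critical, then high, CVE counts, keeping only
    those with at least min_critical criticals: the 'filter by severity' view."""
    arts = [a for a in summary.get("dangerous_artifacts", [])
            if a.get("critical_cnt", 0) >= min_critical]
    arts.sort(key=lambda a: (a.get("critical_cnt", 0), a.get("high_cnt", 0)), reverse=True)
    return [(a["repository_name"], a.get("critical_cnt", 0), a.get("high_cnt", 0)) for a in arts]

# Constructed sample shaped like a 2.9 /security/summary reply (not real data).
SAMPLE_SUMMARY = {
    "dangerous_artifacts": [
        {"repository_name": "team-a/api", "critical_cnt": 2, "high_cnt": 1},
        {"repository_name": "team-b/web", "critical_cnt": 0, "high_cnt": 6},
        {"repository_name": "team-a/worker", "critical_cnt": 1, "high_cnt": 0},
    ],
}
```

The secret returned by `create_robot` is not retrievable later, so hand it straight to the reporting job's secret store; the robot itself can only read the hub, never pull or push images.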

Lima118 commented 1 year ago

Unfortunate, but understandable. Thank you for the fast reply. Gonna look into the API call, see if we can use it in an automated reporting logic.

Best, Lima

dmaggo commented 2 months ago

Hello, we would appreciate this feature also. Is it planned for a future version? In general it would be nice to have different levels for the administrative view. At least a read-only one, partially.