Closed michmike closed 4 years ago
Why limit CLI secrets to OIDC contexts? Passwords from LDAP are sensitive, and as such a breach of a password from Docker login credentials would require the user to change their LDAP password, which may be valid for a wider range of services. Allowing CLI secrets for LDAP contexts as well would restrict the scope of the credentials being used to LDAP and thus be more secure in preventing lateral movement.
cc @xaleeks for feature review
@xaleeks It seems the comment https://github.com/goharbor/harbor/issues/7932#issuecomment-505011118 justifies another issue?
I'm assuming this issue only tracks the CLI secret for OIDC.
Created https://github.com/goharbor/harbor/issues/9577 to track the doc update, so removing doc-impact from this one.
Closing as this is delivered in the master branch.
In an OIDC scenario, allow a user to create and submit their own CLI secret. This is useful if you have multiple Harbor instances and you want to share the same users across them. The Harbor instances may be geographically distributed and behind a load balancer. If a failover occurs, the user can re-authenticate with Harbor using the exact same credentials.

Requirements
JPMC has scenarios around load balancing and I think this may solve their issues.