Is your feature request related to a problem? Please describe.
Yes, there is currently no dedicated role in Harbor that provides read-only access to all projects and repositories, both private and public. This limitation poses challenges in scenarios where accounts need to scan images without the risk of altering them, potentially affecting the integrity of the data during security assessments.
Robot accounts seem to work, but since they are local accounts, they will not pass security team standards at enterprises. Ideally only AD/LDAP accounts should be used for everything and the role should be such that it can be assigned to any AD/LDAP account that can be managed.
Describe the solution you'd like
I would like Harbor to introduce a new role that grants read-only access across all projects and repositories. This role should enable accounts to perform image scans without any permissions to modify, delete, or alter the images in any way.
Describe the main design/architecture of your solution
The solution involves creating a new user role within Harbor's existing role management framework. This role would have global read-only permissions enforced at the database access layer, ensuring that it can view but not modify any project or repository content. Diagrammatic representations could illustrate the permission checks within the system architecture.
Additional context
This feature would greatly enhance Harbor's usability in environments that require strict compliance and audit capabilities without compromising the security or integrity of the container images stored within the registry.
There seems to be no way to specify a non-local robot account - like an LDAP/AD account. Local accounts can become a hurdle for security teams. Updated in the original description.