B
Funny, okay, hi folks, welcome to join the Harbor community. This is Steven, I'm host for today's meeting. We have a very short agenda for today, and so first a reminder: fundamentals. There are two proposal reviews pending, so please take your time to review those two proposals, and the second item is that for the 1.10 release, we have two demos today and one is from Steven Zou. He...
D
Yeah yeah, you need to still stop.
D
I get it, yep. Okay, I'm gonna share the feature of group support in OIDC authentication. This is, we consider it feature complete. Now it's pretty simple. The background is after we provide the integration support of OIDC, there's a requirement from community users asking us to provide the group support, so that the admin doesn't have to wait for the users to be onboarded to Harbor, but he can just add a group which is configured on the OIDC endpoint as a member, and the members of the group will automatically have the permission of the member or roles in Harbor's project. We were a little bit reluctant to implement this, because this is not part of the OIDC standard, but we have a consistent requirement. So this is our first try to provide this feature in 1.10 and after that we can keep on refining it.
D
Okay, now I mean first, let's look at the configuration. If you use the OIDC in the previous version, you will notice that there is a new attribute added, which is the group claim name, yeah, and this is the claim in the token, or in the ID token, that will return this group list. Later I will give you more description on that, but first, let's focus on the demo. This is a Keycloak endpoint I configured and I set the group claim name as "groups" to make sure the group list is got via this claim, and after that, in the project membership tab, you see, there's the group button is enabled, and after that I can add a group as a member. For example, I can add group one, which is pre-configured in the Keycloak. I will give you more detail later, so it's pretty straightforward. I can assign a role to the group and this group is now a member of this project. Let me sign out, and I can log in via OIDC provider. This will redirect me to the Keycloak. So after I log in you can see that I can see this project, demo OIDC group, as a role Master. If I go to this members tab you'll see the user001 is not part of this. It's not a member of this project, but only the group one. The reason why the user, the other one, can see this group and has a Master role is because the group he belongs to in this OIDC endpoint was added in this project as a member, and next let me give you a little...
A
Hey, really quickly, asked Alex in the spec, if it's possible for us to indicate that this user is member of this group and that's why he has this administrative access. Is that possible? We can add it anywhere. It will be on the top right corner, right, where it says user 001, the, you know, at least, or it would be specific to a project, right. So you know it would be really: how did you get the entitlement to this project, like? What's your membership? Imagine if they have multiple groups here, and maybe a user is a member of multiple groups. You know, it'd be good what entitlement they got. So if we can't get it in 1.10, that's fine, but it'll be good for us to see if it's easy to do or not.
D
Yeah, I can open an issue, and when we log in we definitely can get a list of group names in the token, but I think it's more of a UX design thing. I'll see if you can do that before RC, but I can start this discussion with the designer and yeah, we can try to do that on the UI. Okay, so this is the part of the demo, but I'm gonna... Oh, this is a little hard to... Let me try, okay, so I'm gonna give you a little detail under the hood. So on the reason why the user can see, I mean we can do this group assignment by assigning a role to the user. The other one is because I set this group in the Keycloak and you can see this user, the other one, is part of the group. In addition to that, I've also done some configuration on the OIDC client to make sure this value is added to the ID token and, yeah, after we've done that, we make sure that token claim is "groups", which has to be the same as this set in the OIDC configuration in Harbor. And if we see the decoded token here... So that's how it works under the hood. So the configuration, based on our experience, the configuration on the OIDC side is a little bit tricky. So to verify that you must make sure that the group info is populated correctly in your ID token, with the claim name that is set in your OIDC configuration of Harbor. This is very dependent on different OIDC providers. Currently we have verified attacks and Keycloak and the configuration is a little different, and in this sprint the plan is...
D
I will verify this mechanism works with Auth0 and then, after that, it's the plan for the Harbor 1.10, and there are some limitations due to the fact that this is not part of the OIDC spec. But it's a conventional implementation. When we are adding the group, there is no way to verify the group is existing or not on the OIDC side, so I can add any name for that and, however, there is no way for Harbor to do the checking. So it's possible that when the admin sets a typo in the group's name, the group is not populated correctly. That's a known limitation and I don't think we can make any improvement within the 1.10 timeframe. Done, I don't think he's someone. By the way, the code of OIDC support has been merged to the master. So if you pull the master code or grab the latest build, this is already working.
F
Okay, good, let's move. So in the last community meeting, I have made a demo, part of them, about the pluggable scanner. This is round two of the pluggable scanner. Before we do the live demo, I'd like to quickly go through some background of the pluggable scanner, in case you did not attend the last meeting. This work group is organized by four companies, the Aqua Security, Anchore Security and the VMware, as well as HP. The Aqua and the Anchore are, you know, focused on security and HP is the user of some of the scanners. So this is a full function group. I think last meeting I have shared this overall architecture of the pluggable scanner. If you want to check the details, you can see the pull request in the community repo. I think the most important thing is there will be an adapter service between the Harbor and the scanner provider. So if any scanner provider wants to introduce their scanner into Harbor, you should follow the adapter service OpenAPI. Then the Harbor can identify and recognize the scanner.
F
Okay, actually, the open... The scanner adapter OpenAPI specification is very simple. There are only three endpoints you need to implement, so if you want to introduce a new scanner into Harbor, I think it's very simple work. This adapter is developed by Daniel Pacak from Aqua Security company, and we also, you know, included the original default scanner, Clair. This Clair adapter is also developed by Daniel Pacak from Aqua Security, and after the work is done, this adapter will move into the goharbor namespace, and the third one is the Anchore, yeah, this Anchore scanner adapter developed by Zack from Anchore company and HP team. That's a yellow and magic. This is scanner list. The page only can be accessed by the system admin. So that means the system admin can add some, you know, supported scanner endpoint into this list. So yes, you can see, currently I have added four. Actually, we officially will only focus on the three: Anchore, Clair and the Trivy, and so far the Clair is the default one, and if you wanted to... and you can see, the health is always all okay. So if you want to check more details, that means some, you know, if you wanted to learn the capability of the scanner, you can check the arrow anchor, then we'll retrieve a little more information here, some information about the capability. That means what artifact type the scanner can support to scan and what report the scanner can be, what's information or what type of report the scanner can return. Okay.
F
So, as in this page, you can set a default scanner. What default means here is: if you set the default scanner, for the other projects, if they do not select any project level scanner, they will inherit it. They will inherit this default scanner as their project scanner. I'll show this later. Okay, for example, you can see, actually this project is a newly created project. We do not do any configuration, but you can see there is already a scanner, because currently the system default is going to Clair. So if you do not do any special configuration at the project level, it will inherit the system default scanner. Of course, if you wanted to change the default, switch to another scanner, you know, not the default one, you can just set it. Okay, it's a little slow, so you can see now demo project will use hyper icon, not the default Clair. Okay. So, let's go back to projects, let's see some.
D
I have a question: what if we click scan again when it's scanning?
F
At the same time, only one scan process will be there for the specific digest and the specific scanner. That means for the specified scanner with the specific digest, there will be only one scanning process at the same time. So I think we have got the report, you know, from the Trivy scanner, and if you move over the mouse...
However, there is a pop-up tip to show what we have found in this artifact. You can see we have found five critical, 29 meteor, 17 medium, as the 25, okay. This is the report returned by Trivy. If you wanted to learn more details, just enter the tag page, you can see all the CVEs found by Trivy. There is also the bar chart shown here. Yeah, okay, I think there is something, you know, related with the Clair scanner. This severity is not... so I think there's some, maybe some mistake or some bug in the Clair scanner, where I'll figure out what happened. Okay.
E
Hey, this is Daniel. I might comment on that. Sorry for interrupting, but yeah. This is like "not available". So it's like, you know, some vulnerabilities might be detected by the scanner, whether it's Clair or Trivy, but they have a special, like a reserved status, which basically means they were reported, that being reviewed by the vendor or by someone else who knows the matter, but it doesn't have the severity assigned yet. It's just a, I wouldn't say like additional enumeration for the severity, but something you should be aware of, but you don't really know whether it's a real high, low, medium or whatever severity. It's just there, and I discussed it internally at Aqua and we decided to leave those rather than skipping them, still to be this, yeah.
D
But yeah, thanks, but if you see this diagram a little above, I mean this overview diagram, there is "unknown".
E
Yeah, but this issue, yeah, this is something slightly different. The unknown status from the OpenAPI spec was like, well, we cannot map it for some reasons, whereas this one is something like, you know, uncategorized for me. Maybe we should trigger a discussion on that and elaborate on it. But that's the whole story. It's not black, it's just a tricky case.
F
Okay, I think that's, sorry. Yes, that's the sense of the scanner. You can have multiple scanners, you can select one as a default, and you can also set your specific scanner in your project; that project-level scanner can be different from your default one. So that's the current pluggable scanner of remote support. Okay.
D
Yeah Steve, I have a couple more questions. If you go to the scan results, we see we are now applying the critical, high, medium, low. Is that consistent with the project setting about the pull policy?
D
Yeah, I understood, I just want to point out, I think in that pull policy they are using like high, medium, low, so we should be consistent there. People, I don't think there is, we need to double check. I think I will write up an issue and make sure they are consistent.
D
Yes, and no, because Alex even mentioned there is some change in the data type. Previously we were using integer. Now it's a string and yeah, there needs to be some change in terms of comparing the levels and stuff.
D
Yeah, another comment is on the UI. If you go to the scanners tab... And is that, you know, the final lines of version, or just we also plan to refine this? No guarantee, yeah. I...
F
Okay, I think the meaning of this progress, kind of framework, is, you know, your filter is weak. You know it will be, where it will be very easy to introduce, you know, a new scanner into Harbor to provide the scanning capability. Actually, some local providers have known these pluggable scanners. They are also working on, you know, container image scanning. They have, you know, a big interest in this framework. So that's a good thing. You, okay, that's all the parts, understand about this part. If you guys have no questions, still it.
A
I think Steven left already, so, and we're out of time.