
API for managing Teams and Users

Open joshuafernandes opened this issue 4 years ago • 13 comments

Tell us about your request

Our organisation (& others I imagine) would like to keep with the new subscription plans, however managing users for any of the lower tiers is going to be a nightmare if it is add/remove one by one.

Another option might be to enable SAML for the Team plan? Our org does not require any of the features of the Business plan but it would be nice to have some way to programmatically add users up to 250 users.

Which service(s) is this request for?

Docker for Desktop

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

Managing 250 user licenses is not going to be a pleasant experience and it would be nice to have a programmatic API to do this. SAML is great but the price for a Business user cannot really be justified.

Are you currently working around the issue?

None available

joshuafernandes avatar Sep 15 '21 03:09 joshuafernandes

I feel with you, no API, no SSO auth. How docker thinks they can justify forcing people to buy subscription if they do not even provide proper tooling to manage users....

project0 avatar Nov 30 '21 10:11 project0

I agree. This capability is sorely needed.

faradayfan avatar Jan 21 '22 00:01 faradayfan

Another comment to endorse the need for this feature.

carnei-ro avatar Jan 26 '22 16:01 carnei-ro

There seem to be public API endpoints for this. I found this by adding myself and removing myself from my org, using + for an additional email, e.g. [email protected], then running dev tools in Chrome.

I'm not sure if this is publicly documented anywhere, so these endpoints could change easily. The only thing I found so far is this: https://docs.docker.com/docker-hub/api/latest/. The naming seems pretty consistent, but since I used my dev tools vs. documentation I wouldn't expect these to last forever.

Here's what I've found:

Add users:

Method: POST https://hub.docker.com/v2/orgs/{orgName}/groups/{groupName}/members which accepts '{"member": "{email}"}' as the payload.

Get invitees here:

Method: GET https://hub.docker.com/v2/orgs/{orgName}/invitees/

Resend invite

Method: POST https://hub.docker.com/v2/orgs/{orgName}/invitees/?email={[email protected]}

Delete invitees:

Method: DELETE https://hub.docker.com/v2/orgs/{orgName}/invitees/?email={email}

Delete users:

Method: DELETE

Note: Both methods remove a user from an organization

Via group member endpoint

https://hub.docker.com/v2/orgs/{orgName}/groups/{groupName}/members/{dockerUserName}/

Via org member endpoint

https://hub.docker.com/v2/orgs/{orgName}/members/{dockerUserName}/

Example setup:

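#!/bin/bash
# Fill these in before running.
UNAME=""
UPASS=""
ORG=""
DefaultGroup=""
userEmail=""   # email address of the user to add

# Log in and extract the JWT; jq builds the JSON so special characters in the credentials are escaped.
TOKEN=$(curl -s -H "Content-Type: application/json" -X POST -d "$(jq -n --arg u "$UNAME" --arg p "$UPASS" '{username: $u, password: $p}')" https://hub.docker.com/v2/users/login/ | jq -r .token)

# Add the user to the group.
json=$(jq -n --arg m "$userEmail" '{member: $m}')
curl -X POST -d "$json" -H 'Content-Type: application/json' -H "Authorization: JWT ${TOKEN}" "https://hub.docker.com/v2/orgs/$ORG/groups/$DefaultGroup/members/"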

special thanks: https://gist.github.com/kizbitz/175be06d0fbbb39bc9bfa6c0cb0d4721

Note:

Some of these must of course be url-encoded, so https://hub.docker.com/v2/orgs/{orgName}/{groupName}/invitees/[email protected] wouldn't work, but https://hub.docker.com/v2/orgs/{orgName}/{groupName}/invitees/?email=email%40example.com should

jeremyhager avatar Apr 14 '22 23:04 jeremyhager
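
The URL-encoding note in the comment above, as an added example that is not part of the original thread or Docker's own code: it builds, without sending, the invitee and add-member requests using the endpoint paths quoted in that comment (undocumented and unverified here), encoding the email so that `@` and a plus-address `+` survive the query string. Function names and sample values are made up for illustration.

```python
import json
from urllib.parse import quote
from urllib.request import Request

BASE = "https://hub.docker.com/v2"  # base URL as quoted in the comment above


def _seg(value: str) -> str:
    """Percent-encode one path segment so '/', '?' or '#' cannot alter the route."""
    return quote(value, safe="")


def invitee_request(method: str, org: str, email: str, token: str) -> Request:
    """Build (not send) a resend (POST) or delete (DELETE) call for an invitee.

    The email travels in the query string, so '@' becomes %40 and '+' becomes
    %2B; an unencoded '+' would be decoded by the server as a space.
    """
    if method not in ("POST", "DELETE"):
        raise ValueError("method must be POST or DELETE")
    url = f"{BASE}/orgs/{_seg(org)}/invitees/?email={quote(email, safe='')}"
    return Request(url, method=method, headers={"Authorization": f"JWT {token}"})


def add_member_request(org: str, group: str, email: str, token: str) -> Request:
    """Build (not send) the POST that adds a member to a group.

    json.dumps escapes quotes and backslashes, unlike shell string splicing.
    """
    url = f"{BASE}/orgs/{_seg(org)}/groups/{_seg(group)}/members/"
    body = json.dumps({"member": email}).encode()
    headers = {"Authorization": f"JWT {token}", "Content-Type": "application/json"}
    return Request(url, data=body, method="POST", headers=headers)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = invitee_request("DELETE", "exampleorg", "jane+test@example.com", "PLACEHOLDER")
    print(req.get_method(), req.full_url)
    req = add_member_request("exampleorg", "dev team", 'a"b@example.com', "PLACEHOLDER")
    print(req.get_method(), req.full_url, req.data.decode())
```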

Hello, we are currently in the process of validating this feature and I'm interested in learning more about your use-cases. If you want to drop me a line at [email protected] I'm happy to jump on a call. @joshuafernandes @carnei-ro @faradayfan @Project0

nunocoracao avatar Jun 29 '22 15:06 nunocoracao

Hi @nunocoracao, Our main need is being able to export the full list of members of the organisation to see who has access and regular audit processes. Currently having to email support for this .csv export is not ideal. Thanks.

josh-higgs avatar Aug 18 '22 08:08 josh-higgs

Hello @josh-higgs, thanks for your feedback. We are tracking the export users as a separate feature on https://github.com/docker/roadmap/issues/401 if you want to follow progress there.

nunocoracao avatar Aug 19 '22 10:08 nunocoracao

Is there a status update on development of this feature? I'm being tasked with evaluating a migration to DockerHub for my company, and it's beginning to look like there is no support outside of the (beta?) SCIM feature for SSO, which is only capable of provisioning and deprovisioning, for:

  • API based management of users - either accessing lists of current users for audit purposes, adding new users, removing existing.
  • Any management of "Teams" - creating, removing, changing permissions, or modifying membership

With the net result looking like a great deal of manual work is needed to support a business of significant size.

ShrikeBTR avatar Dec 07 '22 15:12 ShrikeBTR

We are looking for APIs to grant/revoke access to users/teams. And I can't put enough emphasis on how much these APIs are very critical for using DockerHub at scale in an automated way. As whenever our automation adds a new repo, someone has to manually go to the DockerHub web app and grant access to different teams/users.

I see it's open for more than a year and considering it's in investigation stage right now, can someone give me best case scenario and most likely scenario timelines for these APIs to be available in Production?

raj-patel1 avatar Dec 20 '22 22:12 raj-patel1

@MercedesSteele (and maybe @nunocoracao) I am in the same situation as @raj-patel1. We would need for example an API call to set specific permissions ("Read & Write") to a team for a given private repository (that we could create with the current API).

As a reference, ChatGPT suggested the following ;)

  1. Get the team id from the team name

curl -s -H "Authorization: JWT <ACCESS_TOKEN>" https://hub.docker.com/v2/orgs/<DOCKERHUB_ORG>/teams/ | jq -r '.teams[] | select(.name == "<TEAM_NAME>") | .id'

  2. Add write permissions for the team with that id

curl -s -H "Authorization: JWT <ACCESS_TOKEN>" -H "Content-Type: application/json" -X PUT -d '{"name": "<TEAM_NAME>", "permission": "write"}' https://hub.docker.com/v2/repositories/<DOCKERHUB_ORG>/<REPO_NAME>/team/$(echo -n "<TEAM_ID>" | base64)/

neurorepro avatar Apr 20 '23 14:04 neurorepro

The /invitees endpoint doesn't seem to be there? Managing team memberships works, as does removing users from an org, but I still don't see a way to programmatically send an invitation to join an org.

markjreed avatar May 04 '23 19:05 markjreed

@markjreed "Add users" seems to be now the endpoint https://hub.docker.com/v2/invites/bulk with the payload:

{
  "org": "<YOUR_ORG>",
  "team": "",
  "invitees": ["[email protected]"],
  "dry_run": false,
  "role": "member"
}

dirsigler avatar Jan 12 '24 13:01 dirsigler

@markjreed "Add users" seems to be now the endpoint https://hub.docker.com/v2/invites/bulk with the payload:

{ "org": "<YOUR_ORG>", "team": "", "invitees": ["[email protected]"], "dry_run": false, "role": "member" }

Is this working now? I couldn't find any documentation for the api endpoint you are mentioning here.

@docker-roadmap please provide an update on this issue.

ohofherr avatar Feb 21 '25 10:02 ohofherr