Missing access to /retentions for Robot Accounts #16862

Open
keskad opened this issue May 16, 2022 · 6 comments
Labels
area/robot-account kind/requirement New feature or idea on top of harbor

Comments

@keskad

keskad commented May 16, 2022

Hi, I was trying to use a system RobotAccount that would be able to manage Retention Policies without luck, getting 403 errors.
To work around this issue I used an OIDC account and passed a CSRF token; it is a tricky and very dirty workaround.

Question: Is there any undocumented permission that needs to be assigned to RobotAccount that I could be missing?

If there is no such permission, then I'm submitting a feature request here :)

Version: Harbor v2.4.0

Thanks :)

@wy65701436 wy65701436 added area/robot-account kind/requirement New feature or idea on top of harbor labels May 23, 2022
@wy65701436
Contributor

Please refer to #14145 (comment)

@github-actions

github-actions bot commented Jul 5, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Jul 5, 2022
@keskad
Author

keskad commented Jul 6, 2022

Hi @wy65701436

I just checked it again and I get an UNAUTHORIZED error instead of FORBIDDEN, whatever I set as permissions.

Here is what I have tried:

  • Setting all permissions on system-level RobotAccount
  • Setting all permissions on project-level RobotAccount

Is this a bug or intended behavior that RobotAccount cannot edit retentions?

@github-actions github-actions bot removed the Stale label Jul 6, 2022
@wy65701436
Contributor

Please share the payload when you try to create a robot.

@tj-macdonald

I'm on Harbor v2.7.1 and am having the same issues. I've tried to give * permissions to both system and projects for testing and still get a forbidden response. I've tried other endpoints and have had no issues, but all /retentions endpoints except metadatas return forbidden.

The robot account payload is below

{
  "creation_time": "2023-05-09T13:46:02.333Z",
  "disable": false,
  "duration": 90,
  "editable": true,
  "expires_at": 1691415962,
  "id": 64,
  "level": "system",
  "name": "robot-robot-test-2",
  "permissions": [
    {
      "kind": "project",
      "namespace": "*",
      "access": [
        {
          "resource": "repository",
          "action": "list"
        },
        {
          "resource": "repository",
          "action": "pull"
        },
        {
          "resource": "repository",
          "action": "push"
        },
        {
          "resource": "repository",
          "action": "delete"
        },
        {
          "resource": "artifact",
          "action": "read"
        },
        {
          "resource": "artifact",
          "action": "list"
        },
        {
          "resource": "artifact",
          "action": "delete"
        },
        {
          "resource": "artifact-label",
          "action": "create"
        },
        {
          "resource": "artifact-label",
          "action": "delete"
        },
        {
          "resource": "tag",
          "action": "create"
        },
        {
          "resource": "tag",
          "action": "delete"
        },
        {
          "resource": "tag",
          "action": "list"
        },
        {
          "resource": "scan",
          "action": "create"
        },
        {
          "resource": "scan",
          "action": "stop"
        },
        {
          "resource": "helm-chart",
          "action": "read"
        },
        {
          "resource": "helm-chart-version",
          "action": "create"
        },
        {
          "resource": "helm-chart-version",
          "action": "delete"
        },
        {
          "resource": "helm-chart-version-label",
          "action": "create"
        },
        {
          "resource": "helm-chart-version-label",
          "action": "delete"
        },
        {
          "resource":"*",
          "action":"*"
        }
      ]
    },
    {
      "kind":"system",
      "namespace":"*",
      "access":[
        {
          "resource":"*",
          "action":"*"
        }
      ]
    }
  ],
  "update_time": "2023-05-11T20:02:09.179Z",
  "description": null
}

Then I am trying to do a GET to /api/v2.0/retentions/3 and the response is 403 Forbidden.
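
As an added example (not from the thread or from Harbor's code base), a small Python check over the robot payload shape quoted above: it lists wildcard grants, explicit entries a wildcard in the same scope already covers, and the expiry time. The sample is a constructed, trimmed copy of that payload, `audit_robot` is a hypothetical name, and the matching rule (a `*` covers any resource or action within its scope) is an assumption of this example, not Harbor's documented evaluation logic.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the thread's payload, trimmed to a few access entries.
SAMPLE_ROBOT = json.loads("""
{
  "name": "robot-robot-test-2", "level": "system", "disable": false,
  "expires_at": 1691415962,
  "permissions": [
    {"kind": "project", "namespace": "*", "access": [
      {"resource": "repository", "action": "pull"},
      {"resource": "tag", "action": "list"},
      {"resource": "*", "action": "*"}]},
    {"kind": "system", "namespace": "*", "access": [
      {"resource": "*", "action": "*"}]}
  ]
}
""")

def audit_robot(robot):
    """Summarise what a robot payload grants and flag over-broad entries."""
    report = {"wildcard_grants": [], "shadowed": [], "all_namespaces": []}
    for perm in robot.get("permissions", []):
        scope = perm.get("kind", "?")
        if perm.get("namespace") == "*":
            report["all_namespaces"].append(scope)
        access = [(a.get("resource"), a.get("action")) for a in perm.get("access", [])]
        wild = [(r, a) for r, a in access if r == "*" or a == "*"]
        for r, a in wild:
            report["wildcard_grants"].append(f"{scope}:{r}/{a}")
        # An explicit entry is redundant once a wildcard in the same scope covers it
        # (assumed matching rule, see lead-in).
        for r, a in access:
            if (r, a) in wild:
                continue
            if any(wr in ("*", r) and wa in ("*", a) for wr, wa in wild):
                report["shadowed"].append(f"{scope}:{r}/{a}")
    expires = robot.get("expires_at", -1)
    # Treating a non-positive expires_at as "never expires" is an assumption here.
    report["expires_utc"] = (
        datetime.fromtimestamp(expires, tz=timezone.utc).isoformat() if expires > 0 else None)
    return report

if __name__ == "__main__":
    print(json.dumps(audit_robot(SAMPLE_ROBOT), indent=2))
```

Running it over a saved copy of a test robot's payload shows which wildcard grants need narrowing before the account is reused outside testing.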

@tj-macdonald

@wy65701436 would you be able to help provide any insight?
