Unable to replicate between two harbor instances using robot account in harbor v.2.5

[olifur]

Expected behavior and actual behavior:
We want to replicate images between two separate harbor registries A,B using robot accounts (system accounts are not feasable for us). The robot account we created for replication on B has full permission in all namespaces.

As we are running harbor in enterprise we disabled "Project Creation" to "Everyone", only "Admin only" is allowed.
When we test the replication, it fails with the error message: 403 FORBIDDEN, only system admin can create project.
If we temporarily set "Project Creation" to "Everyone", replication works fine.
We want to make this work for "Project Creation" as "Admin only" .
In the following issue it is stated, that this feature (replication via robot account) should work with harbor v.2.4, see here . Here is another issue stating that it does not work in v.2.4 here.

Steps to reproduce the problem:

1. Have two seperate harbor registry instances A,B, create a robot account on registry B with full access to all namespaces and all permissions.
2. Create a registry instance called B on registry A with the robot account you created in the step before. Test the connection
3. Create a label and add it to an image in some project in A
4. Create a replication rule on A with push, select registry B, select a label to use, select all namespaces. Save rule
5. Set "Project Creation" to "Admin only"
6. run the replication, manually, it will fail with 403 FORBIDDEN
7. Change the "Project Creation" to "Everyone"
8. Run the replication again, result: all the images with the label you set before get replicated from A to B

Versions:

• harbor version: v2.5.0-98e1b82f
• docker engine version:20.10.14
• docker-compose version: 1.29.2, build 5becea4c

[wy65701436]

It is by designed. When you enable the system admin only, no one besides admin users can create project.

[olifur]

Hi,

Yes I understand the differentiation between everyone and system admins only and it makes sense to me.
But in our environment we need the possibility that:

only system admins can create projects (out of security reasons) AND robot accounts can create projects while used for replication (only).

Best, Oliver

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[alexanderdalloz]

@wy65701436 so what you are saying is that by design replication using system robot account requires you to first create the projects on the mirror side?
That's not documented on https://github.com/goharbor/harbor/wiki/How-to-do-replication-with-Robot-Account
Can someone please state whether this gets fixed is indeed a design decision?

[wy65701436]

@wy65701436 so what you are saying is that by design replication using system robot account requires you to first create the projects on the mirror side? That's not documented on https://github.com/goharbor/harbor/wiki/How-to-do-replication-with-Robot-Account Can someone please state whether this gets fixed is indeed a design decision?

I mean when you Set "Project Creation" to "Admin only", the failure scenario is by designed since robot cannot create projects for replication.

[ragarcia26]

@wy65701436 is the suggested path forward to set Project Creation to Everyone if you want a robot account to do replication? what are the alternatives? use an Admin user cli token as this issue suggests #16794 (comment) ? Is there any other suggestions or future work regarding support for Robot Accounts?