Harbor OIDC Admin Group Permission Problem #18730

Closed
Tim-herbie opened this issue May 24, 2023 · 20 comments

Comments

@Tim-herbie

Tim-herbie commented May 24, 2023

We are running Harbor in Kubernetes and using the OIDC Provider for Authentication. We defined an OIDC Admin Group in the Authentication Configuration. My OIDC User is a Member of the Admin Group.

When I try to access some specific resources via API/curl with my OIDC User that is in the Admin Group, I get the message "unauthorized" back. But with my OIDC User, I can do everything in the Harbor application (GUI).

I opened an issue in the harbor terraform provider before: goharbor/terraform-provider-harbor#328

Curl:

curl -X 'GET' \
  'https://harbor.domain.de/api/v2.0/retentions/39' \
  -H 'accept: application/json' \
  -H 'authorization: Basic my-generated-authorization-token'

Response:

{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}

Expected behavior and actual behavior:
I expected that the OIDC Admin User with the CLI Secret has the same permissions as the local admin user, so that I can use it with the API or for the Terraform harbor provider,
and that my OIDC Admin User gets a valid response via API/curl.

Steps to reproduce the problem:

  1. First, I used the CLI Secret from my user profile in Harbor and put the CLI Secret and my username in the "Authorize" field on the Swagger API page to get authorized.
  2. Choose the API call GET /retentions/{id} and put in an existing retention policy id.
  3. Copy the generated curl command, paste it in your terminal and execute it.

Versions:
Please specify the versions of the following systems.

  • harbor version: v2.8.0-89ef156d
@stonezdj
Contributor

stonezdj commented May 27, 2023

Maybe something is wrong with your Basic my-generated-authorization-token.
Could you try this?

curl -X 'GET' \
  'https://harbor.de-cix.net/api/v2.0/retentions/39' \
  -H 'accept: application/json' \
  -u '<harbor_username>:<cli secret>'

see doc: https://goharbor.io/docs/1.10/administration/configure-authentication/oidc-auth/

@Tim-herbie
Author

Tim-herbie commented May 30, 2023

Yeah, sure. When I execute your curl command with my username and CLI secret, I get the same message:
{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}

I also re-generated the CLI secret and uploaded my own one, but I am unauthorized as well.

When I replace the values with the local admin user, it works.
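The 401 quoted above, as an added example that is not part of the original thread and not Harbor project code: a small Python probe that builds the same Basic header `curl -u` sends from a username and CLI secret (the Swagger "Authorize" box generates exactly that string, so the pasted token and `-u` are the same request and swapping one for the other cannot change the outcome by itself), sends the GET, and tells a 401 UNAUTHORIZED (credentials not accepted at all) from a 403 FORBIDDEN (caller identified, but the permission is missing). The host name, the credentials and the fake transport are constructed so the block runs offline.

```python
"""Harbor API probe: Basic auth from username + CLI secret, with 401 and 403
told apart. Added example, not Harbor project code; host, credentials and
the fake transport below are constructed for offline use.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

Response = Tuple[int, bytes]


def basic_auth_header(username: str, secret: str) -> str:
    """Return the value `curl -u username:secret` sends in the Authorization
    header. The Swagger "Authorize" box generates exactly this string, so the
    pasted token and -u are the same request."""
    raw = f"{username}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify(status: int, body: bytes) -> str:
    """Diagnose a Harbor API response.

    401 UNAUTHORIZED: the credentials were not accepted at all.
    403 FORBIDDEN: the caller was identified but lacks the permission.
    """
    code: Optional[str] = None
    try:
        errors = json.loads(body.decode("utf-8")).get("errors", [])
        if errors:
            code = errors[0].get("code")
    except (ValueError, AttributeError):
        pass  # not the {"errors": [...]} envelope; keep the status only
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return f"credentials rejected ({code or 'UNAUTHORIZED'})"
    if status == 403:
        return f"authenticated but not permitted ({code or 'FORBIDDEN'})"
    return f"unexpected status {status} ({code})"


def get(url: str, username: Optional[str] = None, secret: Optional[str] = None,
        opener: Optional[Callable[[urllib.request.Request], Response]] = None) -> Response:
    """GET a Harbor API URL, with Basic auth when credentials are given.

    `opener` replaces the network for tests; it takes the prepared Request
    and returns (status, body).
    """
    req = urllib.request.Request(url, headers={"accept": "application/json"})
    if username is not None and secret is not None:
        req.add_header("authorization", basic_auth_header(username, secret))
    if opener is not None:
        return opener(req)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(url: str, username: Optional[str], secret: Optional[str], opener=None) -> str:
    """GET the URL and return the one-line diagnosis."""
    status, body = get(url, username, secret, opener)
    return classify(status, body)


# Constructed stand-in for the server: only one credential pair is accepted,
# everything else (including no credentials) gets the 401 quoted above.
_ACCEPTED = basic_auth_header("admin", "admin-secret")


def fake_harbor(req: urllib.request.Request) -> Response:
    """Fake transport; urllib stores the header under its capitalized name."""
    if req.get_header("Authorization") == _ACCEPTED:
        return 200, b'{"id": 39, "algorithm": "or", "rules": []}'
    return 401, b'{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}'


if __name__ == "__main__":
    url = "https://harbor.example.test/api/v2.0/retentions/39"  # assumed host
    for user, sec in [("oidc-user", "cli-secret"), ("admin", "admin-secret")]:
        print(f"{user}: {probe(url, user, sec, opener=fake_harbor)}")
```

Drop the `opener` argument to run it against a real instance; the distinction it prints is the one to watch in this thread, because a 401 means the credential itself was not accepted, whereas a 403 means the account was recognised and the question is only which permissions it carries.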

@YangJiao0817
Member

For an OIDC user calling the API, please refer to https://github.com/goharbor/harbor/wiki/Harbor-FAQs#api, but the best way to call the API under OIDC authentication is to create a system-level robot account and use the robot account to call the API.

@Tim-herbie
Author

Tim-herbie commented May 31, 2023

@YangJiao0817 I already created a system-level robot account as described here #14145 (comment), but when I e.g. call the Terraform harbor API with the username and secret of the robot account, it does not work. I get UNAUTHORIZED and Resource not found messages back.

YangJiao0817 reopened this May 31, 2023
@AllForNothing
Contributor

@Tim-herbie Which API did you call? The API should be within the scope of the robot account's permissions.

@Tim-herbie
Author

I created the system robot account as described above and put the credentials in the Terraform harbor provider. After that I ran terraform plan and got the unauthorized and resource not found messages. The error messages are e.g. for retention policies or project_members.

This is the JSON output for the robot account:
[{"creation_time":"2023-05-31T06:32:31.419Z","description":"test","disable":false,"duration":30,"editable":true,"expires_at":1688106751,"id":33921,"level":"system","name":"robot$test","permissions":[{"access":[{"action":"create","resource":"project"}],"kind":"system","namespace":"/"}],"update_time":"2023-05-31T06:32:31.419Z"}]

At the moment, we are using the local admin account for the Terraform API. But we would like to use a separate account like the robot account or an OIDC user, but neither works at the moment.

@AllForNothing
Contributor

AllForNothing commented Jun 1, 2023

@Tim-herbie It looks like your robot account does not contain retention policies or project_members permissions.
Please refer to this file to manually add the permissions you want (you may need to update the permissions by API call; the Harbor UI only displays some key permissions).

@Tim-herbie
Author

@AllForNothing Okay, then I understood it wrong before.

When I look at your file, I would expect that this should work, because * should match any resource types and also actions. Or do I have to add permissions for each project as well?

curl -X 'POST' \
  'https://harbor.domain.de/api/v2.0/robots' \
  -H 'accept: application/json' \
  -H 'authorization: Basic Tokenishere' \
  -H 'Content-Type: application/json' \
  -H 'X-Harbor-CSRF-Token: AnotherTokenishere' \
  -d '{
  "secret": "mySuperTestSecret1!",
  "disable": false,
  "name": "test",
  "level": "system",
  "duration": 0,
  "description": "test",
  "permissions": [
    {
      "access": [
        {
          "action": "*",
          "resource": "*"
        }
      ],
      "kind": "system",
      "namespace": "/"
    }
  ]
}'

This curl creates the robot account, but it does not change the errors when I call the API via Terraform with the credentials of the robot account:

harbor_username = "robot$test"
harbor_password = "mySuperTestSecret1!"

@AllForNothing
Contributor

It seems the kind and namespace properties are wrong. Can you update them as below and then try again?
(screenshot attachment, not reproduced here)

@AllForNothing
Contributor

And also the "duration" should not be 0; you should set an integer, or -1 for never expires.

@Tim-herbie
Author

Tim-herbie commented Jun 1, 2023

I changed that. Now it looks a little bit better. I can e.g. list projects or retention policies and the terraform plan has no errors anymore.

Is the robot account currently able to also create robot accounts? Either it is not able to or the permission for that is missing. I am still looking into that. I also can't list registries at the moment.

@Tim-herbie
Author

Tim-herbie commented Jun 1, 2023

Okay, now it is a little bit weird for me :)

With that, I can e.g. list all projects, all registries, all robot accounts, all retention policies, but I can't list one specific project with this command:

curl -X 'GET' \
  'https://harbor.domain.de/api/v2.0/projects/6' \
  -H 'accept: application/json' \
  -u 'robot$test:hereisthesecret'

Here is the current curl with the permissions to create the robot account:

...
  -d '{
  "secret": "mySuperTestSecret1!",
  "disable": false,
  "name": "test",
  "level": "system",
  "duration": 0,
  "description": "test",
  "permissions": [
    {
      "access": [
        {
          "action": "*",
          "resource": "*"
        }
      ],
      "kind": "project",
      "namespace": "*"
    },
    {
      "access": [
        {
          "action": "*",
          "resource": "*"
        }
      ],
      "kind": "system",
      "namespace": "/"
    }
  ]
}'

I also added the repository into the permissions with "repository" "list" access, but it does not fix the problem.

@Tim-herbie
Author

Tim-herbie commented Jun 1, 2023

Okay... Now it gets much weirder.

When I call the curl command without any authentication, exactly the code below, then I get the right response:

curl -X 'GET' \
  'https://harbor.domain.de/api/v2.0/projects/6' \
  -H 'accept: application/json'

I don't think this should work, but it does.

@AllForNothing
Contributor

AllForNothing commented Jun 5, 2023

@Tim-herbie
Is the robot account currently able to also create robot accounts?

Yes, robots can create robots.

I also can't list registries at the moment:

{ "action": "*", "resource": "*" } does not mean all permissions, and we have not tested it.

When I call the curl command without any authentication, exactly the code below, then I get the right response:

Is it a public project? For a public project, no auth is required for this API.

@Tim-herbie
Author

Tim-herbie commented Jun 5, 2023

@AllForNothing Yes, we have only public projects.
I added all permissions for projects, robots and repositories:

{
  "secret": "",
  "disable": false,
  "name": "test",
  "level": "system",
  "duration": -1,
  "description": "test",
  "permissions": [
    {
      "access": [
        {
          "action": "list",
          "resource": "member"
        },
        {
          "action": "read",
          "resource": "member"
        },
        {
          "action": "create",
          "resource": "member"
        },
        {
          "action": "delete",
          "resource": "member"
        },
        {
          "action": "update",
          "resource": "member"
        },
        {
          "action": "list",
          "resource": "repository"
        },
        {
          "action": "read",
          "resource": "repository"
        },
        {
          "action": "delete",
          "resource": "repository"
        },
        {
          "action": "update",
          "resource": "repository"
        },
        {
          "action": "pull",
          "resource": "repository"
        },
        {
          "action": "push",
          "resource": "repository"
        },
        {
          "action": "list",
          "resource": "robot"
        },
        {
          "action": "read",
          "resource": "robot"
        },
        {
          "action": "create",
          "resource": "robot"
        },
        {
          "action": "delete",
          "resource": "robot"
        },
        {
          "action": "update",
          "resource": "robot"
        },
        {
          "action": "list",
          "resource": "project"
        },
        {
          "action": "read",
          "resource": "project"
        },
        {
          "action": "create",
          "resource": "project"
        },
        {
          "action": "delete",
          "resource": "project"
        },
        {
          "action": "update",
          "resource": "project"
        }
      ],
      "kind": "project",
      "namespace": "*"
    },
    {
      "access": [
        {
          "action": "list",
          "resource": "registry"
        },
        {
          "action": "read",
          "resource": "registry"
        },
        {
          "action": "create",
          "resource": "registry"
        },
        {
          "action": "delete",
          "resource": "registry"
        },
        {
          "action": "update",
          "resource": "registry"
        },
        {
          "action": "list",
          "resource": "project"
        },
        {
          "action": "create",
          "resource": "project"
        }
      ],
      "kind": "system",
      "namespace": "/"
    }
  ]
}

When I try the curl again, it does not work. It works without authentication, but when I add the credentials it does not work anymore.

curl -X 'GET' \
  'https://harbor.domain.de/api/v2.0/projects/6' \
  -H 'accept: application/json' \
  -u 'robot$test:secret'
{"errors":[{"code":"FORBIDDEN","message":"forbidden"}]}

When I use the local admin user, it works! So there must be a permissions problem.

@Tim-herbie
Author

@AllForNothing ping

@AllForNothing
Contributor

AllForNothing commented Jun 14, 2023

@Tim-herbie
I had a try just now; it works fine. The robot is as below:
[{"creation_time":"2023-06-14T08:24:08.854Z","disable":false,"duration":30,"editable":true,"expires_at":1689323048,"id":2,"level":"system","name":"robot$test", "permissions":[ {"access":[ {"action":"read","resource":"project"} ], "kind":"project","namespace":"*"}],"update_time":"2023-06-14T08:24:40.138Z"}]
It seems your robot permission array is incorrect.

We have only tested the permissions that are displayed in the UI. For other permissions, they should be available in theory, but we have not tested them; you need to test them yourself.

@Tim-herbie
Author

@AllForNothing I can also create the robot account, but the robot has no permissions to list the projects. When I only add the permissions for the kind project, it works.

It seems that assigning project- and system-level permissions to the robot account does not work. That could be the problem. This also happens to me: https://github.com/goharbor/harbor/issues/14145#issuecomment-825465502
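As an added example (not code from Harbor or from anyone in this thread), a Python helper that lints a robot account body for the mistakes the maintainers pointed out above (duration 0, "*" used as a wildcard, wrong kind/namespace pairs, and the mix of project and system kinds in one robot that the reporter found not to work on v2.8) and predicts locally whether a given API call passes, using literal matching. The matching rules, the resource and action names, and the assumption that an authenticated robot is judged on its permission list alone while an anonymous read of a public project is served without credentials are modelled on the statements and observations in this thread, not taken from Harbor's authorization code; the sample bodies are constructed.

```python
"""Lint a Harbor system-level robot body and predict API outcomes locally.

Added example, not Harbor project code. The rules are an assumption modelled
on this thread, not Harbor's authorization code: access entries match
literally ("*" is not a documented wildcard); kind "project" uses namespace
"*" or a project name and kind "system" uses "/"; duration is positive days
or -1, never 0; an authenticated robot is judged on its permissions alone,
so one without project:read is FORBIDDEN even on a public project that an
anonymous caller can read. Sample bodies are constructed.
"""
from typing import Dict, List, Optional

Access = List[Dict[str, str]]


def access(resource: str, *actions: str) -> Access:
    """Expand one resource and several actions into access entries."""
    return [{"action": a, "resource": resource} for a in actions]


def validation_errors(body: dict) -> List[str]:
    """Problems that made a robot body unusable in this thread."""
    problems: List[str] = []
    d = body.get("duration")
    if not isinstance(d, int) or d == 0 or d < -1:
        problems.append(f"duration must be positive days or -1, not {d!r}")
    if not body.get("permissions"):
        problems.append("no permissions: the robot can do nothing")
    for perm in body.get("permissions", []):
        kind, ns = perm.get("kind"), perm.get("namespace")
        if kind == "system" and ns != "/":
            problems.append(f"kind 'system' requires namespace '/', got {ns!r}")
        elif kind == "project" and not ns:
            problems.append("kind 'project' needs namespace '*' or a project name")
        elif kind not in ("system", "project"):
            problems.append(f"unknown kind {kind!r}")
        for entry in perm.get("access", []):
            if "*" in (entry.get("action"), entry.get("resource")):
                problems.append("'*' is not a wildcard; list each resource and action")
    kinds = {p.get("kind") for p in body.get("permissions", [])}
    if kinds >= {"project", "system"}:
        problems.append("project and system kinds in one robot did not work for "
                        "the reporter on v2.8; prefer two robots")
    return problems


def robot_request(name: str, secret: str, kind: str, entries: Access,
                  duration: int = -1, description: str = "") -> dict:
    """Assemble a single-kind POST /api/v2.0/robots body; refuse one that cannot work."""
    namespace = "/" if kind == "system" else "*"
    body = {"name": name, "secret": secret, "disable": False, "level": "system",
            "duration": duration, "description": description,
            "permissions": [{"access": list(entries), "kind": kind, "namespace": namespace}]}
    problems = validation_errors(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


def is_allowed(body: dict, kind: str, resource: str, action: str,
               project: Optional[str] = None) -> bool:
    """Literal match of (kind, resource, action) against the robot body."""
    for perm in body["permissions"]:
        if perm["kind"] != kind:
            continue
        if kind == "project" and perm["namespace"] not in ("*", project):
            continue
        if any(e["resource"] == resource and e["action"] == action
               for e in perm["access"]):
            return True
    return False


def expected_outcome(body: Optional[dict], kind: str, resource: str,
                     action: str, project: Optional[str] = None,
                     public: bool = False) -> str:
    """Outcome for a robot (body given) or an anonymous call (body None)."""
    if body is None:
        if public and action in ("read", "list"):
            return "ok (anonymous read of a public project)"
        return "credentials required"
    if is_allowed(body, kind, resource, action, project):
        return "ok"
    return "forbidden (no matching permission)"


# The wildcard body posted above, as the thread quoted it (duration 0, "*").
POSTED_WILDCARD_BODY = {
    "name": "test", "secret": "mySuperTestSecret1!", "disable": False,
    "level": "system", "duration": 0, "description": "test",
    "permissions": [{"access": [{"action": "*", "resource": "*"}], "kind": "project", "namespace": "*"},
                    {"access": [{"action": "*", "resource": "*"}], "kind": "system", "namespace": "/"}],
}

if __name__ == "__main__":
    print("posted body:", validation_errors(POSTED_WILDCARD_BODY))
    tf = robot_request("tf", "s3cret", "project", access("project", "read", "list"), duration=30)
    print("robot GET /projects/6:", expected_outcome(tf, "project", "project", "read", "6"))
    print("anonymous, public:", expected_outcome(None, "project", "project", "read", "6", public=True))
```

Run `validation_errors` on a body before POSTing it; the body that returned FORBIDDEN above passes every check except the one the reporter hit last (both kinds in one robot), which is why the helper builds one robot per kind. `expected_outcome` reproduces the surprising pair of observations in this thread: the same public project that an anonymous GET can read is forbidden to a robot whose permission list does not literally contain project:read.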

@AllForNothing
Contributor

I'm closing this issue, as it's not a bug currently. If needed, please open another issue as a feature request.
Here is a PR from the community; you can refer to it.
And we have added the enhancement for the robot account to the plan for v2.10.

@Tim-herbie
Author

Okay, I saw that there is an existing merge request https://github.com/goharbor/harbor/pull/18724, which hopefully provides the full permissions to the robot account.

But I will create a feature request that the CLI Secret of an OIDC User has the same permissions as the OIDC User itself.
