Harbor OIDC Admin Group Permission Problem #18730
Comments
Maybe something wrong with your
see doc: https://goharbor.io/docs/1.10/administration/configure-authentication/oidc-auth/
Yeah sure. When I execute your call command with my username and CLI secret, I get the same message: I also re-generated the CLI secret and uploaded my own one, but I am When I replace the values with the local admin user, it works.
For an OIDC user calling the API, please refer to https://github.com/goharbor/harbor/wiki/Harbor-FAQs#api, but the best way to call the API under OIDC authentication is to create a system-level robot account and use the robot account to call the API.
@YangJiao0817 I already created a system-level robot account as described here #14145 (comment), but when I e.g. call the Terraform Harbor API with the username and secret of the robot account, it does not work. I get
@Tim-herbie What API did you call? The API should be within the scope of the robot account's permissions.
I created the system robot account as described above and put the credentials in the Terraform Harbor provider. After that I run This is the JSON output from the robot account: At the moment, we are using the local admin account for the Terraform API. But we would like to use a separate account like the robot account or an OIDC user, but both do not work at the moment.
@Tim-herbie Looks like your robot account does not contain
@AllForNothing Okay, then I understood it wrong before. When I look at your file, I would expect that this should work, because

```
curl -X 'POST' \
  'https://harbor.domain.de/api/v2.0/robots' \
  -H 'accept: application/json' \
  -H 'authorization: Basic Tokenishere' \
  -H 'Content-Type: application/json' \
  -H 'X-Harbor-CSRF-Token: AnotherTokenishere' \
  -d '{
    "secret": "mySuperTestSecret1!",
    "disable": false,
    "name": "test",
    "level": "system",
    "duration": 0,
    "description": "test",
    "permissions": [
      {
        "access": [
          {
            "action": "*",
            "resource": "*"
          }
        ],
        "kind": "system",
        "namespace": "/"
      }
    ]
  }'
```

This curl creates the robot account, but it does not change the errors when I call the API via Terraform with the credentials of the robot account:
And also the "duration" should not be 0; you should set an integer, or -1 for never expires.
I changed that. Now it looks a little bit better. I can e.g. list projects or retention policies and the terraform plan has no errors anymore. Is the robot account currently able to also create robot accounts? Either it is not able to, or the permission for that is missing. I am still looking into that. I also can't list registries at the moment.
Okay, now it is a little bit weird for me :) With that, I can e.g. list all projects, all registries, all robot accounts, all retention policies, but I can't list one specific project with that command:
Here is the current curl with the permissions to create the robot account:
I also added the repository into the permissions with "repository" "list" access, but it does not fix the problem.
Okay... Now it gets much more weird. When I call the curl command without any authentication, exactly the code under here, then I get the right response:
I don't think this should work, but it does.
@Tim-herbie Yes, robots can create robots.
Is it a public project? For a public project, no auth is required for this API.
@AllForNothing Yes, we have only public projects.
When I try the curl again, it does not work. It works without authentication, but when I add it, it does not work anymore.
When I use the local admin user, it works! So there must be a permissions problem.
@AllForNothing ping
@Tim-herbie We have only tested the permissions that are displayed on the UI. For other permissions, they should be available in theory, but we have not tested it; you need to test it yourself.
@AllForNothing I can also create the robot account, but the robot has no permissions to list the projects. When I only add the permissions for the kind project, it works. It seems not to work to assign project and system level permissions to the robot account. That could be the problem. This also happens to me: https://github.com/goharbor/harbor/issues/14145#issuecomment-825465502
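Added example, not code from the thread or from the Harbor project: it builds the robot-account request body in the shape of the curl posted above, rejecting the `"duration": 0` that the thread flagged, and pairs it with a small probe that issues one authenticated GET so each resource (a project, a registry, a retention policy) can be checked for the `unauthorized` answer. The Harbor URL, project name and secret are placeholders; the username is the `name` Harbor returns when the robot is created.

```python
import base64
import json
from urllib import error, request


def robot_payload(name, secret, system_access, project_access=None,
                  duration_days=-1, description=""):
    """Body for POST /api/v2.0/robots, shaped like the curl in the thread.
    Access lists are (resource, action) pairs: one "system" block plus one
    "project" block per project. duration_days is -1 (never expires) or a
    positive number of days; 0, which the thread flagged, is rejected."""
    if duration_days == 0 or duration_days < -1:
        raise ValueError("duration must be -1 (never expires) or a positive integer")
    permissions = [{"kind": "system", "namespace": "/",
                    "access": [{"resource": r, "action": a} for r, a in system_access]}]
    for project, access in (project_access or {}).items():
        permissions.append({"kind": "project", "namespace": project,
                            "access": [{"resource": r, "action": a} for r, a in access]})
    return {"name": name, "secret": secret, "level": "system", "disable": False,
            "duration": duration_days, "description": description,
            "permissions": permissions}


def probe(base_url, path, username, secret, timeout=10):
    """GET base_url + path with HTTP Basic auth; return (status, body or None).
    A 401/403 here is the 'unauthorized' answer the thread describes, so running
    it per resource shows which permissions the robot still lacks."""
    token = base64.b64encode(f"{username}:{secret}".encode()).decode()
    req = request.Request(base_url + path, headers={
        "accept": "application/json", "Authorization": "Basic " + token})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except error.HTTPError as e:
        return e.code, None


if __name__ == "__main__":
    # Placeholder project and secret (constructed, not values from the thread).
    body = robot_payload("tf-robot", "CHANGE-ME-secret1!", [("*", "*")],
                         {"my-public-project": [("repository", "list")]})
    print(json.dumps(body, indent=2))
    # probe("https://harbor.example.com/api/v2.0", "/projects/my-public-project",
    #       "<name returned by Harbor>", "CHANGE-ME-secret1!") -> (status, body)
```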
I'm closing this issue, as it's not a bug currently. If needed, please open another issue as a feature request.
Okay, I saw that there is an existing merge request https://github.com/goharbor/harbor/pull/18724, which hopefully provides the full permissions to the robot account. But I will create a feature request that the CLI secret of an OIDC user has the same permissions as the OIDC user itself.
We are running Harbor in Kubernetes and using the OIDC provider for authentication. We defined an OIDC Admin Group in the authentication configuration. My OIDC user is a member of the Admin Group.
When I try to access some specific resources via API/curl with my OIDC user that is in the Admin Group, I get the message
unauthorized
back. But with my OIDC user, I can do everything in the Harbor application (GUI). I opened an issue in the Harbor Terraform provider before: goharbor/terraform-provider-harbor#328
Curl:
Response:
Expected behavior and actual behavior:
I expected that the OIDC admin user with the CLI secret has the same permissions as the local admin user, so that I can use it with the API or for the Terraform Harbor provider.
That my OIDC admin user gets a valid response via API/curl.
Steps to reproduce the problem:
GET /retentions/{id}
and put in an existing retention policy id.
Versions:
Please specify the versions of the following systems.