Token generated with higher access rights than requested

[mlacko64]

If you are reporting a problem, please make sure the following information are provided:

Expected behavior and actual behavior:
Token generation seems to be ignoring access righs limitation in request. In example below I requested just pull permissions, but as request was made with admin user, I received also push and delete rights.

I expect to receive just permissions I requested.

Steps to reproduce the problem:
Please provide the steps to reproduce this problem.

Token request:

curl -k -X GET -H "Authorization: Basic mybasicstringhere" 'https://10.242.0.37:5443/service/token?service=harbor-registry&scope=repository:ocp-mirror/oc-mirror-metadata:pull'
{"token":"myloooooongtokenhere","access_token":"","expires_in":1800,"issued_at":"2024-04-05T07:41:16Z"}

When I decoded token with jwt-decode.payload , it shows delete, pull and push permissions.

  "access": [
    {
      "type": "repository",
      "name": "ocp-mirror/oc-mirror-metadata",
      "actions": [
        "delete",
        "pull",
        "push"
      ]
    }
  ]

Versions:
Please specify the versions of following systems.

• harbor version: v2.10.1
• docker engine version: 24.0.5
• docker-compose version: 1.29.2

Additional context:

• Harbor config files: You can get them by packaging harbor.yml and files in the same directory, including subdirectory.
• Log files: You can get them by package the /var/log/harbor/ .

[MinerYang]

Did you request the token with admin privilege ?

[mlacko64]

I used default admin account created during Harbor installation
I requested just pull permission to one project scope=repository:ocp-mirror/oc-mirror-metadata:pull

[MinerYang]

Admin would have full access of projects/repository regardless of permissions you requested.

[mlacko64]

so it a feature, thanks for explanation