Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Different API behavior in Harbor version 2.9 vs. prior versions: Users with limited_guest role are not able to query the repository endpoint by id #19709

Closed
Vad1mo opened this issue Dec 13, 2023 · 4 comments · Fixed by #19757
Closed

Different API behavior in Harbor version 2.9 vs. prior versions: Users with limited_guest role are not able to query the repository endpoint by id #19709

Vad1mo opened this issue Dec 13, 2023 · 4 comments · Fixed by #19757
Assignees
@YangJiao0817
Labels
kind/bug needs/follow-up needs/test-case target/2.9.2 target/2.10.1

Comments

@Vad1mo
Copy link
Member

Vad1mo commented Dec 13, 2023

Expected behavior and actual behavior:
Users with limited_guest role are not able to query the repository endpoint by id in Version 2.9, this was different in 2.8 and prior down to 2.4

Log output for Version 2.9.1

The last two lines:

2023-12-12T14:00:44Z [DEBUG] [/server/middleware/security/idtoken.go:67][requestID="585c9d98-4c29-4d9b-82e6-c0109053ab19"]: an ID token security context generated for request GET /api/v2.0/projects/adv-test123/repositories/centos
2023/12/12 14:00:44 Model:
2023/12/12 14:00:44 m.m: g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && (r_act == p_act || p_act == '*')
2023/12/12 14:00:44 g.g: _, _
2023/12/12 14:00:44 r.r: sub, obj, act
2023/12/12 14:00:44 p.p: sub, obj, act, eft
2023/12/12 14:00:44 e.e: some(where (p_eft == allow)) && !some(where (p_eft == deny))
2023/12/12 14:00:44 Policy:
2023/12/12 14:00:44 p: sub, obj, act, eft: [[limitedGuest /project/10 read allow] [limitedGuest /project/10/quota read allow] [limitedGuest /project/10/repository list allow] [limitedGuest /project/10/repository pull allow] [limitedGuest /project/10/configuration read allow] [limitedGuest /project/10/scan read allow] [limitedGuest /project/10/scanner read allow] [limitedGuest /project/10/tag list allow] [limitedGuest /project/10/accessory list allow] [limitedGuest /project/10/artifact read allow] [limitedGuest /project/10/artifact list allow] [limitedGuest /project/10/artifact-addition read allow]]
2023/12/12 14:00:44 g: _, _: [[[email protected] limitedGuest]]
2023/12/12 14:00:44 Role links for: g
2023/12/12 14:00:44 [email protected] < limitedGuest
2023/12/12 14:00:44 Request: [email protected], /project/10/repository, read ---> false
2023-12-12T14:00:44Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"FORBIDDEN","message":"forbidden"}]}

Log output for 2.7.1

2023-12-12T14:27:13Z [DEBUG] [/pkg/oidc/helper.go:414]: populateGroupsDB, group filter
2023-12-12T14:27:13Z [DEBUG] [/server/middleware/security/idtoken.go:67][requestID="396f796d-bfb5-4619-a2c5-a51fb3c65e7c"]: an ID token security context generated for request GET /api/v2.0/projects/adv-test/repositories/fluent
2023/12/12 14:27:13 Model:
2023/12/12 14:27:13 e.e: some(where (p_eft == allow)) && !some(where (p_eft == deny))
2023/12/12 14:27:13 m.m: g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && (r_act == p_act || p_act == '*')
2023/12/12 14:27:13 g.g: _, _
2023/12/12 14:27:13 r.r: sub, obj, act
2023/12/12 14:27:13 p.p: sub, obj, act, eft
2023/12/12 14:27:13 Policy:
2023/12/12 14:27:13 p: sub, obj, act, eft: [[limitedGuest /project/6 read allow] [limitedGuest /project/6/quota read allow] [limitedGuest /project/6/repository list allow] [limitedGuest /project/6/repository pull allow] [limitedGuest /project/6/helm-chart read allow] [limitedGuest /project/6/helm-chart list allow] [limitedGuest /project/6/helm-chart-version read allow] [limitedGuest /project/6/helm-chart-version list allow] [limitedGuest /project/6/configuration read allow] [limitedGuest /project/6/scan read allow] [limitedGuest /project/6/scanner read allow] [limitedGuest /project/6/tag list allow] [limitedGuest /project/6/accessory list allow] [limitedGuest /project/6/artifact read allow] [limitedGuest /project/6/artifact list allow] [limitedGuest /project/6/artifact-addition read allow]]
2023/12/12 14:27:13 g: _, _: [[[email protected] limitedGuest]]
2023/12/12 14:27:13 Role links for: g
2023/12/12 14:27:13 [email protected] < limitedGuest
2023/12/12 14:27:13 Request: [email protected], /project/6/repository, list ---> true
2023-12-12T14:27:16Z [DEBUG] [/pkg/config/manager.go:140]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value n

Steps to reproduce the problem:
create a user with the permission of the limitued_guest,
Make curl request with GET /api/v2.0/projects/library/repositories/image

Versions:
2.9.1  ❌
<2.8.1 ✅

Additional context:

In my opinion it makes sense for limited user bing able to list repository.
@stonezdj
Copy link
Contributor

sees related to b021dbd

@wy65701436
Copy link
Contributor

@YangJiao0817 please help to add a breaking change in the release notes.

@YangJiao0817
Copy link
Member

Harbor v2.9.0 release notes updated.
https://github.com/goharbor/harbor/releases/tag/v2.9.0

@zyyw zyyw mentioned this issue Dec 26, 2023
Merged
5 tasks
@Vad1mo
Copy link
Member Author

Vad1mo commented Jan 1, 2024

related to #18188

This was referenced Jan 8, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@YangJiao0817 YangJiao0817

Labels
kind/bug needs/follow-up needs/test-case target/2.9.2 target/2.10.1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

add repository read permission to limitedGuest container-registry/harbor
5 participants
@Vad1mo @stonezdj @wy65701436 @zyyw @YangJiao0817