Make API Calls with Token/Robot Account to Harbor #16398

Closed
AlexBarth13 opened this issue Feb 22, 2022 · 26 comments
Labels
area/doc Issues to track documentation tasks area/robot-account Stale

Comments

AlexBarth13 commented Feb 22, 2022

Dear Harbor-Community,

We are using the Harbor registry in our company and we noticed that API calls (GET, PUT and POST) are not working and return an unauthorized error message.
Our version is v2.4 and Harbor is secured by the company's OIDC and MFA solution.

During a test, where we wanted to create a robot account automatically, we noticed this issue. To create the robot account, we have tried with the following credentials:

  1. username:cli_secret
  2. robot_account:secret
  3. Solution 1 and Solution 2 from the FAQ: https://github.com/goharbor/harbor/wiki/Harbor-FAQs#api

Here is an example of how we tried to call the API:

 curl -i -k -X 'POST' \
  'https://<FQDN>/api/v2.0/robots' \
  -v \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization:  Bearer <TOKEN>' \
  -d '{
  "secret": "string",
  "disable": false,
  "name": "testing",
  "level": "system",
  "duration": -1,
  "description": "Created with API",
  "permissions": [
    {
      "access": [
        {
          "action": "create",
          "resource": "scan"
        }
      ],
      "kind": "project",
      "namespace": "*"
    }
  ]
}'

When we are using the credentials from 1. and 2. - either in plain text with curl -u or base64 encoded as -H 'Authorization' - we are facing this issue:

{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}
* Connection #0 to host <host> left intact

We also get this message when we are creating the bearer token like it is mentioned in the FAQ solution 1.
When we tested the solution 2 in the FAQ, we are not seeing the needed _xsrf under Set-Cookies.

Furthermore, we tested the creation of robot accounts from the Swagger UI and this is working fine.

Currently we are not able to find the correct documentation on how we have to authenticate against the API to use it.

How are we able to authenticate correctly and make API calls to Harbor? Is there a solution to this?

Thanks a lot!

Alexander Barth ([email protected]) on behalf of Daimler TSS, Provider Information

@YangJiao0817 (Member)

The robot account does not have permission to create a robot account, you should use the correct account.

Here is an example of calling the API:

curl -i -k -X 'POST' \
 'https://<FQDN>/api/v2.0/robots' \
 -v \
 -H 'accept: application/json' \
 -H 'Content-Type: application/json' \
 -H 'Authorization: Basic <TOKEN>' \
 -d '{
 "secret": "string",
 "disable": false,
 "name": "testing",
 "level": "system",
 "duration": -1,
 "description": "Created with API",
 "permissions": [
   {
     "access": [
       {
         "action": "create",
         "resource": "scan"
       }
     ],
     "kind": "project",
     "namespace": "*"
   }
 ]
}'

or

curl -u 'username:password' -i -k -X 'POST' \
  'https://<FQDN>/api/v2.0/robots' \
  -v \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "secret": "string",
  "disable": false,
  "name": "testing",
  "level": "system",
  "duration": -1,
  "description": "Created with API",
  "permissions": [
    {
      "access": [
        {
          "action": "create",
          "resource": "scan"
        }
      ],
      "kind": "project",
      "namespace": "*"
    }
  ]
}'

@AlexBarth13 (Author)

Hi @YangJiao0817,
Thanks for the input!

Unfortunately, your first statement is not clear to me: how do I get the TOKEN? How can this token be created?

curl -i -k -X 'POST' \
  'https://<FQDN>/api/v2.0/robots' \
  -v \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Basic <TOKEN>' \
  -d '{
  "secret": "string",
  "disable": false,
  "name": "testing",
  "level": "system",
  "duration": -1,
  "description": "Created with API",
  "permissions": [
    {
      "access": [
        {
          "action": "create",
          "resource": "scan"
        }
      ],
      "kind": "project",
      "namespace": "*"
    }
  ]
}'

Furthermore, I have tested your second statement as well. As the password I have used my CLI secret, which is created for my user.

curl -u 'username:password' -i -k -X 'POST' \
  'https://<FQDN>/api/v2.0/robots' \
  -v \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "secret": "string",
  "disable": false,
  "name": "testing",
  "level": "system",
  "duration": -1,
  "description": "Created with API",
  "permissions": [
    {
      "access": [
        {
          "action": "create",
          "resource": "scan"
        }
      ],
      "kind": "project",
      "namespace": "*"
    }
  ]
}'

The output of this is still UNAUTHORIZED.
I can also see this in our logs:

core.log (2022-03-01 17:51:29):
Mar  1 17:51:29 192.xxx.xxx.xxx core[4358]: 2022-03-01T16:51:29Z [ERROR] [/server/middleware/security/basic_auth.go:40][requestID="<ID>"]: failed to authenticate <USER>: not supported

proxy.log (2022-03-01 17:51:29):
Mar  1 17:51:29 192.xxx.xxx.xxx proxy[4358]: <IP> - "POST /api/v2.0/robots HTTP/1.1" 401 62 "-" "curl/7.68.0" 0.010 0.012 .

Thanks!



Alexander Barth ([email protected]) on behalf of Daimler TSS, Provider Information

@YangJiao0817 (Member)

@AlexBarth13 TOKEN can be obtained by base64 for example: echo -n 'username:password' | base64
The password here refers to the user password, which is the password for the user to log in to the UI interface.

@AlexBarth13 (Author)

@YangJiao0817 Thanks for the input! Now I was able to create a project in Harbor via curl command.
Unfortunately, the creation of a robot account is still not working. In the logs I still see the following:

Mar 10 17:38:26 <IP> core[2019]: 2022-03-10T16:38:26Z [ERROR] [/server/middleware/security/basic_auth.go:40][requestID="<ID>"]: failed to authenticate <USER>: not supported

I have used the following code:

curl -i -k -X 'POST' \
 'https://<URL>/api/v2.0/robots' \
 -v \
 -H 'accept: application/json' \
 -H 'Content-Type: application/json' \
 -H 'Authorization: Basic <TOKEN>' \
 -d '{
 "secret": "string",
 "disable": false,
 "name": "curl_testing",
 "level": "project",
 "duration": -1,
 "description": "Created with API",
 "permissions": [
   {
     "access": [
       {
         "action": "create",
         "resource": "scan"
       }
     ],
     "kind": "project",
     "namespace": "<NAME_OF_PROJECT>"
   }
 ]
}'

Thanks!



Alexander Barth ([email protected]) on behalf of Daimler TSS, Provider Information

@YangJiao0817 (Member)

@AlexBarth13 This is correct, because the robot account does not have permission to create a project. You can view the permissions supported by the robot account on the Robot Accounts page.

@AlexBarth13 (Author)

@YangJiao0817 For calling the API we don't use a robot account. In all of my tests, I used my personal user + the CLI secret.
With these credentials we want to create e.g. a project and a robot account.
So far, we never used a robot account to call the API.

Thanks!



Alexander Barth ([email protected]) on behalf of Daimler TSS, Provider Information

@YangJiao0817 (Member)

@AlexBarth13 To create a project-level robot account, you need to have the project admin permission of the corresponding project or the account is an Administrator, please check your account permissions.

@AlexBarth13 (Author)

@YangJiao0817 In the project, where I tested, I am the project administrator. Furthermore, my user is Administrator on the platform.

wy65701436 (Contributor) commented Mar 22, 2022

@AlexBarth13, since the auth mode of your Harbor is OIDC, how did you succeed in creating a project with an API call?

As for the OIDC mode, the user has to use the token returned by the ID provider as the bearer token to call the Harbor API. For how to get the token, you can ask the admin of the ID provider for help. And usually the expiration of the token is about 30 minutes if it has not been modified.

An alternative is to enable the debug log of Harbor core; you can get the raw token from it.

wy65701436 added the area/doc label on Mar 22, 2022
AlexBarth13 (Author) commented Mar 25, 2022

@wy65701436 Thanks a lot for your feedback!

> since the auth mode of your Harbor is OIDC, how did you succeed in creating a project with an API call?

We have used the username + the CLI secret, which I created for my user in the UI. With those credentials, it was working for me as a platform admin as well as for another customer, who is not an admin.

> As for the OIDC mode, the user has to use the token returned by the ID provider as the bearer token to call the Harbor API. For how to get the token, you can ask the admin of the ID provider for help. And usually the expiration of the token is about 30 minutes if it has not been modified.

Thanks for this hint! I will check this within our company.

> An alternative is to enable the debug log of Harbor core; you can get the raw token from it.

We already enabled the debug log of Harbor to get more information from the logs about why I get a forbidden.

Is there any best practice or documentation about the use of the Harbor API?

Furthermore - as information for you - we in the team started to make an overview of the complete APIs and created test cases to see which API calls are working - and if yes, how - or if they are not working. In case we get some interesting output, I will paste it here.

Thanks again!



Alexander Barth ([email protected]) on behalf of Daimler TSS, Provider Information
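The thread so far describes two ways to authenticate an API call: Basic auth with a base64-encoded username and password (or, on an OIDC-backed Harbor, the user's CLI secret), and a Bearer token issued by the identity provider. The script below is an added example, not code from this issue or from the Harbor project, that assembles such a call while avoiding the pitfalls visible in the thread: the credential pair is encoded with printf so no trailing newline ends up inside the token, the request body is the robot-account JSON posted above, the error body is classified so a script can tell an authentication failure from a permission problem, and TLS verification is kept on instead of being skipped with -k. The function names, the HARBOR_URL / HARBOR_USER / HARBOR_CLI_SECRET variables and the FORBIDDEN error code are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the Harbor project): assemble a Harbor
# API call with either authentication method discussed in the thread.

# Basic auth token: base64 of "user:secret" with no trailing newline. printf
# rather than echo matters here; an encoded "\n" produces a token that Harbor
# rejects as UNAUTHORIZED. tr removes the line wrapping GNU base64 adds.
harbor_basic_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Authorization header for the chosen mode (assumed helper):
#   basic  <user> <cli_secret>  -> user password, or the CLI secret on OIDC setups
#   bearer <id_token>           -> token returned by the OIDC identity provider
harbor_auth_header() {
  case "$1" in
    basic)  printf 'Authorization: Basic %s' "$(harbor_basic_token "$2" "$3")" ;;
    bearer) printf 'Authorization: Bearer %s' "$2" ;;
    *)      echo "harbor_auth_header: unknown mode '$1'" >&2; return 1 ;;
  esac
}

# Robot-account body as posted in the thread: $1 name, $2 level, $3 namespace.
# A system-level robot uses namespace "*"; a project-level robot names the
# project, and the caller must be project admin or a Harbor Administrator.
harbor_robot_body() {
  cat <<EOF
{"name":"$1","level":"$2","duration":-1,"disable":false,
 "description":"Created with API",
 "permissions":[{"kind":"project","namespace":"$3",
   "access":[{"action":"create","resource":"scan"}]}]}
EOF
}

# Classify Harbor's error body so a script can distinguish an authentication
# failure (wrong credentials or auth mode; core.log then shows the
# basic_auth.go "failed to authenticate" line) from a permission problem.
# The FORBIDDEN code is assumed from the "forbidden" mentioned in the thread.
harbor_classify_response() {
  case "$1" in
    *'"code":"UNAUTHORIZED"'*) echo unauthorized ;;
    *'"code":"FORBIDDEN"'*)    echo forbidden ;;
    *)                         echo ok ;;
  esac
}

# Send the request. TLS is verified against the system trust store; for a
# registry certificate from a private CA pass --cacert <bundle> instead of -k.
# $1 = https://<FQDN>, $2 = authorization header, $3 = JSON body
harbor_create_robot() {
  curl -sS -X POST "$1/api/v2.0/robots" \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H "$2" \
    -d "$3"
}

# Offline demonstration with constructed values; set HARBOR_URL, HARBOR_USER
# and HARBOR_CLI_SECRET (assumed variable names) to send a real request.
if [ -n "${HARBOR_URL:-}" ]; then
  hdr=$(harbor_auth_header basic "$HARBOR_USER" "$HARBOR_CLI_SECRET")
  resp=$(harbor_create_robot "$HARBOR_URL" "$hdr" "$(harbor_robot_body curl_testing system '*')")
  echo "$resp"
  echo "result: $(harbor_classify_response "$resp")"
else
  harbor_auth_header basic username password; echo
  harbor_robot_body testing system '*'
fi
```

Run without variables it only prints the header and body it would send; with the three variables set it posts to /api/v2.0/robots and reports whether the answer was an authentication failure, a permission failure, or success. The same header builder works for the Bearer case by calling `harbor_auth_header bearer "$ID_TOKEN"`.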

@wy65701436 (Contributor)

@AlexBarth13 do you still have the problem?

@AlexBarth13 (Author)

Hi @wy65701436
Yes, this issue still exists: our customers are not able to make proper API calls. I also talked with @Vad1mo about an API concept for Harbor, as per my understanding.
It would be great if there were a possibility to generate an API token (like in GitHub), which then can be used :)

Thanks a lot!



Alexander Barth ([email protected]) on behalf of Mercedes-Benz Tech Innovation GmbH, Provider Information

@github-actions (bot)
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Aug 20, 2022
@AlexBarth13 (Author)

Still an open topic and not yet solved...

@github-actions github-actions bot removed the Stale label Aug 23, 2022
@github-actions (bot)
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Oct 22, 2022
@AlexBarth13 (Author)

This is still open and needs to be addressed...



Alexander Barth ([email protected]) on behalf of Mercedes-Benz Tech Innovation GmbH, Provider Information

@github-actions github-actions bot removed the Stale label Oct 28, 2022
@github-actions (bot)
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Dec 28, 2022
@AlexBarth13 (Author)

Hi @wy65701436 and @Vad1mo!
This is still an open topic. Any ideas if and how a working API concept can/will be implemented?

Thanks!



Alexander Barth ([email protected]) on behalf of Mercedes-Benz Tech Innovation GmbH, Provider Information

@github-actions github-actions bot removed the Stale label Jan 10, 2023
@wy65701436 (Contributor)

@AlexBarth13 did you try the method mentioned in this comment? If it works on your side, we should file a doc ticket for this issue.

@github-actions (bot)
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Mar 31, 2023
@AlexBarth13 (Author)

This is still an open topic - removing stale label...

@github-actions github-actions bot removed the Stale label Apr 13, 2023
@github-actions (bot)
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Jun 12, 2023
@AlexBarth13 (Author)

This is still an open topic - removing stale label...




Alexander Barth ([email protected]) on behalf of Mercedes-Benz Tech Innovation GmbH, Provider Information

@github-actions github-actions bot removed the Stale label Jun 13, 2023
@github-actions (bot)
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Aug 13, 2023
@github-actions (bot)
This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

github-actions bot closed this as not planned (stale) on Sep 12, 2023
abdulsalamalmahdi commented Sep 13, 2024

curl -i -k -X 'POST' \
  'https://regiester.y.../api/v2.0/robots' \
  -v \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Basic <base64 user:password encoded string>' \
  -d '{
  "secret": "secret",
  "disable": true,
  "name": "test-curl",
  "level": "system",
  "duration": 30,
  "description": "test curl with basic auth",
  "permissions": [
    {
      "access": [
        {
          "action": "create",
          "resource": "project",
          "effect": "allow"
        }
      ],
      "kind": "project",
      "namespace": "ns"
    }
  ]
}'

still does not work
{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}
