Robot accounts still does not have full permissions #19792

Closed
Tim-herbie opened this issue Jan 4, 2024 · 4 comments · Fixed by #19799

@Tim-herbie

I created a new robot with full permission on system and project level and tested it with Terraform. It gets far fewer errors than before, but I still get some errors. Is that expected?

Expected Behavior

I would expect that since this [issue](https://github.com//issues/8723) has been implemented, I would be able to manage all harbor terraform resources with the newly created robot-account with full permissions.

Current Behavior

I get the error message that robot accounts, harbor_config_auth and config_system cannot be edited with the robot account. In the following snippet, terraform would like to create an already existing robot-account (it exists and was created before with terraform).

```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # module.projects.harbor_robot_account.robot_account["robot-test"] will be created
  + resource "harbor_robot_account" "robot_account" {
      + disable   = false
      + duration  = -1
      + full_name = (known after apply)
      + id        = (known after apply)
      + level     = "system"
      + name      = "test"
      + robot_id  = (known after apply)
      + secret    = (sensitive value)

      + permissions {
          + kind      = "project"
          + namespace = "test"

          + access {
              + action   = "create"
              + effect   = "allow"
              + resource = "artifact-label"
            }
          + access {
              + action   = "create"
              + effect   = "allow"
              + resource = "tag"
            }
          + access {
              + action   = "list"
              + effect   = "allow"
              + resource = "artifact"
            }
          + access {
              + action   = "list"
              + effect   = "allow"
              + resource = "repository"
            }
          + access {
              + action   = "list"
              + effect   = "allow"
              + resource = "tag"
            }
          + access {
              + action   = "pull"
              + effect   = "allow"
              + resource = "repository"
            }
          + access {
              + action   = "push"
              + effect   = "allow"
              + resource = "repository"
            }
          + access {
              + action   = "read"
              + effect   = "allow"
              + resource = "artifact"
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ robot_secrets = (sensitive value)
╷
│ Error: unexpected end of JSON input
│
│   with harbor_config_auth.oidc,
│   on oidc.tf line 1, in resource "harbor_config_auth" "oidc":
│    1: resource "harbor_config_auth" "oidc" {
│
╵
╷
│ Error: Error getting system configuration unexpected end of JSON input
│
│   with harbor_config_system.config_system,
│   on system-configuration.tf line 1, in resource "harbor_config_system" "config_system":
│    1: resource "harbor_config_system" "config_system" {
│
╵
```

Steps to Reproduce

  1. Create the following resources with the Terraform Harbor Provider and use the Admin Credentials:
     • harbor_config_system
     • harbor_config_auth
     • harbor_robot_account
  2. Create a full permission robot-account
  3. Change the credentials for the harbor terraform provider from the admin credentials into the robot-account credentials
  4. Do a "terraform apply"

Context

At the moment we use the admin credentials of Harbor to manage it with Terraform, but we would like to use a dedicated robot-account for it.

Your Environment

Harbor Server Version: v2.10.0-6abb4eab
Terraform version: Terraform v1.5.7
Harbor Terraform Provider: 3.10.5

@blancadesal

Adding to this: according to the proposal, robot accounts were expected to be getting read permissions on quota in 2.10. It seems however like this wasn't implemented in the end. I've confirmed this by testing on my local 2.10 instance to make sure it wasn't just a case of forgetting to document it.

YangJiao0817 pushed a commit to YangJiao0817/harbor that referenced this issue Jan 5, 2024
YangJiao0817 pushed a commit to YangJiao0817/harbor that referenced this issue Jan 8, 2024
YangJiao0817 added a commit that referenced this issue Jan 8, 2024
Fix #19792

Signed-off-by: Yang Jiao <[email protected]>
Co-authored-by: Yang Jiao <[email protected]>
YangJiao0817 added a commit that referenced this issue Jan 8, 2024
Add quota permissions to robot account

Fix #19792

Signed-off-by: Yang Jiao <[email protected]>
Co-authored-by: Yang Jiao <[email protected]>
@rgarcia89

@YangJiao0817 I think you have skipped our request?

altynbaev pushed a commit to altynbaev/harbor that referenced this issue Jan 29, 2024
Fix goharbor#19792

Signed-off-by: Yang Jiao <[email protected]>
Co-authored-by: Yang Jiao <[email protected]>
Signed-off-by: Altynbaev Dinislam <[email protected]>
@Forbzy

Forbzy commented Feb 16, 2024

I've tested this on 2.10.0. It doesn't work. Still getting unauthorised.

@blancadesal

> I've tested this on 2.10.0. It doesn't work. Still getting unauthorised.

My understanding is that this patch will be part of the next release.
