Different API behavior in Harbor version 2.9 vs. prior versions: Users with limited_guest role are not able to query the repository endpoint by id #19709

Closed
Vad1mo opened this issue Dec 13, 2023 · 4 comments · Fixed by #19757

Vad1mo (Member) commented Dec 13, 2023

Expected behavior and actual behavior:
Users with the limited_guest role are not able to query the repository endpoint by id in version 2.9; this was different in 2.8 and prior, down to 2.4.

Log output for Version 2.9.1

The last two lines:

2023-12-12T14:00:44Z [DEBUG] [/server/middleware/security/idtoken.go:67][requestID="585c9d98-4c29-4d9b-82e6-c0109053ab19"]: an ID token security context generated for request GET /api/v2.0/projects/adv-test123/repositories/centos
2023/12/12 14:00:44 Model:
2023/12/12 14:00:44 m.m: g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && (r_act == p_act || p_act == '*')
2023/12/12 14:00:44 g.g: _, _
2023/12/12 14:00:44 r.r: sub, obj, act
2023/12/12 14:00:44 p.p: sub, obj, act, eft
2023/12/12 14:00:44 e.e: some(where (p_eft == allow)) && !some(where (p_eft == deny))
2023/12/12 14:00:44 Policy:
2023/12/12 14:00:44 p: sub, obj, act, eft: [[limitedGuest /project/10 read allow] [limitedGuest /project/10/quota read allow] [limitedGuest /project/10/repository list allow] [limitedGuest /project/10/repository pull allow] [limitedGuest /project/10/configuration read allow] [limitedGuest /project/10/scan read allow] [limitedGuest /project/10/scanner read allow] [limitedGuest /project/10/tag list allow] [limitedGuest /project/10/accessory list allow] [limitedGuest /project/10/artifact read allow] [limitedGuest /project/10/artifact list allow] [limitedGuest /project/10/artifact-addition read allow]]
2023/12/12 14:00:44 g: _, _: [[[email protected] limitedGuest]]
2023/12/12 14:00:44 Role links for: g
2023/12/12 14:00:44 [email protected] < limitedGuest
2023/12/12 14:00:44 Request: [email protected], /project/10/repository, read ---> false
2023-12-12T14:00:44Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"FORBIDDEN","message":"forbidden"}]}

Log output for 2.7.1

2023-12-12T14:27:13Z [DEBUG] [/pkg/oidc/helper.go:414]: populateGroupsDB, group filter
2023-12-12T14:27:13Z [DEBUG] [/server/middleware/security/idtoken.go:67][requestID="396f796d-bfb5-4619-a2c5-a51fb3c65e7c"]: an ID token security context generated for request GET /api/v2.0/projects/adv-test/repositories/fluent
2023/12/12 14:27:13 Model:
2023/12/12 14:27:13 e.e: some(where (p_eft == allow)) && !some(where (p_eft == deny))
2023/12/12 14:27:13 m.m: g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && (r_act == p_act || p_act == '*')
2023/12/12 14:27:13 g.g: _, _
2023/12/12 14:27:13 r.r: sub, obj, act
2023/12/12 14:27:13 p.p: sub, obj, act, eft
2023/12/12 14:27:13 Policy:
2023/12/12 14:27:13 p: sub, obj, act, eft: [[limitedGuest /project/6 read allow] [limitedGuest /project/6/quota read allow] [limitedGuest /project/6/repository list allow] [limitedGuest /project/6/repository pull allow] [limitedGuest /project/6/helm-chart read allow] [limitedGuest /project/6/helm-chart list allow] [limitedGuest /project/6/helm-chart-version read allow] [limitedGuest /project/6/helm-chart-version list allow] [limitedGuest /project/6/configuration read allow] [limitedGuest /project/6/scan read allow] [limitedGuest /project/6/scanner read allow] [limitedGuest /project/6/tag list allow] [limitedGuest /project/6/accessory list allow] [limitedGuest /project/6/artifact read allow] [limitedGuest /project/6/artifact list allow] [limitedGuest /project/6/artifact-addition read allow]]
2023/12/12 14:27:13 g: _, _: [[[email protected] limitedGuest]]
2023/12/12 14:27:13 Role links for: g
2023/12/12 14:27:13 [email protected] < limitedGuest
2023/12/12 14:27:13 Request: [email protected], /project/6/repository, list ---> true
2023-12-12T14:27:16Z [DEBUG] [/pkg/config/manager.go:140]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value n

Steps to reproduce the problem:
Create a user with the limited_guest role.
Make a curl request with GET /api/v2.0/projects/library/repositories/image

Versions:
2.9.1  ❌
<2.8.1 ✅

Additional context:

In my opinion it makes sense for a limited user to be able to list repositories.
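The two debug logs above print the complete casbin-style model and policy that Harbor evaluated, so the denial can be reproduced offline. The limitedGuest policy grants repository:list and repository:pull but no repository:read; the 2.9.1 log checks the GET-by-name request as `/project/10/repository read`, while the 2.7.1 log checks the same kind of request as `/project/6/repository list`. The following Go program is an added example, not Harbor's or casbin's own code: it re-implements the matcher and effect expression from the logs, loads the limitedGuest rules as listed in the 2.9.1 log, and evaluates both logged requests. The type and function names (Rule, Grouping, Enforce, LimitedGuestPolicy), the simplified keyMatch2, and the user name "alice" are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is one policy line as printed in the Harbor debug log: p = sub, obj, act, eft.
type Rule struct {
	Sub, Obj, Act, Eft string
}

// Grouping holds the role links printed as "g: _, _" (subject -> roles).
type Grouping map[string][]string

var paramRe = regexp.MustCompile(`:[^/]+`)

// keyMatch2 is a simplified reimplementation (an assumption, not casbin's own code)
// of casbin's keyMatch2: "/*" matches any suffix, ":name" matches one path segment.
func keyMatch2(key1, key2 string) bool {
	pattern := strings.ReplaceAll(key2, "/*", "/.*")
	pattern = paramRe.ReplaceAllString(pattern, "[^/]+")
	return regexp.MustCompile("^" + pattern + "$").MatchString(key1)
}

// hasRole resolves g(r_sub, p_sub), following role links transitively.
func hasRole(g Grouping, sub, role string) bool {
	if sub == role {
		return true
	}
	for _, r := range g[sub] {
		if hasRole(g, r, role) {
			return true
		}
	}
	return false
}

// Enforce evaluates the matcher and effect printed in the log:
// m = g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && (r_act == p_act || p_act == '*')
// e = some(where (p_eft == allow)) && !some(where (p_eft == deny))
func Enforce(policy []Rule, g Grouping, sub, obj, act string) bool {
	allow, deny := false, false
	for _, p := range policy {
		if !hasRole(g, sub, p.Sub) || !keyMatch2(obj, p.Obj) {
			continue
		}
		if act != p.Act && p.Act != "*" {
			continue
		}
		switch p.Eft {
		case "allow":
			allow = true
		case "deny":
			deny = true
		}
	}
	return allow && !deny
}

// LimitedGuestPolicy returns the limitedGuest rules as listed in the 2.9.1 log
// for a given project id. Note: repository is granted list and pull, not read.
func LimitedGuestPolicy(projectID int) []Rule {
	base := fmt.Sprintf("/project/%d", projectID)
	grants := []struct{ res, act string }{
		{"", "read"}, {"/quota", "read"},
		{"/repository", "list"}, {"/repository", "pull"},
		{"/configuration", "read"}, {"/scan", "read"}, {"/scanner", "read"},
		{"/tag", "list"}, {"/accessory", "list"},
		{"/artifact", "read"}, {"/artifact", "list"}, {"/artifact-addition", "read"},
	}
	rules := make([]Rule, 0, len(grants))
	for _, gr := range grants {
		rules = append(rules, Rule{Sub: "limitedGuest", Obj: base + gr.res, Act: gr.act, Eft: "allow"})
	}
	return rules
}

func main() {
	// Constructed user name for the example; the real log shows an e-mail address.
	g := Grouping{"alice": {"limitedGuest"}}
	// 2.9.1 checks GET .../repositories/{name} as repository:read -> denied
	fmt.Println("2.9.1 repository read:", Enforce(LimitedGuestPolicy(10), g, "alice", "/project/10/repository", "read"))
	// 2.7.1 checked the same endpoint as repository:list -> allowed
	fmt.Println("2.7.1 repository list:", Enforce(LimitedGuestPolicy(6), g, "alice", "/project/6/repository", "list"))
}
```

Running it prints false for the 2.9.1 check and true for the 2.7.1 check, matching the `---> false` and `---> true` lines in the logs. The useful check for an operator hitting this on an upgrade is therefore not the role assignment (it is identical in both logs) but which action the endpoint now demands versus which actions the role's policy rows grant.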

stonezdj (Contributor) commented:

Seems related to b021dbd

wy65701436 (Contributor) commented:

@YangJiao0817 please help to add a breaking change note to the release notes.

YangJiao0817 (Member) commented:

Harbor v2.9.0 release notes updated.
https://github.com/goharbor/harbor/releases/tag/v2.9.0

Vad1mo (Member, Author) commented Jan 1, 2024

related to #18188
