
Catalog Listing not working with Bearer Token. Error receiving 401 unauthorised

Open Hiten11 opened this issue 4 years ago • 9 comments

I am not able to do catalog listing using Bearer token. Below are the operations performed.

root@ip-10-90-3-18:/home/ubuntu/harbor# docker --version
Docker version 19.03.11, build 42e35e61f3
root@ip-10-90-3-18:/home/ubuntu/harbor# docker-compose --version
docker-compose version 1.26.0, build d4451659

Request to get the token:
curl -k -v -u 'admin:Harbor12345' http://<harbor registry server>/service/token?service=harbor-registry&scope=registry:catalog:*

Response
[1] 23529
[root@localhost ~ ] * About to connect() to <harbor registry server> port 80 (#0)
*   Trying ......
* Connected to <harbor registry server> (...) port 80 (#0)
* Server auth using Basic with user 'admin'
GET /service/token?service=harbor-registry HTTP/1.1
Authorization: Basic YWRtaW46SGFyYm9yMTIzNDU=
User-Agent: curl/7.29.0
Host: <harbor registry server>
Accept: */*

< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 23 Nov 2020 08:39:47 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 1122
< Connection: keep-alive
< Set-Cookie: sid=d52190099e5a2a55de383e3ec4407aad; Path=/; HttpOnly
< X-Request-Id: a190671a-6d52-4a90-8022-8762b8843d0f
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
<
{ "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJQRkY6SzVGNDpSTE1YOkZPS0o6NUVVUjpIQUJFOlhSTDU6QUxJWjpOWFFSOkI2UVQ6UE9ETzo0S0FBIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoiYWRtaW4iLCJhdWQiOiJoYXJib3ItcmVnaXN0cnkiLCJleHAiOjE2MDYxMjI1ODcsIm5iZiI6MTYwNjEyMDc4NywiaWF0IjoxNjA2MTIwNzg3LCJqdGkiOiJoc0ZxeEdUOURSOHRpRThFIiwiYWNjZXNzIjpudWxsfQ.jbjwcV2yEnxALMCdifm_CfZM6lmbY4BrjUjjBnkn4hDdflOkZ-H-dyJMm3P2f-dXhCihkE-bjFiJg8GJap_Q3Hrgdlh4FEQwepiETviSX4NHFd6IQU-GX_FQghlft9ZXaJS6yznEXi9OGcEVxceWqnB-QjVmGkTlBaObeYV9lyHPjo-4ttSW-MyCxFhsSubnGoXJH2brt7-vk8tOKcVtXkno-w7do5rxJLJEAVzZM2RLq3AKcDLrfgAHhqbHZDe1kfbw5jSBNfNS0A2r-dt-MDZv4jc7fUqBBKf2lrDbZr0GhADGd6TYZDhnZQ-bwXMpHKD9Gj3KhGWgnBsndwUzvCYwAz4P5KijZ4f1aNo1ikj0N62otTrSSzFtGDOy8wRlo8Lm0zYgeFTdWZh4m0UsqrlDNW57_gO2vO6ztu57k5rVvAoZuMQqhCauBWVinYkeCpMQxkQTyzEOYGhtEEr97tASGD3XOQ7TmZgICdT8xLzm-15QJMtvxzHzdNtOk2U5fQQwECch-dM3eWiH9kGXzOPGl-7MK7eQAoxfyOIAFITjzgzevDLFNHlDqc1Bfxa2-O_F7k9IJry0jk_2-EQru3DOaDI7TNOcxXUG83HXvMzQIC9G-O2oPE_umi2linLMFzghvXIJX_F8lWBnhP5qIKMMtl1svDdveT-G-F2jD6s", "access_token": "", "expires_in": 1800, "issued_at": "2020-11-23T08:39:47Z"
Connection #0 to host <harbor registry server> left intact

Now setting the TOKEN to a token value.
[root@localhost ~ ] TOKEN=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJQRkY6SzVGNDpSTE1YOkZPS0o6NUVVUjpIQUJFOlhSTDU6QUxJWjpOWFFSOkI2UVQ6UE9ETzo0S0FBIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoiYWRtaW4iLCJhdWQiOiJoYXJib3ItcmVnaXN0cnkiLCJleHAiOjE2MDYxMjI1ODcsIm5iZiI6MTYwNjEyMDc4NywiaWF0IjoxNjA2MTIwNzg3LCJqdGkiOiJoc0ZxeEdUOURSOHRpRThFIiwiYWNjZXNzIjpudWxsfQ.jbjwcV2yEnxALMCdifm_CfZM6lmbY4BrjUjjBnkn4hDdflOkZ-H-dyJMm3P2f-dXhCihkE-bjFiJg8GJap_Q3Hrgdlh4FEQwepiETviSX4NHFd6IQU-GX_FQghlft9ZXaJS6yznEXi9OGcEVxceWqnB-QjVmGkTlBaObeYV9lyHPjo-4ttSW-MyCxFhsSubnGoXJH2brt7-vk8tOKcVtXkno-w7do5rxJLJEAVzZM2RLq3AKcDLrfgAHhqbHZDe1kfbw5jSBNfNS0A2r-dt-MDZv4jc7fUqBBKf2lrDbZr0GhADGd6TYZDhnZQ-bwXMpHKD9Gj3KhGWgnBsndwUzvCYwAz4P5KijZ4f1aNo1ikj0N62otTrSSzFtGDOy8wRlo8Lm0zYgeFTdWZh4m0UsqrlDNW57_gO2vO6ztu57k5rVvAoZuMQqhCauBWVinYkeCpMQxkQTyzEOYGhtEEr97tASGD3XOQ7TmZgICdT8xLzm-15QJMtvxzHzdNtOk2U5fQQwECch-dM3eWiH9kGXzOPGl-7MK7eQAoxfyOIAFITjzgzevDLFNHlDqc1Bfxa2-O_F7k9IJry0jk_2-EQru3DOaDI7TNOcxXUG83HXvMzQIC9G-O2oPE_umi2linLMFzghvXIJX_F8lWBnhP5qIKMMtl1svDdveT-G-F2jD6s

Command to do the catalog listing:
[root@localhost ~ ] curl -v -k -H "Authorization: Bearer $TOKEN" http://<harbor registry server>/v2/_catalog
* About to connect() to <harbor registry server> port 80 (#0)
*   Trying ......
* Connected to <harbor registry server> (...) port 80 (#0)
GET /v2/_catalog HTTP/1.1
User-Agent: curl/7.29.0
Host: <harbor registry server>
Accept: */*
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkJQRkY6SzVGNDpSTE1YOkZPS0o6NUVVUjpIQUJFOlhSTDU6QUxJWjpOWFFSOkI2UVQ6UE9ETzo0S0FBIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoiYWRtaW4iLCJhdWQiOiJoYXJib3ItcmVnaXN0cnkiLCJleHAiOjE2MDYxMjI1ODcsIm5iZiI6MTYwNjEyMDc4NywiaWF0IjoxNjA2MTIwNzg3LCJqdGkiOiJoc0ZxeEdUOURSOHRpRThFIiwiYWNjZXNzIjpudWxsfQ.jbjwcV2yEnxALMCdifm_CfZM6lmbY4BrjUjjBnkn4hDdflOkZ-H-dyJMm3P2f-dXhCihkE-bjFiJg8GJap_Q3Hrgdlh4FEQwepiETviSX4NHFd6IQU-GX_FQghlft9ZXaJS6yznEXi9OGcEVxceWqnB-QjVmGkTlBaObeYV9lyHPjo-4ttSW-MyCxFhsSubnGoXJH2brt7-vk8tOKcVtXkno-w7do5rxJLJEAVzZM2RLq3AKcDLrfgAHhqbHZDe1kfbw5jSBNfNS0A2r-dt-MDZv4jc7fUqBBKf2lrDbZr0GhADGd6TYZDhnZQ-bwXMpHKD9Gj3KhGWgnBsndwUzvCYwAz4P5KijZ4f1aNo1ikj0N62otTrSSzFtGDOy8wRlo8Lm0zYgeFTdWZh4m0UsqrlDNW57_gO2vO6ztu57k5rVvAoZuMQqhCauBWVinYkeCpMQxkQTyzEOYGhtEEr97tASGD3XOQ7TmZgICdT8xLzm-15QJMtvxzHzdNtOk2U5fQQwECch-dM3eWiH9kGXzOPGl-7MK7eQAoxfyOIAFITjzgzevDLFNHlDqc1Bfxa2-O_F7k9IJry0jk_2-EQru3DOaDI7TNOcxXUG83HXvMzQIC9G-O2oPE_umi2linLMFzghvXIJX_F8lWBnhP5qIKMMtl1svDdveT-G-F2jD6s

< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Mon, 23 Nov 2020 08:45:52 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 108
< Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
< Set-Cookie: sid=7657dcb0d2bdfd962d25995ec4bb11ed; Path=/; HttpOnly
< Www-Authenticate: Basic realm="harbor"
< X-Request-Id: db841f81-a1ff-4498-8387-980de1282433
<
{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized to list catalog: unauthorized to list catalog"}]}
* Connection #0 to host <harbor registry server> left intact

Hiten11 avatar Nov 23 '20 08:11 Hiten11

Could you try to quote the URL because there is a & in the query string.

curl -k -v -u 'admin:Harbor12345' 'http://<harbor registry server>/service/token?service=harbor-registry&scope=registry:catalog:*'

This will get the bearer token with scope registry:catalog:*.

The /v2 APIs support basic authorization from v2.0. You can try it to call the catalog API.

heww avatar Nov 30 '20 08:11 heww
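To check whether a token returned by /service/token actually carries the requested scope (with an unquoted `&` the shell cuts the URL, as the logged request line `GET /service/token?service=harbor-registry` shows), decode the JWT payload and read its `access` claim. This is an added example, not code from the thread or from Harbor; both tokens are constructed samples with a placeholder signature, the helper names are hypothetical, and the `access` layout follows the Docker registry token format.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def granted_scopes(token):
    """List the scopes in a registry token's `access` claim as type:name:actions.

    The signature is not verified: this inspects a token you were issued,
    it does not decide whether to trust one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    access = claims.get("access") or []  # null or absent: nothing was granted
    return ["%s:%s:%s" % (a["type"], a["name"], ",".join(a["actions"])) for a in access]


def make_sample_token(access):
    # Constructed sample; the signature segment is a placeholder, not a real RS256 value.
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {"iss": "sample-issuer", "sub": "admin",
               "aud": "harbor-registry", "access": access}
    segments = [_b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    return ".".join(segments + [_b64url_encode(b"constructed-signature")])


# Token requested without a scope (the '&scope=...' part never reached the server).
UNSCOPED = make_sample_token(None)
# Token requested with scope=registry:catalog:* in a quoted URL.
SCOPED = make_sample_token([{"type": "registry", "name": "catalog", "actions": ["*"]}])

if __name__ == "__main__":
    for label, tok in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(label, granted_scopes(tok) or "no access granted")
```

A scoped token rules out the quoting problem only; the later replies in this thread say /v2/_catalog on Harbor v2.x expects basic authorization regardless.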

> Could you try to quote the URL because there is a & in the query string.
>
> curl -k -v -u 'admin:Harbor12345' 'http://<harbor registry server>/service/token?service=harbor-registry&scope=registry:catalog:*'
>
> This will get the bearer token with scope registry:catalog:*.
>
> The /v2 APIs support basic authorization from v2.0. You can try it to call the catalog API.

"He Weiwei", thank you for your reply. I tried your suggestion. It still gives the same result: "unauthorized to list catalog". I tried both single quotes and double quotes in the URL. No change in the result.

Hiten11 avatar Dec 01 '20 03:12 Hiten11

Emm, /v2/_catalog does not support the bearer token currently; please use basic authorization to request this API.

BTW, all v2 APIs support basic authorization from harbor v2.0.

heww avatar Dec 10 '20 01:12 heww

This appears to be a regression. In v1.8.0, reading the response headers gives

Bearer realm="https://<harbor_url>/service/token",service="harbor-registry",scope="registry:catalog:*"

In v2.3.0 it gives

Basic realm="harbor"

Could this have been caused by https://github.com/goharbor/harbor/issues/12192 ?

mthomson-pulse avatar Sep 06 '21 13:09 mthomson-pulse
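The two challenges quoted above send a registry client down different paths: a Bearer challenge names the token endpoint, service and scope to request, while a Basic challenge asks for credentials on the request itself. The sketch below makes that decision from the `Www-Authenticate` value; it is an added example, not code from the thread or from Harbor, `harbor.example.test` stands in for `<harbor_url>`, and `parse_challenge` and `plan_auth` are hypothetical names.

```python
import re
from urllib.parse import urlencode

# Simplified: one challenge per header, quoted parameter values without escapes.
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(value):
    """Split a WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    if not scheme:
        raise ValueError("empty challenge")
    return scheme.lower(), dict(_PARAM.findall(rest))


def plan_auth(value, fallback_scope=None):
    """Return ('bearer', token_url) or ('basic', None) for a 401 challenge."""
    scheme, params = parse_challenge(value)
    if scheme == "basic":
        # The server is asking for Basic credentials on the request itself.
        return "basic", None
    if scheme == "bearer":
        if "realm" not in params:
            raise ValueError("Bearer challenge without realm")
        query = {}
        if params.get("service"):
            query["service"] = params["service"]
        scope = params.get("scope") or fallback_scope
        if scope:
            query["scope"] = scope
        # Building the URL here (not in a shell) avoids the unquoted '&' problem.
        return "bearer", params["realm"] + "?" + urlencode(query, safe=":*")
    raise ValueError("unsupported scheme: " + scheme)


# Header values as quoted in the comment above, with a constructed host name.
V1_8_CHALLENGE = ('Bearer realm="https://harbor.example.test/service/token",'
                  'service="harbor-registry",scope="registry:catalog:*"')
V2_3_CHALLENGE = 'Basic realm="harbor"'

if __name__ == "__main__":
    print(plan_auth(V1_8_CHALLENGE))
    print(plan_auth(V2_3_CHALLENGE))
```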

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jul 06 '22 09:07 github-actions[bot]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

github-actions[bot] avatar Aug 06 '22 09:08 github-actions[bot]

Just to note - this is still currently the practice (and this issue should be reopened and fixed when appropriate), and conflicts with virtually every other registry (and every tool used to access registries), which does allow for accessing it via a Bearer token (and which is specified in the Docker V2 spec, I believe).

What that means, practically, is that a tool like crane doesn't work for Harbor registries:

❯ crane catalog <my-registry>
Error: reading repos for <my-registry>: GET http://<my-registry>/v2/_catalog?n=1000: UNAUTHORIZED: unauthorized to list catalog: unauthorized to list catalog

Whereas calling with user:auth does work:

❯ curl --silent --basic -u admin:Harbor12345 <my-registry>/v2/_catalog  | jq .repositories
[
<my repos>
]

This is annoying, and makes integrating Harbor into tools meant for container registries very difficult.

dfreilich avatar Oct 08 '22 18:10 dfreilich

Hitting this issue trying to integrate Lacework agent with Harbor. We use OIDC for user authentication so we need to use robot accounts for these kinds of agents.

aitorpazos avatar Mar 09 '23 17:03 aitorpazos

@heww IMO, this should be reopened.

aitorpazos avatar Mar 09 '23 17:03 aitorpazos

Hi all,

We would like to keep tracking this requirement on https://github.com/goharbor/harbor/issues/20173

MinerYang avatar Apr 19 '24 10:04 MinerYang

Hi everybody,

Let me ask if anyone has resolved it yet.

Because currently I can't curl with tokens.

command: curl -H "Authorization: Bearer ${token2}" https://test.infinibad.local/v2/hehe/busybox/manifests/v1 -X GET

Result:
HTTP/2 401
date: Thu, 29 Aug 2024 09:07:07 GMT
content-type: application/json; charset=utf-8
content-length: 174
docker-distribution-api-version: registry/2.0
set-cookie: sid=e3f418848a4b2b52719a81772c6e2cd8; Path=/; HttpOnly
www-authenticate: Basic realm="harbor"

tnubeo1111 avatar Aug 29 '24 09:08 tnubeo1111