Can't use Docker Registry V2 HTTPS API w/ Harbor Registry.

[Clovel]

Issue

By trying to use the standard Docker Registry V2 HTTPS API with node-fetch & with cURL, I only get the UNAUTHORIZED error code.

Here is an example request :

curl -X GET -u user:password "https://ID.gra7.container-registry.ovh.net/v2/_catalog"

and the result

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}

The user and the password work to connect to the Harbor GUI & also work with docker login.

I cannot find any resources online about this issue. I need access to the following standard API requests :

• GET /_catalog
• GET /{repository}/tags/list
• HEAD /{repository}/manifests/{tag}
• DELETE /{repository}/manifests/{tag}

These requests work as intended with other standard Docker Registries. How can I use them with Harbor ?

Thanks for your help.

More results

• GET /_catalog

{
  "errors": [
    {
      "code":"UNAUTHORIZED",
      "message":"authentication required",
      "detail": [
        {
          "Type":"registry",
          "Class":"",
          "Name":"catalog",
          "Action":"*"
        }
      ]
    }
  ]
}

• GET /{repository}/tags/list

{
  "errors": [
    {
      "code":"UNAUTHORIZED",
      "message":"authentication required",
      "detail": [
        {
          "Type":"repository",
          "Class":"",
          "Name":"<subdir>/<reponame>",
          "Action":"pull"
        }
      ]
    }
  ]
}

• HEAD /{repository}/manifests/{tag}

HTTP/2 401
date: Tue, 01 Dec 2020 11:01:46 GMT
content-type: application/json; charset=utf-8
content-length: 168
docker-distribution-api-version: registry/2.0
www-authenticate: Bearer realm="https://ID.gra7.container-registry.ovh.net/service/token",service="harbor-registry",scope="repository:<subdir>/<reponame>:pull"
x-content-type-options: nosniff
strict-transport-security: max-age=15724800; includeSubDomains
x-ovh-ingress: public-ingress

• DELETE /{repository}/manifests/{tag}

{
  "errors": [
    {
      "code":"UNAUTHORIZED",
      "message":"authentication required",
      "detail": [
        {
          "Type":"repository",
          "Class":"",
          "Name":"<subdir>/<reponame>",
          "Action":"delete"
        }
      ]
    }
  ]
}

[kofj]

@Clovel Hi,Clovel. Read document https://docs.docker.com/registry/spec/auth/token/ first pls.

If you want access the standard v2 APIs, you need retrive Bearer token from ${YOUR_HARBOR_DOMAIN}/service/token first. And then, add the Bearer token to your request's header.

[Clovel]

Thanks for the answer @kofj.

How come I can access other registries with Basic Auth but not Harbor's Docker registry ?

Also, I can't seem to get the Bearer Token :

$ curl -X GET -u user:password "https://ID.gra7.container-registry.ovh.net/service/token"
Unable to handle service:

This looks like something our sys admin should activate. Any clues ?

[kofj]

1. What's your harbro version?

2. If your harbor instance is new version and standard, you can use basic auth to access v2 API with baisc auth. e.g.

curl -v --basic -u admin:Harbor12345 ${YOUR_HARBOR_DOMAIN}/v2/_catalog

[wy65701436]

@Clovel for the v2 api access, harbor supports both basci auth and bearer token.

For the basic, did you try the @kofj 's comments. For the bearer token, you can just follow the docker reigstry document.

[Clovel]

Version

1. What's your harbro version?

Version v1.10.0-6b84b62f

Basic Auth

2. If your harbor instance is new version and standard, you can use basic auth to access v2 API with baisc auth. e.g.

curl -v --basic -u admin:Harbor12345 ${YOUR_HARBOR_DOMAIN}/v2/_catalog

This simply doesn't work, and results in

$ curl -v -X GET --basic -u <username>:<password> "https://<ID>.gra7.container-registry.ovh.net/v2/_catalog"
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying <IP_ADDR>:443...
* TCP_NODELAY set
* Connected to <ID>.gra7.container-registry.ovh.net (<IP_ADDR>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.gra7.container-registry.ovh.net
*  start date: Nov 12 00:00:00 2020 GMT
*  expire date: Nov 12 23:59:59 2021 GMT
*  subjectAltName: host "<ID>.gra7.container-registry.ovh.net" matched cert\'s "*.gra7.container-registry.ovh.net"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user '<username>'
* Using Stream ID: 1 (easy handle <?????>)
> GET /v2/_catalog HTTP/2
> Host: <ID>.gra7.container-registry.ovh.net
> authorization: Basic <B64_AUTH>
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 401
< date: Mon, 07 Dec 2020 11:04:13 GMT
< content-type: application/json; charset=utf-8
< content-length: 145
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://<ID>.gra7.container-registry.ovh.net/service/token",service="harbor-registry",scope="registry:catalog:*"
< x-content-type-options: nosniff
< strict-transport-security: max-age=15724800; includeSubDomains
< x-ovh-ingress: public-ingress
<
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
* Connection #0 to host <ID>.gra7.container-registry.ovh.net left intact

It seems that Harbor is falling back to the Bearer token method and doesn't accept basic auth.

[Clovel]

Bumping the issue. Any ideas ?

[Lanyujiex]

hi,I met a same question,have you solve it now?

[Clovel]

hi,I met a same question,have you solve it now?

I'm sorry @Lanyujiex, I haven't. I switched from the OVH Docker registry provider to a self-hosted registry.

[IsaackRasmussen]

This is fixed in version 2.2.1 - I've just confirmed it.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[bmerry]

It seems anonymous access still doesn't work without providing some authentication on the latest version (v2.3.3-a0a9ed8a). If I create a public image, then try to fetch a manifest, I get

{"errors":[{"code":"UNAUTHORIZED","message":"authorize header needed to send HEAD to repository: authorize header needed to send HEAD to repository"}]}

However, if I use basic auth with some random username and password (not corresponding to an actual user) then it is successful.

[sify21]

@Clovel for the v2 api access, harbor supports both basci auth and bearer token.

For the basic, did you try the @kofj 's comments. For the bearer token, you can just follow the docker reigstry document.

Hi @wy65701436 I'm using Harbor v1.8.2-1c3a3d53 (sadly I don't have admin privileges and can't update it to a newer version), I tried to use bearer token. I can get a token using informations from Www-Authentication header, but using that token still gets me insufficient_scope error. Do you know how to get around it?

[root@dev /]#curl --request GET \
>   --url 'http://{harbor ip and port}/service/token?service=harbor-registry&scope=registry%3Acatalog%3A*'
{
  "token": "the token string",
  "expires_in": 1800,
  "issued_at": "2022-03-22T10:55:05Z"
}[root@dev  /]#curl --request GET \
>   --url http://{harbor ip and port}/v2/_catalog \
>   --header 'Authorization: Bearer {the token string}' -v
* About to connect() to {ip} port {port} (#0)
*   Trying {ip}...
* Connected to {ip} ({ip}) port {port} (#0)
> GET /v2/_catalog HTTP/1.1
> User-Agent: curl/7.29.0
> Host: {ip}:{port}
> Accept: */*
> Authorization: Bearer {token}
> 
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Tue, 22 Mar 2022 10:58:32 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 145
< Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
< Set-Cookie: sid=cbc98d48e4aff437dac8165d0475aae4; Path=/; HttpOnly
< Www-Authenticate: Bearer realm="http://{harbor ip and port}/service/token",service="harbor-registry",scope="registry:catalog:*",error="insufficient_scope"
< 
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
* Connection #0 to host {ip} left intact

[github-actions[bot]]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[bmerry]

I've retested with 2.5.3 and it still doesn't allow anonymously fetching the manifest for a public image (while succeeding when made-up Basic auth credentials are given).

[texano00]

Hi, using Harbor v2.5.3, I created a system robot account using below API

POST {harbor-host}/api/v2.0/robots
{
   "name":"lorem",
   "duration":-1,
   "description":"",
   "disable":false,
   "level":"system",
   "permissions":[
      {
         "access": [
         {
            "action": "push",
            "resource": "repository"
         },
         {
            "action": "delete",
            "resource": "repository"
         },
         {
            "action": "read",
            "resource": "artifact"
         },
         {
            "action": "list",
            "resource": "artifact"
         },
         {
            "action": "delete",
            "resource": "artifact"
         },
         {
            "action": "create",
            "resource": "artifact-label"
         },
         {
            "action": "delete",
            "resource": "artifact-label"
         },
         {
            "action": "list",
            "resource": "repository"
         },
         {
            "action": "create",
            "resource": "tag"
         },
         {
            "action": "delete",
            "resource": "tag"
         },
         {
            "action": "list",
            "resource": "tag"
         },
         {
            "action": "create",
            "resource": "scan"
         },
         {
            "action": "stop",
            "resource": "scan"
         },
         {
            "action": "read",
            "resource": "helm-chart"
         },
         {
            "action": "create",
            "resource": "helm-chart-version"
         },
         {
            "action": "delete",
            "resource": "helm-chart-version"
         },
         {
            "action": "create",
            "resource": "helm-chart-version-label"
         },
         {
            "action": "delete",
            "resource": "helm-chart-version-label"
         },
         {
            "action": "pull",
            "resource": "repository"
         }
         ],
         "kind": "project",
         "namespace": "*"
      },
      {
         "kind":"system",
         "namespace":"/",
         "access":[
            {
               "resource":"catalog",
               "action":"read"
            }
         ]
      }
   ]
}

With this robot I was able to call "GET {harbor-host}/v2/_catalog" successfully BUT trying to call "GET {harbor-host}/v2/{project}/{repo}/tags/list" I'm receiving

Get "{harbor-host}/v2/{project}/{repo}/tags/list": http: non-successful response (status=401 body="{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized to access repository: {project}/{repo}, action: pull: unauthorized to access repository: {project}/{repo}, action: pull"}]}\n")

I think this "if" https://github.com/goharbor/harbor/blob/v2.5.3/src/server/middleware/v2auth/auth.go#L76 is returning "false" for some reason (unknown to me).

[github-actions[bot]]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[github-actions[bot]]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

[embroede]

I've retested with 2.5.3 and it still doesn't allow anonymously fetching the manifest for a public image (while succeeding when made-up Basic auth credentials are given).

I am also seeing this behavior. Is this seen as a non-issue by the maintainers?

[ifofafk]

i just had the same problem. the Harbor version is "v2.8.0-89ef156d"

I have correct Harbor account and password, correct default-Registry account in "/opt/harbor/common/config/core/env". How can I use Registry api just with account? For I'm trying docker-java.jar to do sth....

[jpinkul]

I think this "if" https://github.com/goharbor/harbor/blob/v2.5.3/src/server/middleware/v2auth/auth.go#L76 is returning "false" for some reason (unknown to me).

I found this else if was dropping the permissions:

			if len(sysPolicies) != 0 {
				evaluators = evaluators.Add(system.NewEvaluator(s.GetUsername(), sysPolicies))
			} else if len(proPolicies) != 0 {
				evaluators = evaluators.Add(rbac_project.NewEvaluator(s.ctl, rbac_project.NewBuilderForPolicies(s.GetUsername(), proPolicies)))
			}

I tried changing the else if to just an if and was successfully able to add both project level and system level permissions to the same robot account.