
Enable external security scanners to access the /v2/_catalog endpoints

Open danielpacak opened this issue 2 years ago • 7 comments

Is your feature request related to a problem? Please describe.

Even though system-level robot accounts are great, they are still too limited to integrate some external enterprise scanners that may require permission to inspect the content of the whole registry, like the Aqua Enterprise scanner.

In the following example I have created the robot$aqua-enterprise-scanner system robot account and granted it all permissions:

[screenshot: robot-account-for-aqua-enterprise]

However, when I use such credentials with the Aqua Enterprise scanner it is not authorized to browse the catalog. Browsing the catalog and letting the user choose images to scan is one of the core functionalities provided by Aqua.

Note: This is a different use case from scans triggered from the Harbor UI, where we use temporary robot account credentials created by Harbor and passed to the Harbor Scanner for Aqua Enterprise.

[screenshot: aqua-harbor-registry]

Describe the solution you'd like

To implement the least privilege principle when integrating Aqua with Harbor we should not use the Harbor admin account with excessive permissions. Instead we should use a system-level robot account with permission to browse the catalog.

Describe the main design/architecture of your solution

TBD

Describe the development plan you've considered

TBD

Additional context

This somehow circles back to my unanswered comment on https://github.com/goharbor/community/pull/148#discussion_r517947418

danielpacak avatar Dec 22 '21 11:12 danielpacak

@danielpacak does this break your function?

bitsf avatar Jan 04 '22 08:01 bitsf

@danielpacak does this break your function?

It works as long as we use Harbor admin credentials. What I described is not a bug but rather an enhancement to implement the least privilege principle when integrating Harbor with Aqua or similar tools.

danielpacak avatar Jan 04 '22 08:01 danielpacak

We have the exact same issue using Prisma Cloud (By Palo Alto Networks).

We have to use the Harbor admin account so that Prisma can successfully scan all images in all repos when it re-scans, which makes no sense. We also tried using a robot account, precisely to follow the least privilege principle, but it did not work.

flaviomoringa avatar Jan 05 '22 09:01 flaviomoringa

We are also having this issue with Aqua and a regular user account. Having admin should not be required.

warroyo avatar May 13 '22 17:05 warroyo

https://github.com/goharbor/harbor/issues/6784#issuecomment-1098772623

wy65701436 avatar May 23 '22 07:05 wy65701436

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jul 05 '22 09:07 github-actions[bot]

We have the same issue with NeuVector.

neothematrix avatar Aug 04 '22 08:08 neothematrix

Any movement on this? Requiring an Admin account to re-scan doesn't make sense. Could you help us understand if this is just something that has been missed or if there's a separate security concern?

SamStenton avatar Aug 12 '22 09:08 SamStenton

@neothematrix @SamStenton have you tried this https://github.com/goharbor/harbor/issues/6784#issuecomment-1098772623 to grant the v2/_catalog permission when creating a robot?

wy65701436 avatar Nov 02 '22 17:11 wy65701436

I can call /v2/_catalog in the following way.

1. Create a system-level robot account
curl -k -u '<admin_name>:<admin_password>' -X 'POST' \
 'https://<domain>/api/v2.0/robots' \
 -H 'accept: application/json' \
 -H 'Content-Type: application/json' \
 -d '{
    "name": "<robot_name>",
    "duration": 30,
    "description": "test",
    "disable": false,
    "level": "system",
    "permissions": [
        {
            "kind": "system",
            "namespace": "/",
            "access": [
                {
                    "resource": "catalog",
                    "action": "read"
                }
            ]
        }
    ]
}'
2. Call the catalog API
curl -k -u '<robot_name>:<robot_password>' -X 'GET' 'https://<domain>/v2/_catalog'

YangJiao0817 avatar Nov 03 '22 06:11 YangJiao0817

Since robot v2 supports calling the catalog API as mentioned above, closing this as fixed.

wy65701436 avatar Nov 03 '22 07:11 wy65701436

@wy65701436 Applying the permission set below with catalog.read, the robot cannot pull from an image repository.

"permissions": [
    {
      "access": [
        {
          "action": "pull",
          "resource": "repository"
        }
      ],
      "kind": "project",
      "namespace": "*"
    },
    {
      "access": [
        {
          "action": "read",
          "resource": "catalog"
        }
      ],
      "kind": "system",
      "namespace": "/"
    }
  ]

docker pull <container_image>

error pulling image configuration: download failed after attempts=1: unauthorized: unauthorized to access repository: <container_image>, action: pull: unauthorized to access repository: <container_image>, action: pull

DingGGu avatar Nov 07 '22 07:11 DingGGu
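The two comments above describe, between them, the full least-privilege check an integrator wants: create a robot with the system-level catalog:read permission (YangJiao0817's curl) plus a project-level repository:pull (DingGGu's payload), then confirm what the robot can actually do. The script below is an added example, not code from the issue thread or from the Harbor project. It builds that payload, creates the robot through the Harbor v2.0 robots API, and then probes the two operations scanners rely on, `/v2/_catalog` and a manifest fetch, reporting which ones the granted permissions really cover. Assumptions not taken from the page: Harbor URL, admin credentials, and a repository/tag to probe come from environment variables; the create response carries `name` and `secret` fields; the manifest endpoint is the standard `/v2/<repo>/manifests/<tag>`, reached with basic auth the same way the thread's curl reaches the catalog.

```python
"""Probe which operations a Harbor robot account is really authorized for."""
import base64
import json
import os
import urllib.error
import urllib.request
from typing import Optional


def build_robot_payload(name: str, duration_days: int = 30,
                        catalog_read: bool = True,
                        pull_namespace: Optional[str] = "*") -> dict:
    """Assemble the robot body from the two permission blocks in the thread:
    system-level catalog:read and project-level repository:pull."""
    permissions = []
    if catalog_read:
        permissions.append({
            "kind": "system",
            "namespace": "/",
            "access": [{"resource": "catalog", "action": "read"}],
        })
    if pull_namespace is not None:
        permissions.append({
            "kind": "project",
            "namespace": pull_namespace,
            "access": [{"resource": "repository", "action": "pull"}],
        })
    return {
        "name": name,
        "duration": duration_days,
        "description": "least-privilege scanner probe",  # constructed value
        "disable": False,
        "level": "system",
        "permissions": permissions,
    }


def _request(url: str, user: str, password: str,
             method: str = "GET", body: Optional[dict] = None):
    """Basic-auth HTTP call; returns (status, response text) without raising."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def classify(status: int) -> str:
    """Map an HTTP status to the outcome a permission review cares about."""
    if status == 200:
        return "allowed"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"
    return f"unexpected:{status}"


def probe(base_url: str, robot_user: str, robot_secret: str,
          repo: str, tag: str = "latest") -> dict:
    """Exercise the two operations scanners need and report each outcome."""
    cat_status, _ = _request(f"{base_url}/v2/_catalog", robot_user, robot_secret)
    man_status, _ = _request(f"{base_url}/v2/{repo}/manifests/{tag}",
                             robot_user, robot_secret)
    return {"catalog": classify(cat_status), "manifest_pull": classify(man_status)}


if __name__ == "__main__":
    # Assumed environment variables (not from the page).
    base = os.environ["HARBOR_URL"].rstrip("/")
    admin, admin_pw = os.environ["HARBOR_ADMIN"], os.environ["HARBOR_ADMIN_PASSWORD"]
    repo, tag = os.environ["REPO"], os.environ.get("TAG", "latest")

    payload = build_robot_payload("scanner-probe")
    status, text = _request(f"{base}/api/v2.0/robots", admin, admin_pw, "POST", payload)
    if status != 201:
        raise SystemExit(f"robot creation failed: {status} {text}")
    created = json.loads(text)  # assumed to contain "name" and "secret"
    print(json.dumps(probe(base, created["name"], created["secret"], repo, tag), indent=2))
```

If the report shows `catalog: allowed` but `manifest_pull: denied`, you have reproduced the gap DingGGu describes and the robot is not yet a usable substitute for the admin account; keep the admin credential out of the scanner configuration until both lines read `allowed`.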

This is also affecting me wanting to use Snyk with Harbor.

cmur2 avatar Nov 23 '22 08:11 cmur2