Using the robot account to call the vulnerability api.
We want to use the robot account to call the vulnerability api. So I created a system robot account with the following permission.
```json
{
  "level": "system",
  "permissions": [
    {
      "kind": "system",
      "namespace": "/",
      "access": [
        {
          "resource": "*",
          "action": "list"
        }
      ]
    }
  ]
}
```
But when I call the API (`/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/vulnerabilities`) I get a FORBIDDEN error.
What permission do I need to give so that the error doesn't occur?
Please answer. :)
The RBAC for this API
`/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/vulnerabilities`
is here:
- https://github.com/goharbor/harbor/blob/v2.6.1/src/server/v2.0/handler/artifact.go#L398
It seems this API requires `rbac.ActionRead`, while the `permissions.access` of this robot account is `"action":"list"`.
@zyyw hi. Thanks for the reply. Because of your answer, I added a read action like below.
```json
{
  "permissions": [
    {
      "access": [
        {
          "action": "list",
          "resource": "*"
        },
        {
          "action": "read",
          "resource": "*"
        }
      ],
      "kind": "system",
      "namespace": "/"
    }
  ]
}
```
But still getting forbidden error. Am I setting something wrong?
please refer to this to create the robot. https://github.com/goharbor/harbor/issues/14145#issuecomment-781006533
To fetch the CVE scan results & additions over the API (and with global system robot accounts) you should take a look at https://github.com/goharbor/harbor/blob/5cd5bcaee44e9f57c96ac8327009bcffb95ac7a5/src/common/rbac/const.go#L58 and https://github.com/goharbor/harbor/blob/v2.6.1/src/server/v2.0/handler/artifact.go#L398
Note: the required RBAC settings (snippet, see below) do not appear in the Harbor UI and cannot be managed over the portal (version ?<=2.5.4). One of the options: use the Harbor terraform provider, resource `harbor_robot_account`, kind: "project", see https://github.com/goharbor/terraform-provider-harbor/blob/master/docs/resources/robot_account.md. Robot accounts with extended permissions on registry projects can then invoke Harbor API methods to fetch the list of vulnerabilities, see the Harbor swagger.yml API spec and the method `/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/vulnerabilities`
## kind: project, system robot permissions
```hcl
access {
  action   = "read"
  resource = "artifact-addition"
}
access {
  action   = "read"
  resource = "artifact-label"
}
```
@wy65701436 The account has already been created by calling the robots post api. But when I look up vulnerabilities, I get a permission error
@mwhcp
```hcl
access {
  action   = "read"
  resource = "artifact-addition"
}
access {
  action   = "read"
  resource = "artifact-label"
}
```
Are you saying you need a robot account with this permission? I think it is the same whether it is created with terraform or created with api, and an error occurs even when I give permission as below.
```json
{
  "level": "system",
  "name": "r-sec-collector",
  "permissions": [
    {
      "access": [
        {
          "action": "read",
          "resource": "artifact-addition"
        },
        {
          "action": "read",
          "resource": "artifact-label"
        }
      ],
      "kind": "system",
      "namespace": "/"
    }
  ]
}
```
I can confirm that adding READ for `artifact-addition` works. I had to use the API `robots/{robot_id}` to update the robot account permissions.
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
Hello all,
I'm having trouble with the robot account. Created in Harbor UI => covered all projects (read), permissions updated via API to export CVEs. Permissions see attached file: robot_permissions.txt
Got from python: requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://fqdn-of-local-harbor/api/v2.0/export/cve
Does the robot still lack any authorization?
Regards, temirg. PS: Harbor v2.6.4
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
Not stale
> I can confirm that adding READ for `artifact-addition` works. I had to use the API `robots/{robot_id}` to update the robot account permissions.
This worked! Fetch the robot details with GET, then use the response JSON in PUT but with the added permission:
`{ "resource": "artifact-addition", "action": "read" }`
I have a robot created over API:
```json
{
  "disable": false,
  "name": "cve-export",
  "level": "system",
  "duration": 0,
  "description": "robot for cve export created over API",
  "permissions": [
    {
      "access": [
        {
          "action": "*",
          "resource": "*"
        }
      ],
      "kind": "system",
      "namespace": "/"
    },
    {
      "access": [
        {
          "action": "*",
          "resource": "*"
        }
      ],
      "kind": "project",
      "namespace": "proj1"
    }
  ]
}
```
According to https://goharbor.io/blog/harbor-2.6/.
Let's imagine that the id of proj1 is 123 and the secret of cve-export is qwerty1234567:
```shell
curl -X POST 'https://harbor.domain/api/v2.0/export/cve' -H 'content-type: application/json' -H 'x-scan-data-type: application/vnd.security.vulnerability.report; version=1.1' --data-raw '{"projects":[123],"labels":[],"repositories":null,"tags":null,"cveIds":null}' -u 'cve-export:qwerty1234567'
```
and I got:
```json
{"errors":[{"code":"FORBIDDEN","message":"forbidden"}]}
```
Where was I wrong?
I found one way which was accepted by Harbor: authorizing over cookies from my browser instead of the basic auth header (flag `-u` at curl), but it is useless in my case.
I use Harbor Version v2.8.0-89ef156d.
harbor does not support * as a kind of resource or action, you have to specify it. @hardenchant
> harbor does not support * as a kind of resource or action, you have to specify it. @hardenchant

Anyway, I tried specifying a lot of combinations of permissions. I have Harbor with OIDC, and when I log in as the admin user I can export the CVE CSV in the UI with cookie auth, but when I try to generate the CVE CSV over the API with a user CLI secret or a robot token with system/project permissions, I get 403. Where can I find an example set of permissions for CVE export?
@wy65701436 it could be easy: Developers write step-by-step instructions with examples and screenshots on how to create and authorize a robot account for the CVE export. This guide becomes part of the Harbor documentation.
This means that future issues / inquiries are no longer necessary.
Best Regards, temirg.
Now I also ran into this issue. Yeah, it's sub-optimal that there is no clear indication in swagger of the required permission, nor is it usable that the permission for artifact-addition can't be set via the UI.
Are there any restrictions so that "artifact-addition" can only be added to system-level robot accounts and not to project-level ones?
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
Still relevant
The problem was resolved for me by adding the `{"action":"read","resource":"artifact-addition"}` permission to the robot account's permission list. But is it possible to add this permission to the Harbor UI? Because it's a little hard to add or update the permission list through the API, and sometimes I don't know which permission needs to be added for a specific API call.
We've already added artifact-addition to the Harbor UI for robot creation in v2.10.0. Please try it, and reopen if the problem still exists.