harbor icon indicating copy to clipboard operation
harbor copied to clipboard

Published 20 hours ago verified publisher icon goharbor

Robot account with permissions to pull across all and push project specific

Open theabrar opened this issue 10 months ago • 9 comments

I’m trying to create a system level robot account with permissions to

  • pull repository across all projects
  • push repository to project “my-project-name”

as mentioned in the harbor terraform provider documentation here, however, having the namespace = "*" seems to override other permissions and does not allow the push to the project.

Tried doing on the UI, and its the same: select a project on the Select Project Permissions tab on the edit Robot Account modal, add the Pull and Push permissions on the Repository resource come out and then select Cover all projects checkbox to give permissions to pull from across all projects, but the individual project permissions are overriden now.

How do we achieve this? appreciate the support here, thanks.

Harbor Version v2.10.1-b7b88476

theabrar avatar Mar 28 '24 17:03 theabrar

you can do it through the robot creation UI, check the pull permission for each project and the push permission of “my-project-name”.

Like: image

wy65701436 avatar Apr 01 '24 06:04 wy65701436

thanks @wy65701436 for the reply, I understand its achievable using the way you describe, however, trying to do it using the terraform provider (example in the documentation), as it'll be cumbersome with having multiple harbor deployments and projects with a robot account per project. If this is more related to terraform-provider-harbor happy to raise this as a bug there.

theabrar avatar Apr 08 '24 09:04 theabrar

@wy65701436 I re-open this ticket as I think it's not an issue with the provider but with the UI as with the API you can create a robot account with "Cover all project" rights AND specific projects rights :

[
  {
    "creation_time": "2024-04-15T14:32:14.849Z",
    "description": "System level Robot account for Project",
    "disable": false,
    "duration": -1,
    "editable": true,
    "expires_at": -1,
    "id": 1,
    "level": "system",
    "name": "robot$ci",
    "permissions": [
      {
        "access": [
          {
            "action": "pull",
            "effect": "allow",
            "resource": "repository"
          }
        ],
        "kind": "project",
        "namespace": "*"
      },
      {
        "access": [
          {
            "action": "pull",
            "effect": "allow",
            "resource": "repository"
          },
          {
            "action": "push",
            "effect": "allow",
            "resource": "repository"
          }
        ],
        "kind": "project",
        "namespace": "library"
      }
    ],
    "update_time": "2024-04-15T14:33:03.769Z"
  }
]

flbla avatar Apr 15 '24 14:04 flbla

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jun 15 '24 09:06 github-actions[bot]

commenting to keep it active. cc: @flbla

theabrar avatar Jun 17 '24 09:06 theabrar

can you share the request when issuing the robot account?

wy65701436 avatar Aug 05 '24 05:08 wy65701436