harbor: Users must be Harbor admins to query docker registry catalog (v2/_catalog)

request

Allow a harbor user to query docker registry v2/_catalog endpoint without being a Harbor admin

issue

We want to integrate Harbor with external tools that benefit from the v2/_catalog API (such as Spinnaker ). Without the catalog endpoint, configuring these tools requires manually enumerating all images.

While Harbor supports the endpoint, testing has shown that a user must be a Harbor admin (not project admin) to access it. This is unfortunate as it requires us to promote these tool accounts.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 22
  • Comments: 16 (1 by maintainers)

Most upvoted comments

Just to add after a few more tests: I can confirm what was supposed in the reply https://github.com/goharbor/harbor/issues/14145#issuecomment-825593691 of issue #14145. After configuring the system permissions to read the catalog, the project permissions don't work anymore. I get an access denied when trying to pull an image on a project where the robot account has all the grants. After editing the robot account and removing the system/catalog read permission, I am able to use the account to pull the same image from the same repository. It seems that the mixing of system and project ACLs breaks the project permissions evaluation. Really disappointing, since the addition of the catalog read grant via the API was a really nice step forward in the integration of an external tool like VS Code, without the need to use an admin account.

I have exactly the same problem described by @whysi using Harbor v2.5.3. It seems that “project” and “system” permissions do not work well together. 😭 Unfortunately this behavior does not permit integration of external tools that use the Docker HTTP API v2. I described my use case here --> https://github.com/goharbor/harbor/issues/13653#issuecomment-1205438111

Hey everyone, I applied a simple workaround, and now my environment has full access to /v2/_catalog

  1. create a dedicated robot account only with catalog access
  2. spin up Nginx reverse proxy -> harbor-core with hardcoded Authorization "Basic cm9ib...
  3. point ingress /v2/_catalog to reverse proxy

It works like a charm 🎉

Ingress block to reverse proxy

...
            path: /service/
            pathType: Prefix
          - backend:
              service:
                name: hardor-registry-fix
                port:
                  number: 80
            path: /v2/_catalog
            pathType: Prefix
          - backend:
              service:
                name: harbor-core
                port:
                  number: 80
            path: /v2/
            pathType: Prefix
          - backend:
...

Nginx configuration

server {
    listen       8080;
    listen  [::]:8080;
    server_name  localhost;

    location / {
        proxy_pass http://harbor-core;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Authorization "Basic cm9...";
    }
}

Part of nginx-catalog-deployment.yaml

    spec:
      containers:
        - image: nginx:1-alpine-slim
          name: nginx
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: config
              mountPath: /etc/nginx/conf.d

Harbor (v2.4+) supports using a robot account to call the catalog API, but it’s not exposed in the UI, so you have to create the robot with the API.

{
   "name":"test",
   "duration":30,
   "description":"test",
   "disable":false,
   "level":"system",
   "permissions":[
      {
         "kind":"system",
         "namespace":"/",
         "access":[
            {
               "resource":"catalog",
               "action":"read"
            }
         ]
      }
   ]
}
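The following script is an added example, not code from the Harbor project or from anyone in this thread. It ties together the two preceding comments: it builds the catalog-only robot payload shown above, checks that the payload carries nothing but the system-level catalog:read grant (the system/project mix that earlier comments report breaks project pulls is rejected), creates the robot with admin credentials once, and then lists the catalog as that robot instead of as an admin. It assumes Harbor's REST endpoint POST /api/v2.0/robots accepts this payload and returns a JSON body with "name" and "secret", and that the catalog is the standard registry endpoint GET /v2/_catalog; the environment variable names, the sample catalog body and the robot name are constructed for the example.

```python
"""Create a catalog-only system robot in Harbor and list /v2/_catalog with it.

Added example, not Harbor project code. Assumptions: POST /api/v2.0/robots takes the
payload shape from the thread and answers with JSON containing "name" and "secret";
GET /v2/_catalog is the standard registry catalog endpoint. Env var names are ours.
"""
import base64
import json
import os
import urllib.request

# Constructed sample response body for offline use (not a real registry's output).
SAMPLE_CATALOG = b'{"repositories":["library/nginx","team-a/app"]}'


def build_robot_payload(name: str, duration_days: int = 30) -> dict:
    """System-level robot whose only grant is catalog:read (shape from the thread)."""
    return {
        "name": name,
        "duration": duration_days,
        "description": "catalog read-only robot",
        "disable": False,
        "level": "system",
        "permissions": [
            {
                "kind": "system",
                "namespace": "/",
                "access": [{"resource": "catalog", "action": "read"}],
            }
        ],
    }


def least_privilege_check(robot: dict) -> bool:
    """True only if every grant is catalog:read at system level.

    Run before creating the robot, so a payload that also carries project grants
    (the combination reported above to break project pulls) is not submitted.
    """
    if robot.get("level") != "system":
        return False
    for perm in robot.get("permissions", []):
        if perm.get("kind") != "system":
            return False
        for acc in perm.get("access", []):
            if (acc.get("resource"), acc.get("action")) != ("catalog", "read"):
                return False
    return True


def basic_auth_header(user: str, secret: str) -> str:
    """HTTP Basic credential, the form the nginx workaround above hard-codes."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return f"Basic {token}"


def parse_catalog(body: bytes) -> list:
    """Repository names from a /v2/_catalog response body."""
    return list(json.loads(body).get("repositories", []))


def _api(method: str, url: str, auth: str, payload=None) -> bytes:
    """Minimal JSON request helper around urllib (stdlib only)."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Live calls only when HARBOR_URL is set; the helpers above work offline.
    harbor = os.environ.get("HARBOR_URL")  # e.g. https://harbor.example.test (placeholder)
    if harbor:
        admin_auth = basic_auth_header(os.environ["HARBOR_ADMIN"],
                                       os.environ["HARBOR_ADMIN_PASSWORD"])
        payload = build_robot_payload("catalog-reader")
        if not least_privilege_check(payload):
            raise SystemExit("refusing to create a robot with grants beyond catalog:read")
        created = json.loads(_api("POST", f"{harbor}/api/v2.0/robots", admin_auth, payload))
        # Harbor returns the full robot name (system robots carry a prefix); use it as-is.
        robot_auth = basic_auth_header(created["name"], created["secret"])
        print(parse_catalog(_api("GET", f"{harbor}/v2/_catalog", robot_auth)))
    else:
        print(parse_catalog(SAMPLE_CATALOG))
```

The admin credential is used exactly once, to mint the robot; the tool that needs the catalog (Spinnaker, the VS Code extension, or the nginx proxy from the workaround) is then given only the robot's Basic credential, which carries catalog:read and nothing else. Keeping the robot free of project grants is what the check enforces, since the thread reports that adding project permissions to the same robot breaks its pulls.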

Any updates?

We use Visual Studio Code Docker extensions to access the remote Harbor registry; it’s not safe to give everyone the admin access privilege just for listing the catalog.

Is there any update on this? We would like to integrate with Spinnaker. Also, is it possible for a project admin to query v2/_catalog so that it lists only the images/charts for his specific project?

@coolpalani yes we have it working with some caveats…

  1. The user that spinnaker logs in as must be a Harbor admin
  2. Harbor configures ChartMuseum to return relative URLs for charts. Currently, Spinnaker assumes that the catalog has absolute URLs and will fail to parse it. Updating Harbor to support use of absolute URLs is discussed in https://github.com/goharbor/harbor/issues/6572 and https://github.com/goharbor/harbor-helm/issues/149. I’m not aware of a Spinnaker issue to support relative URLs.

Here is the command we use to add Harbor.

cat $HARBOR_PASSWORD | hal config artifact helm account add harbor --username "$HARBOR_USERNAME" \
  --repository "$HARBOR_ADDRESS/chartrepo/$HARBORREPOSITORY" \
  --password