goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
23.98k stars 4.75k forks

System level robot is unable to access /statistics API #15624

Open okin opened 3 years ago

okin commented 3 years ago

As a system admin I want to use robot accounts to access the harbor API in order to retrieve data for our monitoring systems.

While I am able to create a system level robot account with permissions to all resources, it cannot access the /statistics API endpoint. When I try to access the route I am getting an unauthorized error.

Other endpoints, for example /health, are working with the same set of credentials. I am able to access the mentioned routes when using my personal account. That account has administrator privileges.

JSON payload for my robot creation looks like this:

{
    "secret": "<put your secret here>",
    "disable": false,
    "name": "monitoring",
    "level": "system",
    "duration": -1,
    "description": "Robot used for monitoring.",
    "permissions":
    [
        {
            "access":
            [
                {
                    "resource": "*",
                    "action": "read"
                }
            ],
            "kind": "system",
            "namespace": "/"
        }
    ]
}

The harbor version in use is 2.3.0.

bitsf commented 3 years ago

/health doesn't need auth. You can check whether other APIs work.

bitsf commented 3 years ago

Confirmed with @wy65701436: robot accounts don't support calling /statistics now.

wy65701436 commented 3 years ago

So far, by design, a robot account cannot get statistics, as it's not a kind of resource in Harbor. The access model of robots is resource based.

okin commented 3 years ago

@bitsf thanks for the hint about unnecessary authentication. I will update the swagger config so others are made aware of it.

@wy65701436 I see. My search for resources did not yield anything for statistics, so I assumed that having access to all resources might allow this. It would be great to have the possibility, though.

schneif2 commented 2 years ago

Yes, I have tried the same. I tried to use a robot account (or something like a read-only user) to retrieve information for a monitoring system (and a bit of statistics). With admin credentials everything works fine, but when I use a robot account some information is missing.

It would be helpful if there were an option to create a read-only admin account or to set up a system-wide robot account with some read-only monitoring privileges.

Here my usage:

/api/v2.0/health (ok)

/api/v2.0/systeminfo (ok)

/api/v2.0/systeminfo/volumes (works only with admin credentials)

/api/v2.0/statistics (works also only with admin credentials and partly with robot account)

Statistics told me, with the robot account, 3 public projects but 0 total projects. The "all projects" setting allows the robot account to see all private projects, but they are not shown in statistics.

Harbor version v2.4.0. Robot account generated at system level, with all projects and, for test purposes, all privileges.
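The two reports above (okin's unauthorized error on /statistics with a system robot, and schneif2's list of endpoints that behave differently for admin, robot and anonymous callers) boil down to a permission matrix that is easiest to reproduce by probing each endpoint with each credential and diffing the results. The script below is an added example, not code from the Harbor project or from anyone in this thread. It assumes the Harbor 2.x REST paths named in the thread, HTTP basic auth, a robot username of the form `robot$<name>` (the default system-level prefix; adjust if your instance changes it), and the `public_project_count` / `total_project_count` field names in the statistics response; the environment variable names and the `classify` verdict labels are the example's own.

```python
"""Probe which Harbor API endpoints a credential can reach (added example).

Not Harbor project code. Assumes Harbor 2.x paths and HTTP basic auth.
Set HARBOR_URL, HARBOR_ADMIN_USER, HARBOR_ADMIN_PASS, HARBOR_ROBOT_USER
(e.g. "robot$monitoring") and HARBOR_ROBOT_SECRET to run against a live
instance; the probe logic itself takes an injectable fetcher so it can be
exercised offline.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Endpoints named in the thread (constructed list; Harbor exposes many more).
ENDPOINTS = (
    "/api/v2.0/health",
    "/api/v2.0/systeminfo",
    "/api/v2.0/systeminfo/volumes",
    "/api/v2.0/statistics",
)

Result = Tuple[int, bytes]                       # (HTTP status, response body)
Fetcher = Callable[[str, Optional[str]], Result]  # (url, Authorization value)


def basic_auth(username: str, secret: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{username}:{secret}".encode()).decode()
    return f"Basic {token}"


def http_get(url: str, auth: Optional[str]) -> Result:
    """GET url with urllib. HTTP errors come back as (status, body), not raised."""
    req = urllib.request.Request(url, method="GET")
    if auth:
        req.add_header("Authorization", auth)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url: str, auth: Optional[str], fetch: Fetcher = http_get) -> Dict[str, Result]:
    """Return {endpoint: (status, body)} for every endpoint in ENDPOINTS."""
    base = base_url.rstrip("/")
    return {ep: fetch(base + ep, auth) for ep in ENDPOINTS}


def classify(admin: Dict[str, Result], robot: Dict[str, Result],
             anon: Dict[str, Result]) -> Dict[str, str]:
    """Per endpoint: 'no-auth-needed', 'robot-ok', 'admin-only' or 'unavailable'.

    'no-auth-needed' is what bitsf describes for /health; 'admin-only' is the
    case the thread is about. Verdict labels are this example's own.
    """
    verdicts = {}
    for ep in ENDPOINTS:
        if anon[ep][0] == 200:
            verdicts[ep] = "no-auth-needed"
        elif admin[ep][0] == 200 and robot[ep][0] == 200:
            verdicts[ep] = "robot-ok"
        elif admin[ep][0] == 200:
            verdicts[ep] = "admin-only"
        else:
            verdicts[ep] = "unavailable"
    return verdicts


def statistics_mismatch(body: bytes) -> bool:
    """True when the statistics payload is internally inconsistent
    (total_project_count < public_project_count), the symptom schneif2 saw
    with a robot account. Field names assumed from the Harbor 2.x response."""
    data = json.loads(body)
    return data.get("total_project_count", 0) < data.get("public_project_count", 0)


def main() -> int:
    url = os.environ.get("HARBOR_URL")
    if not url:
        print("set HARBOR_URL and the credential variables to probe a live instance")
        return 2
    admin = basic_auth(os.environ["HARBOR_ADMIN_USER"], os.environ["HARBOR_ADMIN_PASS"])
    robot = basic_auth(os.environ["HARBOR_ROBOT_USER"], os.environ["HARBOR_ROBOT_SECRET"])
    results = {name: probe(url, a) for name, a in (("anon", None), ("robot", robot), ("admin", admin))}
    for ep, verdict in classify(results["admin"], results["robot"], results["anon"]).items():
        print(f"{ep:32} {verdict}")
    status, body = results["robot"]["/api/v2.0/statistics"]
    if status == 200 and statistics_mismatch(body):
        print("robot /statistics is inconsistent: total_project_count < public_project_count")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once with the admin credentials and once with the robot; any endpoint that lands in `admin-only` is one your monitoring robot cannot use regardless of how broad its `permissions` list is, which matches the maintainers' explanation that /statistics is not modelled as a resource.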

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.