goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

How to pull an image from my repository #20173

Open olistu opened 3 months ago

olistu commented 3 months ago

Hi,

I have created and built an image on the Harbor server. This image was then pushed to the Harbor repository successfully.

But now if I want to search my image, the search command does not display it.

with Docker :

docker search flutter

no images from my repository

with Podman :

$ podman search --tls-verify=false flutter
ERRO[0000] error getting search results from v2 endpoint "svx-lab-03m.unifr.ch": unauthorized: unauthorized to list catalog: unauthorized to list catalog
NAME DESCRIPTION

I need help to resolve this problem.

Regards Olivier

wy65701436 commented 3 months ago

it seems that the podman search will call the catalog api, which needs the system admin permission, please try with the admin account.

olistu commented 3 months ago

> it seems that the podman search will call the catalog api, which needs the system admin permission, please try with the admin account.

The problem was the same when logged in as the admin user.

MinerYang commented 3 months ago

https://github.com/goharbor/harbor/issues/13573

seems podman search would use a bearer token to call v2/_catalog API

podman search --log-level=debug  --tls-verify=false xxx.xxx.xxx/library/hello-world:latest

DEBU[0000] GET https://xxx.xxx.xxx/service/token?account=admin&service=harbor-registry
DEBU[0000] GET https://xxx.xxx.xxx/v2/_catalog
ERRO[0000] error getting search results from v2 endpoint "xxx.xxx.xxx": unable to retrieve auth token: invalid username/password: unauthorized: unauthorized to list catalog: unauthorized to list catalog
Error: 1 error occurred:
    * couldn't search registry "xxx.xxx.xxx": unable to retrieve auth token: invalid username/password: unauthorized: unauthorized to list catalog: unauthorized to list catalog

However, it is worth mentioning that podman seems to send a partial service token request to list the catalog

GET https://xxx.xxx.xxx/service/token?service=harbor-registry&scope=registry:catalog:*

MinerYang commented 2 months ago

Hi @olistu ,

We don't support catalog listing with a bearer token, same as Docker Hub. Instead, we prefer that client tools use basic auth to call the v2/catalog API if possible, since listing all the repositories is only available to system admins. However, we would like to collect opinions and discuss within the community whether it is necessary to adopt client functions like podman search, crane catalog, etc.

Related issues:

mi-fabien-cayre commented 1 month ago

Hi,

Neuvector is a security tool used in the Rancher Kubernetes distribution to scan containers for vulnerabilities. In order to increase its knowledge, it needs to connect to an image registry. It uses the v2/_catalog endpoint, and by doing so, it receives a 401 Unauthorized when targeting Harbor. We could use an admin account, but I don't think that's a reliable solution.

It could be interesting to have a permission on robot accounts to let them access the v2/_catalog endpoint. I've set the registry type to "Docker Registry"; I didn't test with other types of registries.

The connectivity test logs:

[
    {
        "step_content": "Test registry connection",
        "step_type": "stage"
    },
    {
        "step_content": "GET https://<HARBOR_URL>/v2/",
        "step_type": "url"
    },
    {
        "step_content": "{}",
        "step_type": "response"
    },
    {
        "step_content": "Get all images",
        "step_type": "stage"
    },
    {
        "step_content": "Get registry repository list",
        "step_type": "stage"
    },
    {
        "step_content": "GET https://<HARBOR_URL>/v2/_catalog",
        "step_type": "url"
    },
    {
        "step_content": "Get \"https://<HARBOR_URL>/v2/_catalog\": http: non-successful response (status=401 body=\"{\\\"errors\\\":[{\\\"code\\\":\\\"UNAUTHORIZED\\\",\\\"message\\\":\\\"unauthorized to list catalog: unauthorized to list catalog\\\"}]}\\n\")",
        "step_type": "error"
    },
    {
        "step_content": "",
        "step_type": "images"
    },
    {
        "step_content": "Discovered 0 images",
        "step_type": "stage"
    }
]
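Added example, not part of the thread and not Harbor or Neuvector code: a triage script for a connectivity log in the format posted above. It decodes the doubly escaped registry error body and separates a denied catalog listing from a failed login or unreachable registry; the sample log is constructed from the quoted steps, and the function names and result labels are hypothetical.

```python
import json
import re

# Constructed sample: four steps of the connectivity log quoted above, placeholder host kept.
SAMPLE_LOG = r'''[
 {"step_content": "GET https://<HARBOR_URL>/v2/", "step_type": "url"},
 {"step_content": "{}", "step_type": "response"},
 {"step_content": "GET https://<HARBOR_URL>/v2/_catalog", "step_type": "url"},
 {"step_content": "Get \"https://<HARBOR_URL>/v2/_catalog\": http: non-successful response (status=401 body=\"{\\\"errors\\\":[{\\\"code\\\":\\\"UNAUTHORIZED\\\",\\\"message\\\":\\\"unauthorized to list catalog: unauthorized to list catalog\\\"}]}\\n\")", "step_type": "error"}
]'''

ERR_RE = re.compile(r'status=(\d+) body=(".*")\)\s*$', re.S)

def decode_error(content):
    """Return (http_status, [registry error codes]) from an "error" step."""
    m = ERR_RE.search(content)
    if not m:
        return None, []
    try:
        body = json.loads(m.group(2))            # undo the quoting around the body
        errors = json.loads(body).get("errors", [])
    except (ValueError, AttributeError):
        errors = []                              # body was not a JSON error document
    return int(m.group(1)), [e.get("code") for e in errors]

def parse_steps(log_text):
    """Map each requested /v2/ path to the outcome of the step that follows it."""
    outcomes, path = {}, None
    for step in json.loads(log_text):
        kind, content = step["step_type"], step["step_content"]
        if kind == "url" and "/v2/" in content:
            path = "/v2/" + content.split("/v2/", 1)[1]
        elif kind in ("response", "error") and path:
            status, codes = decode_error(content) if kind == "error" else (None, [])
            outcomes[path] = {"ok": kind == "response", "status": status, "codes": codes}
            path = None
    return outcomes

def diagnose(log_text):
    """Separate a catalog permission denial from a general login/connectivity failure."""
    steps = parse_steps(log_text)
    base, catalog = steps.get("/v2/"), steps.get("/v2/_catalog")
    if not base or not base["ok"]:
        return "registry-unreachable-or-login-failed"
    if catalog and catalog["status"] == 401 and "UNAUTHORIZED" in catalog["codes"]:
        return "catalog-listing-denied"
    return "catalog-ok" if catalog and catalog["ok"] else "catalog-failed-other"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
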

MinerYang commented 1 month ago

> Hi,
>
> Neuvector is a security tool used in the Rancher Kubernetes distribution to scan containers for vulnerabilities. In order to increase its knowledge, it needs to connect to an image registry. It uses the v2/_catalog endpoint, and by doing so, it receives a 401 Unauthorized when targeting Harbor. We could use an admin account, but I don't think that's a reliable solution.

Hi @mi-fabien-cayre, when you were using the admin account to call v2/_catalog, was it using basic auth (username:password) instead of a service token?

mi-fabien-cayre commented 1 month ago

Hi @MinerYang ,

Did some tcpdump on our Harbor server; it uses Authorization: Basic

MinerYang commented 1 month ago

Hi @mi-fabien-cayre ,

mi-fabien-cayre commented 1 month ago

Neuvector is using basic auth username:password to access the v2/_catalog endpoint. The robot account has all permissions (19) on Harbor Version v2.7.4-8693b25a. Might upgrade Harbor to the latest version and come back to discuss the issue here, because I don't see any option to make an "admin" robot account. Might as well open an issue to include Harbor registry in Neuvector's repo. Thanks for your help and have a great day!

MinerYang commented 1 month ago
[Image: Screenshot 2024-05-21 at 17 41 58]