goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Developer Role unable to retag images via UI #21042

Open fletch3555 opened 3 days ago

fletch3555 commented 3 days ago

If you are reporting a problem, please make sure the following information is provided:

Expected behavior and actual behavior: We have users with the Developer role.

Working within the Harbor UI, they are able to manually assign new tags to images; however, they are unable to assign existing tags to images. [image] [image]

To clarify, if a separate image hash is already tagged "abcd", they will be unable to "Add Tag" with the name "abcd".

Doing this through the docker CLI works correctly (and assuming your docker CLI is authenticated to Harbor with a user assigned the "Developer" role)

# Setup
docker pull busybox:1.36
docker tag busybox:1.36 harbor.example.com/myproject/busybox:1.36
docker push harbor.example.com/myproject/busybox:1.36
docker pull busybox:1.37
docker tag busybox:1.37 harbor.example.com/myproject/busybox:1.37
docker push harbor.example.com/myproject/busybox:1.37

# Apply custom tag to 1.36
docker tag harbor.example.com/myproject/busybox:1.36 harbor.example.com/myproject/busybox:abcd
docker push harbor.example.com/myproject/busybox:abcd
# The Harbor UI now shows 2 images, with one tagged 1.36 and abcd and the other tagged 1.37

# Retag "abcd" to 1.37
docker tag harbor.example.com/myproject/busybox:1.37 harbor.example.com/myproject/busybox:abcd
docker push harbor.example.com/myproject/busybox:abcd
# The Harbor UI still shows 2 images, with one tagged 1.36 and the other tagged 1.37 and abcd

Steps to reproduce the problem:

  1. Open a project in the Harbor UI containing 2 images, one with an existing tag, and one you want to tag. For example: [image]
  2. Click on the image hash that you want to tag (sha256:4c3d11be in the above screenshot)
  3. Click the "Add Tag" button, type the existing image name into the "Name" field, then click the "OK" button [image]
  4. Observe the error: [image]

Versions: Please specify the versions of following systems.

Additional context:

(I don't believe these are relevant to my report, but I can provide them if requested)

fletch3555 commented 3 days ago

I just found this issue #20382, which appears to be the same issue, just via API rather than the web UI. Appears there are others with similar complaints.

For what it's worth, the retag permission is granted to all users in the Guest role or higher (including Developer) according to the docs, so I would expect it to work via the UI (and API) as well. Developer role does not have access to delete tags, so doing it as a 2-step process is not possible. I don't think granting everyone Maintainer or Admin access is a valid path forward, nor is it clear in the docs that this would even resolve this use-case.

If desired, we could add a warning prompt about the tag already existing. At the very least, the docs should be updated to clarify this access is only granted via Docker CLI. Though again, I believe this should be allowed within the Harbor API/UI.