Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

harbor to harbor replication does not work with robot accounts #14982

Closed
phin1x opened this issue May 26, 2021 · 3 comments
Closed

harbor to harbor replication does not work with robot accounts #14982

phin1x opened this issue May 26, 2021 · 3 comments
Assignees
@wy65701436
Labels
area/replication area/robot-account kind/bug

Comments

@phin1x
Copy link
Contributor

phin1x commented May 26, 2021
edited
Loading

If you are reporting a problem, please make sure the following information are provided:

Expected behavior and actual behavior:
We have four harbor instances and replicate images between them. bevor version 2.2, we used the docker provider which works fine for push only scenarios but we also want to use the "delete on remote" feature from the event based trigger.
after we migrated all of our harbor instances to v2.2 we switched to harbor provider. the test in the ui passed and we startet one of the replication jobs but it failed with the message:

Screenshot 2021-05-26 075257

When we allowed that everyone can create projects, the replication succeeded without any errors.

We found that the harbor provider always want to create the project it should replicate to:

v2.2.2:
https://github.com/goharbor/harbor/blob/v2.2.2/src/replication/adapter/harbor/base/adapter.go#L171

master:
https://github.com/goharbor/harbor/blob/master/src/pkg/reg/adapter/harbor/base/adapter.go#L171

This is a bad behavior. In our case only sysadmins can create projects and since you cannot combine system and project level permissions in a robot account, we cannot use robot accounts for replication and using the admin account is not an option.

By default harbor should not try to create projects on the remote side or should check first, if the user is allowed to.

Steps to reproduce the problem:

  1. Setup two Harbor instances
  2. Create a project in harbor 1 and a system robot account with full permissions on the project
  3. Create harbor 1 as a registry with the harbor provider in harbor 2
  4. Create a replication rule with the previously created project as a target in harbor 2

the replication should fail.

Versions:
Please specify the versions of following systems.

  • harbor version: 2.2.1
  • docker engine version: 19.03.15
  • docker-compose version: 1.25.1

Additional context:

  • Harbor config files: You can get them by packaging harbor.yml and files in the same directory, including subdirectory.
  • Log files: You can get them by package the /var/log/harbor/ .
@phin1x
Copy link
Contributor Author

phin1x commented May 26, 2021

we patched out the for loop mentioned above and the replication succeeded.

@phin1x phin1x mentioned this issue Aug 8, 2021
Closed
@Wykiki
Copy link

Wykiki commented Aug 30, 2021

Hello, we encounter the exact same problem, looks like it will be fixed in 2.4 ?

@wy65701436
Copy link
Contributor

yes, it will be in v2.4, and already in the main branch now. Close it as fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wy65701436 wy65701436

Labels
area/replication area/robot-account kind/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wy65701436 @steven-zou @Wykiki @phin1x