
Unable to replicate image to another Harbor instance with robot account #13795

Closed

mattdowdell opened this issue Dec 17, 2020 · 4 comments
mattdowdell commented Dec 17, 2020

Expected behavior and actual behavior:
I'd like to be able to replicate an image from one Harbor instance used by my team to another managed by another team on a different continent. I attempted to do this via a robot account, reasoning that all I need is docker push/pull access, and then discovered the user requires the ability to create projects. As robots don't get REST access, this obviously fails, but if the system is configured to only allow admins to create projects, then this requires you to use an administrator account just to replicate an image.

My project exists, so I don't really know why Harbor decides to perform a project create first. Looking at:

```go
// Fragment of the adapter's push-preparation loop: CreateProject is attempted
// for every project, and only a 409 (project already exists) is tolerated.
for _, project := range projects {
	if err := a.Client.CreateProject(project.Name, project.Metadata); err != nil {
		if httpErr, ok := err.(*common_http.Error); ok && httpErr.Code == http.StatusConflict {
			log.Debugf("got 409 when trying to create project %s", project.Name)
			continue
		}
		return err // any other error, including the 403 a non-admin gets, aborts the replication
	}
	log.Debugf("project %s created", project.Name)
}
return nil
```

It looks like the project create is attempted regardless of whether it exists. I wouldn't object to a 403 being a warning in the logs if the project create failed, because the push will inevitably fail down the line if the project is missing.

Steps to reproduce the problem:

  • Configure one instance of harbor with permissions that limit project creation to admins.
  • Create a project on said Harbor instance and create a robot within that with write access.
  • Configure another harbor instance to replicate using the robot account.
  • Trigger the replication and observe the failure.

Versions:
Please specify the versions of the following systems.

  • harbor version: 2.0.2 (issue appears to be present on master as well)
  • docker engine version: 19.03.13
  • docker-compose version: 1.26.2

Additional context:

  • Harbor config files: N/A (not much of use in them for this)
  • Log files: Not much in here, apart from:

Dec 17 14:34:25 172.18.0.1 core[15531]: 2020-12-17T14:34:25Z [ERROR] [/replication/operation/controller.go:108]: the execution 31550 failed: failed to do the prepare work for pushing/uploading resources: http error: code 403, message {"errors":[{"code":"FORBIDDEN","message":"Only system admin can create project"}]}

Looks similar to #13268, so I wouldn't be surprised if the other adapters have a similar workflow that expects create permissions.

ywk253100 (Contributor) commented:

@mattdowdell The robot account cannot call the REST API, which means that the robot account cannot be used to configure the replication rule.
cc @xaleeks maybe we can consider this use case

And for the project creation part, I think it is indeed an issue. We can check the existence first.
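An existence-first version of the loop quoted in the issue, added here as an illustration rather than Harbor's own code; `projectClient`, `httpError` and `fakeClient` are assumptions standing in for the adapter's real client and error types:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// httpError is a hypothetical stand-in for the adapter's HTTP error type.
type httpError struct{ Code int }

func (e *httpError) Error() string { return fmt.Sprintf("http error: code %d", e.Code) }

// projectClient is a hypothetical stand-in for the destination registry client.
type projectClient interface {
	ProjectExists(name string) (bool, error)
	CreateProject(name string) error
}

// prepareProjects checks existence before creating, so a push-only robot never
// triggers the admin-only 403 for a project that is already there; 409 still
// covers the race where the project appears between the two calls.
func prepareProjects(c projectClient, names []string) error {
	for _, name := range names {
		exists, err := c.ProjectExists(name)
		if err != nil {
			return fmt.Errorf("checking project %s: %w", name, err)
		}
		if exists {
			continue // nothing to create, so no create permission is needed
		}
		var he *httpError
		if err := c.CreateProject(name); err != nil {
			if errors.As(err, &he) && he.Code == http.StatusConflict {
				continue
			}
			return fmt.Errorf("creating missing project %s: %w", name, err)
		}
	}
	return nil
}

// fakeClient is a constructed destination: only the listed projects exist, and
// every create attempt is recorded and refused with 403 (admin-only creation).
type fakeClient struct {
	existing map[string]bool
	creates  []string
}

func (f *fakeClient) ProjectExists(name string) (bool, error) { return f.existing[name], nil }
func (f *fakeClient) CreateProject(name string) error {
	f.creates = append(f.creates, name)
	return &httpError{Code: http.StatusForbidden}
}
```

With this ordering a robot that only holds push rights replicates into an existing project without ever calling the create endpoint, and the 403 surfaces only when the project is genuinely missing.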

mattdowdell (Author) commented:

> The robot account cannot call the REST API, which means that the robot account cannot be used to configure the replication rule.

I know, but it feels weird that Harbor supports a service account for managing images within a project and then doesn't let you use it for what is essentially an image push. I get that Harbor is trying to be helpful in creating the project, but I'm trying to minimise the access of my service accounts. Giving an account extra access for a one-off operation doesn't make a huge amount of sense to me. It's like giving something the ability to create and delete a git repo, when all it needs to do is tag a commit.

xaleeks (Contributor) commented Nov 8, 2021

This has been delivered in v2.4

xaleeks closed this as completed Nov 8, 2021

olifur commented May 16, 2022

Hi there,

We just checked, and the problem is still there in v2.4+. We run v2.5.0-98e1b82f and if we set the "Project Creation" option to "Everyone" it works that our robot account (with full permission) can replicate our registry, whereas if we set it to "Admin only" it does not work, we get 403 Forbidden, only "system admin can create project". Setting it to "Everyone" is not an option for us in an enterprise environment.
Best, Oli
