
CLI Secret Full Permissions Support #18834

Open
Tim-herbie opened this issue Jun 20, 2023 · 5 comments
Labels
area/oidc kind/requirement New feature or idea on top of harbor

Comments

@Tim-herbie

Tim-herbie commented Jun 20, 2023

Is your feature request related to a problem? Please describe.
I am running Harbor in Kubernetes and using an OIDC provider for authentication. I defined an OIDC admin group in the authentication configuration. My OIDC user is a member of the admin group, but when I generate a CLI secret, the secret does not have the same permissions as the admin user.

Describe the solution you'd like
My expectation would be that my CLI secret has the same permissions as the admin user.

#18730
goharbor/terraform-provider-harbor#328

@stonezdj stonezdj added the kind/requirement New feature or idea on top of harbor label Jun 25, 2023
@stonezdj
Contributor

It could be a limitation of OIDC auth.
The admin group feature requires the user's group information to grant admin permission when the user logs in.
When logging in with the CLI, the auth middleware can't get the user's group information.

The original intention of the OIDC CLI secret is to call the /v2/ API, not the /api/v2.0/ API.

@reasonerjt
Contributor

Hi,
I agree the CLI secret is targeting the CLI, but IMO it's very doable for the auth middleware to get the group information.
The CLI secret is bound to the ID token, so when the CLI secret is verified the middleware also verifies the ID token, and at that time we can probably get the group info that is encoded in the token.

@pidreher

Imho it's also misleading that Harbor responds with 401 Unauthorized instead of 403 Forbidden in those cases.
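The approach sketched in the two comments above (verify the ID token bound to the CLI secret, read the group claim from it, and then answer 401 only when authentication fails and 403 when the authenticated user simply lacks admin rights) as an added, stand-alone Go example. This is not Harbor's code: the secret store, the `groups` claim name, the admin group value `harbor-admins`, and the HS256 signing key are all constructed for the example (a real deployment verifies RS256 ID tokens against the provider's JWKS).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed stand-in for the OIDC provider's signing key (HS256 so the example runs offline).
var providerKey = []byte("example-provider-key-not-a-real-secret")

// Constructed store: CLI secret -> the ID token it was bound to at generation time.
var cliSecretStore = map[string]string{}

// Assumed admin group name, as it would be configured in Harbor's OIDC auth settings.
const adminGroup = "harbor-admins"

// Constructed CLI secrets used by main() and the seeding helper.
const (
	AdminSecret  = "cli-secret-admin-user"
	MemberSecret = "cli-secret-regular-user"
)

type idTokenClaims struct {
	Sub    string   `json:"sub"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups"` // assumed claim name; configurable in real OIDC setups
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintIDToken builds an HS256-signed JWT carrying the given claims (example only).
func mintIDToken(claims idTokenClaims) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, providerKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyIDToken checks the algorithm, signature and expiry before returning the claims.
func verifyIDToken(token string, now time.Time) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHeader, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // rejects "none" and algorithm confusion
	}
	mac := hmac.New(sha256.New, providerKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload")
	}
	var c idTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// AuthorizeCLISecret returns the HTTP status an admin-only endpoint should answer with:
// 401 when the secret is unknown or its ID token no longer verifies (not authenticated),
// 403 when the user is authenticated but not in the admin group, 200 when admin.
func AuthorizeCLISecret(secret string, now time.Time) int {
	token, ok := cliSecretStore[secret]
	if !ok {
		return 401
	}
	claims, err := verifyIDToken(token, now)
	if err != nil {
		return 401
	}
	for _, g := range claims.Groups {
		if g == adminGroup {
			return 200
		}
	}
	return 403
}

// SeedStore binds two constructed CLI secrets to ID tokens valid for one hour from now.
func SeedStore(now time.Time) {
	exp := now.Add(time.Hour).Unix()
	cliSecretStore[AdminSecret] = mintIDToken(idTokenClaims{Sub: "alice", Exp: exp, Groups: []string{"devs", adminGroup}})
	cliSecretStore[MemberSecret] = mintIDToken(idTokenClaims{Sub: "bob", Exp: exp, Groups: []string{"devs"}})
}

func main() {
	now := time.Now()
	SeedStore(now)
	fmt.Println("admin:", AuthorizeCLISecret(AdminSecret, now))       // 200
	fmt.Println("member:", AuthorizeCLISecret(MemberSecret, now))     // 403
	fmt.Println("unknown:", AuthorizeCLISecret("no-such-secret", now)) // 401
}
```

The key design point is that group membership is read from the ID token at verification time rather than from a session established at login, which is what makes admin-group resolution possible for CLI secret logins; the 401/403 split follows directly from whether the token verified.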

@Tim-herbie
Author

Tim-herbie commented Jul 21, 2023

Is there a timeline when this topic will be fixed?

@grad-kushal

Any updates here?

6 participants