
Harbor OIDC Admin Group Permission Problem #328

Closed
Tim-herbie opened this issue May 17, 2023 · 11 comments

Comments

@Tim-herbie

Tim-herbie commented May 17, 2023

Describe the bug
I am trying to migrate the configuration of the existing Harbor environment to Terraform. While doing so, I found out that the defined OIDC admin group does not have the same permissions as the local admin user when using Terraform.

With my OIDC user, which is in the admin group, I can create anything in the Harbor application (GUI). I can also use terraform import for projects; that is working.

But I can't, e.g., use terraform import to import retention policies.

There I get the following error:

terraform import 'module.projects.harbor_retention_policy.standard_retention_policies["ap"]' '/retentions/39'

module.projects.harbor_retention_policy.standard_retention_policies["ap"]: Importing from ID "/retentions/39"...
module.projects.harbor_retention_policy.standard_retention_policies["ap"]: Import prepared!
  Prepared harbor_retention_policy for import
module.projects.harbor_retention_policy.standard_retention_policies["ap"]: Refreshing state... [id=/retentions/39]
╷
│ Error: [ERROR] unexpected status code got: 401 expected: 200
│  {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}
│
│
│

To Reproduce

Expected behavior

terraform import 'module.projects.harbor_retention_policy.standard_retention_policies["ap"]' '/retentions/39'

module.projects.harbor_retention_policy.standard_retention_policies["ap"]: Importing from ID "/retentions/39"...
module.projects.harbor_retention_policy.standard_retention_policies["ap"]: Import prepared!
  Prepared harbor_retention_policy for import
module.projects.harbor_retention_policy.standard_retention_policies["ap"]: Refreshing state... [id=/retentions/39]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Additional context

Provider Version: 3.8.4
Terraform Version: 1.4.3-dev
Harbor Version: v2.8.0-89ef156d

@flbla
Contributor

flbla commented May 19, 2023

Hi,
can you try to do a GET to the retention API?
Something like curl -X GET https://HARBOR/api/v2.0/retentions/39 with your OIDC account.

@Tim-herbie
Author

Yeah, sure.

Via curl, I get the same error: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}
When I paste this into my browser (request URL), I get the right response.

Maybe I made a mistake with authentication? I used the CLI secret from my user profile in Harbor for the Terraform Harbor API and also put the CLI secret in the "Authorize" field on the Swagger API page. But I don't know what other secret I should use for the authentication here.

@flbla
Contributor

flbla commented May 19, 2023

I think the CLI secret doesn't allow such an API call.
You probably need to generate an access token.
@Vad1mo ?

@Vad1mo
Member

Vad1mo commented May 21, 2023

hmm @Tim-herbie, did you try it with the admin user, to crosscheck the situation?

Normally, If your user is in the admin group, then the user should have the same permissions as the build in admin user.

@Tim-herbie
Author

@Vad1mo Yeah, as far as I could. The way I can test it is not exactly the same.

As I described above, I used the username and the CLI secret of the OIDC admin user in the Swagger API. Here it did not work.

When I test it with the local admin user, I don't get a CLI secret. So I used the username and password of the admin user. That worked; I got a valid response here.

@flbla
Contributor

flbla commented May 22, 2023

If you want to use your OIDC user, I think you need to get an access token from your OIDC provider.
Otherwise, you can maybe try to create a robot account with system access: goharbor/harbor#14145 (comment)

@Tim-herbie
Author

I created a robot account with Terraform with the same parameters as in your linked example.

resource "harbor_robot_account" "system" {
  name        = "admin"
  description = "system level robot account"
  level       = "system"
  secret      = "myReallysecretPassword1!"
  permissions {
    access {
      action   = "create"
      resource = "project"
    }
    kind      = "system"
    namespace = "/"
  }
}

Here is also the GET response via API:
{"creation_time":"2023-05-22T09:15:10.658Z","description":"system level robot account","disable":false,"duration":-1,"editable":true,"expires_at":-1,"id":32656,"level":"system","name":"robot$admin","permissions":[{"access":[{"action":"create","effect":"allow","resource":"project"}],"kind":"system","namespace":"/"}],"update_time":"2023-05-22T09:15:10.989Z"}

But when I change the Harbor Terraform provider credentials to robot$admin and myReallysecretPassword1!, it's not working.

@flbla
Contributor

flbla commented May 22, 2023

Indeed, I just tried it with:

resource "harbor_robot_account" "system" {
  name        = "admin"
  description = "system level robot account"
  level       = "system"
  secret      = "myReallysecretPassword1!"
  permissions {
    access {
      action   = "*"
      resource = "*"
    }
    kind      = "system"
    namespace = "/"
  }
  permissions {
    access {
      action   = "*"
      resource = "*"
    }
    kind      = "project"
    namespace = "*"
  }
}

It looks like the full API is not accessible with robot accounts: goharbor/harbor#8723

I think you currently have 2 solutions: use the local admin account or generate an access token from your OIDC provider.
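A small probe for the check suggested earlier in this thread (the curl against /api/v2.0/retentions/39) and for the robot-account credentials tried just above. This is an added example, not code from the harbor Terraform provider or from Harbor itself. The host, usernames and secrets are placeholders, and `canned_opener` exists only so the functions can be exercised without a Harbor instance; the Harbor error envelope it parses is the one quoted in the issue.

```python
"""Probe which Harbor credential can reach a given API endpoint.

Constructed example: HARBOR_URL, the credential labels and the secrets are
placeholders, not values from any real deployment.
"""
import base64
import io
import json
import urllib.error
import urllib.request

HARBOR_URL = "https://harbor.example.invalid"  # placeholder host


def basic_auth_header(username: str, secret: str) -> str:
    """Build an HTTP Basic Authorization value.

    Harbor accepts Basic auth for the OIDC CLI secret, for robot accounts
    (username keeps its 'robot$' prefix) and for the local admin password.
    """
    token = base64.b64encode(f"{username}:{secret}".encode()).decode()
    return f"Basic {token}"


def classify(status: int, body: bytes) -> str:
    """Turn an HTTP status plus Harbor's JSON error envelope into a verdict.

    Harbor reports errors as {"errors":[{"code":"UNAUTHORIZED","message":...}]};
    a 200 is reported as "ok", anything else as "<status> <code>".
    """
    if status == 200:
        return "ok"
    try:
        errors = json.loads(body.decode() or "{}").get("errors", [])
        code = errors[0]["code"] if errors else "UNKNOWN"
    except (ValueError, KeyError, IndexError, TypeError, AttributeError):
        code = "UNKNOWN"
    return f"{status} {code}"


def probe(base_url: str, path: str, username: str, secret: str, opener=None) -> str:
    """GET base_url+path with Basic auth and return the classify() verdict.

    `opener` is injectable (defaults to urllib.request.urlopen) so the logic
    can be exercised without network access.
    """
    req = urllib.request.Request(
        base_url + path,
        headers={"Authorization": basic_auth_header(username, secret),
                 "Accept": "application/json"},
    )
    open_fn = opener or urllib.request.urlopen
    try:
        with open_fn(req) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the Harbor error body is still readable.
        return classify(err.code, err.read())


def compare_credentials(base_url: str, path: str, creds, opener=None) -> dict:
    """Run probe() for every (label, username, secret) and return {label: verdict}."""
    return {label: probe(base_url, path, user, secret, opener)
            for label, user, secret in creds}


def canned_opener(status: int, body: bytes):
    """Return an opener that answers every request with a fixed status and body.

    Test double only; it mimics urlopen's success path and its HTTPError path.
    """
    class _Resp:
        def __init__(self):
            self.status = status

        def read(self):
            return body

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def _open(req):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "error", {}, io.BytesIO(body))
        return _Resp()
    return _open


if __name__ == "__main__":
    # Placeholder credentials; replace each with the real one before running
    # against a live Harbor. Comparing the three side by side shows whether a
    # 401 is tied to the credential type rather than to the provider.
    creds = [
        ("oidc-cli-secret", "tim", "CLI_SECRET_PLACEHOLDER"),
        ("robot-system", "robot$admin", "ROBOT_SECRET_PLACEHOLDER"),
        ("local-admin", "admin", "ADMIN_PASSWORD_PLACEHOLDER"),
    ]
    for label, verdict in compare_credentials(HARBOR_URL, "/api/v2.0/retentions/39", creds).items():
        print(f"{label:18} {verdict}")
```

The verdict is the HTTP status plus Harbor's own error code, so a run that prints `401 UNAUTHORIZED` for the CLI secret and the robot account but `ok` for the local admin reproduces exactly the situation described in this thread: the endpoint is reachable, and the difference lies in what each credential type is allowed to call.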

@rgarcia89

@flbla I do not understand how the OIDC token should help in that case? Isn't the CLI secret of an OIDC user validated against the permissions defined within Harbor?

@flbla
Contributor

flbla commented May 23, 2023

Because, as far as I understand, the CLI secret doesn't allow all actions in the Harbor API (no matter if you are admin), only valid endpoints.
With an OIDC token you should have the same permissions.

Furthermore, with curl -X GET https://HARBOR/api/v2.0/retentions/39 @Tim-herbie got the same UNAUTHORIZED error, so it doesn't seem to be a bug in the provider but a lack of permissions with the CLI secret.
Could you please open an issue in the Harbor project and link it with this issue? Thank you.

@rgarcia89

We will. Thanks for the clarification.
