fix(scan): assign repository pull access policy to robot account when scan artifact (#11109)

The v2auth middleware checks whether the requestor has pull or
push permission for the repository, and forbids the request when the
requestor does not have that permission. We need to assign repository
pull permission to the robot account for the scanner; otherwise the
scanner will fail to pull the artifact.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
This commit is contained in:
He Weiwei 2020-03-17 19:30:21 +08:00 committed by GitHub
parent f8983fe198
commit e3c5c37668
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 7 deletions


@ -523,7 +523,10 @@ func (bc *basicController) makeRobotAccount(projectID int64, repository string)
Name: UUID, Name: UUID,
Description: "for scan", Description: "for scan",
ProjectID: projectID, ProjectID: projectID,
Access: []*types.Policy{{Resource: resource, Action: rbac.ActionScannerPull}}, Access: []*types.Policy{
{Resource: resource, Action: rbac.ActionPull},
{Resource: resource, Action: rbac.ActionScannerPull},
},
} }
rb, err := bc.rc.CreateRobotAccount(robotReq) rb, err := bc.rc.CreateRobotAccount(robotReq)
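Review bot: The new `{Resource: resource, Action: rbac.ActionPull}` entry widens the scanner robot from the scanner-specific action to a general pull right, and nothing at the policy site records why both entries are needed; add a comment above the `Access:` field such as `// ActionPull is needed because the v2auth middleware only accepts pull/push permissions; ActionScannerPull alone is rejected.` The breadth of that grant depends on `resource`, which is built outside the hunk; the test fixture in this same commit builds it as `/project/%d/repository`, which would cover every repository in the project rather than only the `repository` argument passed to makeRobotAccount, so the robot could pull any repository in the project for as long as the account exists. If that scope is intentional, the comment should say so explicitly so a later reader does not mistake it for a scoping bug; if it is not, consider narrowing the resource to the repository argument. makeRobotAccount's body starts and ends outside the hunk.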


@ -25,7 +25,6 @@ import (
"github.com/goharbor/harbor/src/api/artifact" "github.com/goharbor/harbor/src/api/artifact"
"github.com/goharbor/harbor/src/common" "github.com/goharbor/harbor/src/common"
cj "github.com/goharbor/harbor/src/common/job" cj "github.com/goharbor/harbor/src/common/job"
cjm "github.com/goharbor/harbor/src/common/job/models"
jm "github.com/goharbor/harbor/src/common/job/models" jm "github.com/goharbor/harbor/src/common/job/models"
"github.com/goharbor/harbor/src/common/rbac" "github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/jobservice/job" "github.com/goharbor/harbor/src/jobservice/job"
@ -168,10 +167,10 @@ func (suite *ControllerTestSuite) SetupSuite() {
rc := &MockRobotController{} rc := &MockRobotController{}
resource := fmt.Sprintf("/project/%d/repository", suite.artifact.ProjectID) resource := fmt.Sprintf("/project/%d/repository", suite.artifact.ProjectID)
access := []*types.Policy{{ access := []*types.Policy{
Resource: types.Resource(resource), {Resource: types.Resource(resource), Action: rbac.ActionPull},
Action: rbac.ActionScannerPull, {Resource: types.Resource(resource), Action: rbac.ActionScannerPull},
}} }
rname := "the-uuid-123" rname := "the-uuid-123"
account := &model.RobotCreate{ account := &model.RobotCreate{
@ -322,7 +321,7 @@ type MockJobServiceClient struct {
} }
// SubmitJob ... // SubmitJob ...
func (mjc *MockJobServiceClient) SubmitJob(jData *cjm.JobData) (string, error) { func (mjc *MockJobServiceClient) SubmitJob(jData *jm.JobData) (string, error) {
args := mjc.Called(jData) args := mjc.Called(jData)
return args.String(0), args.Error(1) return args.String(0), args.Error(1)