fix(scan): assign repository pull access policy to robot account when scan artifact (#11109)
The v2auth middleware checks whether the requester has pull or push permission for the repository and forbids the request when it does not. We need to assign the repository pull permission to the robot account used by the scanner; otherwise the scanner will fail to pull the artifact. Signed-off-by: He Weiwei <hweiwei@vmware.com>
parent
f8983fe198
commit
e3c5c37668
@ -523,7 +523,10 @@ func (bc *basicController) makeRobotAccount(projectID int64, repository string)
|
|||||||
Name: UUID,
|
Name: UUID,
|
||||||
Description: "for scan",
|
Description: "for scan",
|
||||||
ProjectID: projectID,
|
ProjectID: projectID,
|
||||||
Access: []*types.Policy{{Resource: resource, Action: rbac.ActionScannerPull}},
|
Access: []*types.Policy{
|
||||||
|
{Resource: resource, Action: rbac.ActionPull},
|
||||||
|
{Resource: resource, Action: rbac.ActionScannerPull},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
rb, err := bc.rc.CreateRobotAccount(robotReq)
|
rb, err := bc.rc.CreateRobotAccount(robotReq)
|
||||||
|
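Review bot: The widened `Access` list in makeRobotAccount carries no comment explaining why the robot needs `rbac.ActionPull` on top of `rbac.ActionScannerPull`, so a later least-privilege cleanup could drop it again and break scanning. I would add above the literal: `// v2auth authorizes registry requests on pull/push only, so scanner-pull alone is rejected; grant pull too.` `resource` is built outside this hunk; judging by the test's `/project/%d/repository` it looks project-wide rather than limited to the `repository` argument, so the credential handed to the scanner can probably pull every repository in the project. It is worth confirming that this robot account is short-lived and removed once the scan finishes, and narrowing the resource to the scanned repository if the policy model allows it. The function body starts and ends outside the hunk.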
@ -25,7 +25,6 @@ import (
|
|||||||
"github.com/goharbor/harbor/src/api/artifact"
|
"github.com/goharbor/harbor/src/api/artifact"
|
||||||
"github.com/goharbor/harbor/src/common"
|
"github.com/goharbor/harbor/src/common"
|
||||||
cj "github.com/goharbor/harbor/src/common/job"
|
cj "github.com/goharbor/harbor/src/common/job"
|
||||||
cjm "github.com/goharbor/harbor/src/common/job/models"
|
|
||||||
jm "github.com/goharbor/harbor/src/common/job/models"
|
jm "github.com/goharbor/harbor/src/common/job/models"
|
||||||
"github.com/goharbor/harbor/src/common/rbac"
|
"github.com/goharbor/harbor/src/common/rbac"
|
||||||
"github.com/goharbor/harbor/src/jobservice/job"
|
"github.com/goharbor/harbor/src/jobservice/job"
|
||||||
@ -168,10 +167,10 @@ func (suite *ControllerTestSuite) SetupSuite() {
|
|||||||
rc := &MockRobotController{}
|
rc := &MockRobotController{}
|
||||||
|
|
||||||
resource := fmt.Sprintf("/project/%d/repository", suite.artifact.ProjectID)
|
resource := fmt.Sprintf("/project/%d/repository", suite.artifact.ProjectID)
|
||||||
access := []*types.Policy{{
|
access := []*types.Policy{
|
||||||
Resource: types.Resource(resource),
|
{Resource: types.Resource(resource), Action: rbac.ActionPull},
|
||||||
Action: rbac.ActionScannerPull,
|
{Resource: types.Resource(resource), Action: rbac.ActionScannerPull},
|
||||||
}}
|
}
|
||||||
|
|
||||||
rname := "the-uuid-123"
|
rname := "the-uuid-123"
|
||||||
account := &model.RobotCreate{
|
account := &model.RobotCreate{
|
||||||
@ -322,7 +321,7 @@ type MockJobServiceClient struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// SubmitJob ...
|
// SubmitJob ...
|
||||||
func (mjc *MockJobServiceClient) SubmitJob(jData *cjm.JobData) (string, error) {
|
func (mjc *MockJobServiceClient) SubmitJob(jData *jm.JobData) (string, error) {
|
||||||
args := mjc.Called(jData)
|
args := mjc.Called(jData)
|
||||||
|
|
||||||
return args.String(0), args.Error(1)
|
return args.String(0), args.Error(1)
|
||||||
|