Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2025-01-30 19:41:29 +01:00
Code Issues Projects Releases Wiki Activity

Add "*" to the claim set in the token for /v2 apis

Browse Source 
The "*" is used by notary server for permission checking:
84287fd8df/server/server.go (L200)
Hence, we need to add this into the JWT token such that actions like key
rotation can be executed.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
Daniel Jiang 2021-03-02 17:12:00 +08:00
parent 3ecd60b84b
commit ef72c76e0e
2 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/core/service/token/creator.go
View File

@ -200,6 +200,16 @@ func resourceScopes(ctx context.Context, rc rbac.Resource) map[string]struct{} {
res[s] = struct{}{} res[s] = struct{}{}
} }
} }
// "*" is needed in the token for some API in notary server
// see https://github.com/goharbor/harbor/issues/14303#issuecomment-788010900
// and https://github.com/theupdateframework/notary/blob/84287fd8df4f172c9a8289641cdfa355fc86989d/server/server.go#L200
_, ok1 := res["push"]
_, ok2 := res["pull"]
_, ok3 := res["delete"]
if ok1 && ok2 && ok3 {
res["*"] = struct{}{}
}
return res return res
} }

1
src/core/service/token/token_test.go
View File

@ -336,6 +336,7 @@ func TestResourceScopes(t *testing.T) {
"scanner-pull": {}, "scanner-pull": {},
"push": {}, "push": {},
"delete": {}, "delete": {},
"*": {},
}, },
}, },
{ {