Allow Robot Accounts to Manage Robots with Full Permissions #21251

Closed
melak-cmd opened this issue Nov 26, 2024 · 8 comments · Fixed by #21310

Comments

@melak-cmd

melak-cmd commented Nov 26, 2024

Expected behavior and actual behavior:

When you have a Robot account system with the following permissions:

Project [Create, List]
Robot Account [Create, Delete, List, Read]

And you check the "Cover all projects" option, along with selecting the Repository [Pull] action, the expected behavior is that the Robot account should be able to perform all the specified actions across all projects.

However, the actual behavior you are observing is that the Robot account is not able to perform the selected actions as expected:

{"errors":[{"code":"DENIED","message":"permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: robot$crossplane"}]}

Steps to reproduce the problem:

curl -k -X 'POST' 'https:///api/v2.0/robots' -u 'robot$crossplane:' -H 'Content-Type: application/json' -d '{"name": "puller","description": "puller","level": "system","duration": -1,"permissions": [{"kind": "project","namespace": "dev","access":[{"resource": "repository","action": "pull"}]}]}'

Versions:

  • Harbor version: v2.12.0-9da38ae0


@melak-cmd melak-cmd reopened this Nov 28, 2024
@stonezdj
Contributor

stonezdj commented Dec 2, 2024

For security considerations, the created robot account's permissions should never exceed the creator robot account's. As you can see in the error log: permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: robot$crossplane
Robot account A has no permission to pull repositories, so it cannot create a robot account with repository pull permission.

@melak-cmd
Author

For security considerations, the created robot account's permissions should never exceed the creator robot account's. As you can see in the error log: permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: robot$crossplane. Robot account A has no permission to pull repositories, so it cannot create a robot account with repository pull permission.

Okay, but if you select only project-by-project, this will work fine.

@reasonerjt
Contributor

Closing the issue b/c it's working as designed.

@flbla
Contributor

flbla commented Dec 2, 2024

Hi,
I disagree: Robot A has the permission to pull on any repositories of any projects, since it's configured with "Cover all projects".
As Robot A can pull any repositories of any projects,
Robot B should be able to pull only a specific project.
Pull on a single project is "equal to or more restrictive than the creator robot", which can pull on ANY projects.

@flbla flbla reopened this Dec 2, 2024
@Vad1mo
Member

Vad1mo commented Dec 5, 2024

I would also have expected that the child robot account has the same right as its parent but can also have less.
Do I understand it correctly that currently, the child system robot account is just a carbon copy of its parent?

Can we have a bit of a structured approach on what is working on project/system level and what is not?
From there we can conclude whether this is within the spec or needs rework!

@antoine-sncf

antoine-sncf commented Dec 10, 2024

Summary table

| robot used | with Cover all projects | with 3 projects A & B & C |
|---|---|---|
| create robot with all projects | OK | Rejected? (untested) |
| create robot with 2 projects A & B | Rejected (expected OK) | OK |

Same thing as a list:

robot system:"robotcreator"

  • system: create robot
  • project: cover all projects > pull

via robot robotcreator:

  robot system:project123
    • project: cover all projects > pull
    Result: OK

  robot system:project123-2
    • project: projectA & projectB > pull
    Result: Rejected

robot system:"robotcreator2"

  • system: create robot
  • project: projectA & projectB & projectC > pull

via robot robotcreator2:

  robot system:project123
    • project: cover all projects > pull
    Result: Rejected? (didn't test)

  robot system:project123-2
    • project: projectA & projectB > pull
    Result: OK
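The rule stonezdj states above (a robot may only create robots whose scope is equal to or more restrictive than its own), applied so that "Cover all projects" counts as covering any single project namespace, which is what the matrix in this comment expects. This is an added illustration written for this thread, not Harbor's own code; the Permission/Access types and the use of namespace "*" to stand for "Cover all projects" are assumptions made for the example.

```go
package main

import "slices"

// Access is one (resource, action) pair, e.g. {"repository", "pull"}.
type Access struct{ Resource, Action string }

// Permission is one scope of a robot account. Kind is "system" or "project";
// for "project", Namespace "*" models the "Cover all projects" checkbox.
// (Assumed encoding for this example, not necessarily Harbor's API shape.)
type Permission struct {
	Kind, Namespace string
	Access          []Access
}

// covers reports whether creator scope p is sufficient to grant requested
// scope q: same kind, matching namespace (or p is "*"), and every action q
// asks for is one the creator already holds in that scope.
func (p Permission) covers(q Permission) bool {
	if p.Kind != q.Kind {
		return false
	}
	// "*" covers any project namespace; a concrete namespace must match exactly,
	// so a creator limited to A, B, C can never cover a request for "*".
	if p.Kind == "project" && p.Namespace != "*" && p.Namespace != q.Namespace {
		return false
	}
	for _, want := range q.Access {
		if !slices.Contains(p.Access, want) {
			return false
		}
	}
	return true
}

// IsEqualOrMoreRestrictive is the check behind the "permission scope is
// invalid" error: every requested scope must be covered by at least one of
// the creator's scopes. A creator with only robot-management rights and no
// repository pull anywhere still cannot mint a puller (stonezdj's case), while
// a cover-all-projects puller can mint a single-project puller (this issue).
func IsEqualOrMoreRestrictive(creator, requested []Permission) bool {
	for _, q := range requested {
		if !slices.ContainsFunc(creator, func(p Permission) bool { return p.covers(q) }) {
			return false
		}
	}
	return true
}
```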

@reasonerjt
Contributor

@antoine-sncf
Thanks for clarifying, we'll follow-up

wy65701436 added a commit to wy65701436/harbor that referenced this issue Dec 12, 2024
fixes goharbor#21251

Signed-off-by: wang yan <wangyan@vmware.com>
wy65701436 added a commit to wy65701436/harbor that referenced this issue Dec 12, 2024
fixes goharbor#21251

Signed-off-by: wang yan <wangyan@vmware.com>
wy65701436 added a commit to wy65701436/harbor that referenced this issue Dec 13, 2024
fixes goharbor#21251

Signed-off-by: wang yan <wangyan@vmware.com>
stonezdj pushed a commit that referenced this issue Dec 13, 2024
fixes #21251

Signed-off-by: wang yan <wangyan@vmware.com>
@antoine-sncf

End user testing validated Friday. Thank you for your work on this topic.
