-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Developer Role unable to retag images via UI #21042
Comments
I just found this issue #20382, which appears to be the same issue, just via API rather than the web UI. Appears there are others with similar complaints. For what it's worth, the retag permission is granted to all users in the Guest role or higher (including Developer) according to the docs, so I would expect it to work via the UI (and API) as well. Developer role does not have access to delete tags, so doing it as a 2-step process is not possible. I don't think granting everyone Maintainer or Admin access is a valid path forward, nor is it clear in the docs that this would even resolve this use-case. If desired, we could add a warning prompt about the tag already existing. At the very least, the docs should be updated to clarify this access is only granted via Docker CLI. Though again, I believe this should be allowed within the Harbor API/UI. |
In the OCI world, the combination of the repository and tag serves as the unique identifier. Based on your description, the error you encountered in step 4 is the expected behavior. The tag You can achieve this using the Docker CLI, as it facilitates the removal and reassignment of tags from one artifact to another in the backend. From my understanding, you would like to see a button that allows for the migration of a tag from one artifact to another. |
Current semantic of the API is to "add tag" to an artifact, Harbor has a check to make sure the tag is not added to another artifact. It would be a break change of API if we remove this check and IMO it's not a high priority. It may be handy for some user but problematic for others. |
I wouldn't expect the tag to be blindly replaced, but a warning prompt (and possibly an override option for the appropriate access level) seems perfectly reasonable to me. It doesn't necessarily need to be an API change because the web app could simply fire off two API calls (one remove, one add). I envision this as a simple check for the returned "tag already exists" error, and if the user has correct access, a modal prompt for "do you want to retag to artifact ?". If yes, then fire off a delete of the existing tag then another add tag call which should succeed now. The only problem is that Developers can't delete tags, so a separate "retag" API is likely the better path forward. Adding new API endpoints should never be a breaking change IMO. At the bare minimum, the docs should be updated to indicate the "retag" action is only doable via docker CLI, because the Developer role does not have access to delete tags and therefore cannot do the manual 2-step process via Harbor UI or API. |
If you are reporting a problem, please make sure the following information are provided:
Expected behavior and actual behavior:
We have users with the Developer role.
Working within the Harbor UI, they are able to manually assign new tags to images, however, they are unable to assign existing tags to images.
To clarify, if a separate image hash is already tagged "abcd", they will be unable to "Add Tag" with the name "abcd".
Doing this through the docker CLI works correctly (and assuming your docker CLI is authenticated to Harbor with a user assigned the "Developer" role)
Steps to reproduce the problem:
sha256:4c3d11be
in above screenshot)Versions:
Please specify the versions of following systems.
Additional context:
(I don't believe these are relevant to my report, but I can provide them if requested)
The text was updated successfully, but these errors were encountered: