
sporadically no login possible permanently 401 // an unauthorized security context generated #21647

Open
StefanSa opened this issue Feb 17, 2025 · 0 comments

Comments

@StefanSa

Expected behavior and actual behavior:
I use the latest Harbor docker images from Bitnami.
Additionally I have Traefik in front as a proxy with a little customized nginx config.
This works over a certain period of time without any problems. However, for some unknown reason,
I am either logged out during a session or cannot log in at all.
Often only a restart of the Harbor stack helps here.

Here is the error message:

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="8bb28dff-62ab-4feb-83dd-68925eff21bc" traceID="1a3279edf3fa6d01c5252ebaa2c8fda1"]: an unauthorized security context generated for request GET /api/v2.0/labels

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="f34ae086-7ac8-4193-849c-35fcfbc888a3" traceID="55609e1e372df527901c6239c1b6b379"]: an unauthorized security context generated for request GET /api/v2.0/registries

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="2fdd3c75-8117-4c2a-8957-4a39c11f6e24" traceID="2e1d58ef7b86e080afbfc4f59972dec8"]: an unauthorized security context generated for request GET /api/v2.0/jobservice/pools

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="301068b8-a526-406f-9140-762f2c7458dd" traceID="5585a8916986903fcef988174ca3154c"]: an unauthorized security context generated for request GET /api/v2.0/schedules/all/paused

2025-02-17T13:22:54Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}

2025-02-17T13:22:54Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}

2025-02-17T13:22:54Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 4617751f-e3bf-4268-b3e9-c264485d9ac2 to the logger for the request GET /api/v2.0/replication/policies

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /api/v2.0/replication/policies?page_size=5&page=1

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="4617751f-e3bf-4268-b3e9-c264485d9ac2" traceID="64884e7cee97ac3b48a573996d003443"]: an unauthorized security context generated for request GET /api/v2.0/replication/policies

2025-02-17T13:22:54Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 002eca63-bd4d-4388-a764-0b1f0355b14e to the logger for the request GET /api/v2.0/users/current

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /api/v2.0/users/current

2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="002eca63-bd4d-4388-a764-0b1f0355b14e" traceID="f693499a7b3837717338340d57ab1fca"]: an unauthorized security context generated for request GET /api/v2.0/users/current

2025-02-17T13:22:54Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}

2025-02-17T13:23:10Z [DEBUG] [/pkg/task/dao/execution.go:498]: skip to refresh, no outdate execution status found

docker compose / stack file:

services:
  core:
    environment:
      _REDIS_URL_CORE: redis://redis:6379/0
      _REDIS_URL_REG: redis://redis:6379/1
      ADMIRAL_URL: ""
      CHART_CACHE_DRIVER: redis
      CORE_KEY: change-this-key
      CORE_SECRET: CHANGEME
      CORE_URL: http://core:8080
      DATABASE_TYPE: postgresql
      EXT_ENDPOINT: https://harbor.feltengroup.local
      HARBOR_ADMIN_PASSWORD: bitnami
      JOBSERVICE_SECRET: CHANGEME
      JOBSERVICE_URL: http://jobservice:8080
      LOG_LEVEL: debug
      PORT: "8080"
      POSTGRESQL_DATABASE: registry
      POSTGRESQL_HOST: postgresql
      POSTGRESQL_PASSWORD: bitnami
      POSTGRESQL_PORT: "5432"
      POSTGRESQL_SSLMODE: disable
      POSTGRESQL_USERNAME: postgres
      READ_ONLY: "false"
      REGISTRY_CONTROLLER_URL: http://registryctl:8080
      REGISTRY_CREDENTIAL_PASSWORD: harbor_registry_password
      REGISTRY_CREDENTIAL_USERNAME: harbor_registry_user
      REGISTRY_STORAGE_PROVIDER_NAME: filesystem
      REGISTRY_URL: http://registry:5000
      RELOAD_KEY: ""
      SYNC_REGISTRY: "false"
      TOKEN_SERVICE_URL: http://core:8080/service/token
    image: docker.io/bitnami/harbor-core:2
    labels:
      metrics.grafana.com/scrape: "false"
    networks:
      internalnetwork: null
    configs:
      - source: core_config_file
        target: /etc/core/app.conf
      - source: core_privat_key
        target: /etc/core/private_key.pem
    deploy:
      placement:
        constraints:
          - node.role == worker
      mode: replicated
      endpoint_mode: dnsrr
      replicas: 1
      restart_policy:
        condition: any
    volumes:
      - type: bind
        source: /mnt/nfs/harbor/core_data
        target: /data
        bind:
          create_host_path: true

  harbor-nginx:
    image: bitnami/nginx:latest
    labels:
      metrics.grafana.com/scrape: "false"
    networks:
      internalnetwork: null
    deploy:
      labels:
        traefik.enable: "true"
        traefik.swarm.network: internalnetwork
        traefik.constraint-label: traefik-public

        traefik.http.routers.harbor_proxy.rule: Host(`harbor.feltengroup.local`)
        traefik.http.routers.harbor_proxy.tls: "true"
        traefik.http.routers.harbor_proxy.entrypoints: "https"
        traefik.http.routers.harbor_proxy.middlewares: harbor_proxy_sslheaders,harbor_proxy_https
        traefik.http.services.harbor_proxy.loadbalancer.server.port: 8080
        traefik.http.middlewares.harbor_proxy_sslheaders.headers.sslProxyHeaders.X-Forwarded-Proto: https
        traefik.http.middlewares.harbor_proxy_https.redirectscheme.scheme: https        
      placement:
        constraints:
          - node.role == worker
      mode: replicated
      endpoint_mode: dnsrr
      replicas: 1
      restart_policy:
        condition: any
    configs:
      - source: nginx_config_file
        target: /opt/bitnami/nginx/conf/nginx.conf

  jobservice:
    environment:
      CORE_SECRET: CHANGEME
      CORE_URL: http://core:8080
      JOBSERVICE_SECRET: CHANGEME
      REGISTRY_CONTROLLER_URL: http://registryctl:8080
      REGISTRY_CREDENTIAL_PASSWORD: harbor_registry_password
      REGISTRY_CREDENTIAL_USERNAME: harbor_registry_user
    image: bitnami/harbor-jobservice:2
    labels:
      metrics.grafana.com/scrape: "false"
    networks:
      internalnetwork: null
    configs:
      - source: jobservice_config_file
        target: /etc/jobservice/config.yml
    deploy:
      placement:
        constraints:
          - node.role == worker
      mode: replicated
      endpoint_mode: dnsrr
      replicas: 1
      restart_policy:
        condition: any
    volumes:
      - type: bind
        source: /mnt/nfs/harbor/jobservice_data
        target: /var/log/jobs
        bind:
          create_host_path: true

  portal:
    image: bitnami/harbor-portal
    labels:
      metrics.grafana.com/scrape: "false"
    deploy:
      placement:
        constraints:
          - node.role == worker
      mode: replicated
      endpoint_mode: dnsrr
      replicas: 1
      restart_policy:
        condition: any
    networks:
      internalnetwork: null

  postgresql:
    environment:
      POSTGRESQL_DATABASE: registry
      POSTGRESQL_PASSWORD: bitnami
    image: bitnami/postgresql:14
    labels:
      metrics.grafana.com/scrape: "false"
    deploy:
      placement:
        constraints:
          - node.role == worker
      mode: replicated
      endpoint_mode: dnsrr
      replicas: 1
      restart_policy:
        condition: any
    networks:
      internalnetwork: null
    volumes:
      - type: bind
        source: /mnt/nfs/harbor
        target: /bitnami/postgresql
        bind:
          create_host_path: true

  trivy:
    environment:
      SCANNER_TRIVY_VOLUME_DIR: /bitnami/harbor-adapter-trivy
      SCANNER_TRIVY_CACHE_DIR: /bitnami/harbor-adapter-trivy/.cache/trivy
      SCANNER_TRIVY_REPORTS_DIR: /bitnami/harbor-adapter-trivy/.cache/reports
      SCANNER_REDIS_URL: redis://redis:6379
      SCANNER_TRIVY_INSECURE: "true"
    image: bitnami/harbor-adapter-trivy:latest
    labels:
      metrics.grafana.com/scrape: "false"
    deploy:
      placement:
        constraints:
          - node.role == worker
      endpoint_mode: dnsrr
      mode: replicated
      replicas: 1
      restart_policy:
        condition: any
    networks:
      internalnetwork: null
    volumes:
      - type: bind
        source: /mnt/nfs/harbor/trivy
        target: /bitnami
        bind:
          create_host_path: true

  redis:
    environment:
      ALLOW_EMPTY_PASSWORD: "yes"
    image: bitnami/redis:latest
    labels:
      metrics.grafana.com/scrape: "false"
    deploy:
      placement:
        constraints:
          - node.role == worker
      mode: replicated
      endpoint_mode: dnsrr
      replicas: 1
      restart_policy:
        condition: any
    networks:
      internalnetwork: null

  registry:
    environment:
      REGISTRY_HTTP_SECRET: CHANGEME
    image: bitnami/harbor-registry:2
    labels:
      metrics.grafana.com/scrape: "false"
    deploy:
      placement:
        constraints:
          - node.role == worker
      mode: replicated
      endpoint_mode: dnsrr
      replicas: 1
      restart_policy:
        condition: any
    networks:
      internalnetwork: null
    volumes:
      - type: bind
        source: /mnt/nfs/harbor/registry_data
        target: /storage
        bind:
          create_host_path: true
    configs:
      - source: registry_config_file
        target: /etc/registry/config.yml
      - source: registry_root_cert
        target: /etc/registry/root.crt
      - source: regitry_user_file
        target: /etc/registry/passwd

  registryctl:
    environment:
      CORE_SECRET: CHANGEME
      JOBSERVICE_SECRET: CHANGEME
      REGISTRY_HTTP_SECRET: CHANGEME
    image: bitnami/harbor-registryctl:2
    labels:
      metrics.grafana.com/scrape: "false"
    deploy:
      placement:
        constraints:
          - node.role == worker
      mode: replicated
      endpoint_mode: dnsrr
      replicas: 1
      restart_policy:
        condition: any
    networks:
      internalnetwork: null
    configs:
      - source: registryctl_config_file
        target: /etc/registryctl/config.yml
      - source: registry_config_file
        target: /etc/registry/config.yml
      - source: registry_root_cert
        target: /etc/registry/root.crt
      - source: regitry_user_file
        target: /etc/registry/passwd
    volumes:
      - type: bind
        source: /mnt/nfs/harbor/registry_data
        target: /storage
        bind:
          create_host_path: true

networks:
  internalnetwork:
    name: internalnetwork
    external: true

configs:
  registryctl_config_file:
    file: ./config/registryctl/config.yml
  registry_config_file:
    file: ./config/registry/config.yml
  registry_root_cert:
    file: ./config/registry/root.crt
  regitry_user_file:
    file: ./config/registry/passwd
  jobservice_config_file:
    file: ./config/jobservice/config.yml
  nginx_config_file:
    file: ./config/proxy/nginx.conf
  core_config_file:
    file: ./config/core/app.conf
  core_privat_key:
    file: ./config/core/private_key.pem

nginx.conf:

worker_processes auto;
error_log         "/opt/bitnami/nginx/logs/error.log";
pid               "/opt/bitnami/nginx/tmp/nginx.pid";

events {
  worker_connections 1024;
  use epoll;
  multi_accept on;
}

http {
  tcp_nodelay on;

  # this is necessary for us to be able to disable request buffering in all cases
  proxy_http_version 1.1;

  upstream core {
    server core:8080;
  }

  upstream portal {
    server portal:8080;
  }

  log_format timed_combined '$remote_addr - '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '$request_time $upstream_response_time $pipe';

  client_body_temp_path  "/opt/bitnami/nginx/tmp/client_body" 1 2;
  proxy_temp_path        "/opt/bitnami/nginx/tmp/proxy" 1 2;
  fastcgi_temp_path      "/opt/bitnami/nginx/tmp/fastcgi" 1 2;
  scgi_temp_path         "/opt/bitnami/nginx/tmp/scgi" 1 2;
  uwsgi_temp_path        "/opt/bitnami/nginx/tmp/uwsgi" 1 2;

  server {
    listen 8080;
    server_tokens off;
    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    # customized location config files can be placed in /opt/bitnami/nginx/conf with prefix harbor.http. and suffix .conf
    include /opt/bitnami/conf/nginx/conf.d/harbor.http.*.conf;

    location / {
      proxy_pass http://portal/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      #proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /c/ {
      proxy_pass http://core/c/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      #proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /api/ {
      proxy_pass http://core/api/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      #proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /chartrepo/ {
      proxy_pass http://core/chartrepo/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      #proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /v1/ {
      return 404;
    }

    location /v2/ {
      proxy_pass http://core/v2/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      #proxy_set_header X-Forwarded-Proto $scheme;
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/ {
      proxy_pass http://core/service/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      #proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/notifications {
      return 404;
    }
  }
}

Any idea what the problem could be?
Thanks for any help

Versions:
Please specify the versions of the following systems.

  • harbor version: latest
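As an added diagnostic aid (not part of the issue and not Harbor's own code), here is a small parser for the core DEBUG lines quoted above. It extracts each "unauthorized security context" event with its request ID, trace ID, method and path and groups them by second, so a burst like the one at 13:22:54 (six API calls rejected in the same second, including /api/v2.0/users/current, which only succeeds when the browser's session credential is accepted) stands out from an isolated 401. The sample lines are copied from the issue; the burst threshold of three events per second is an assumed value.

```python
"""Group Harbor core 'unauthorized security context' DEBUG log lines into
per-second bursts. Added example; not Harbor project code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: log lines copied from the issue text above.
SAMPLE_LINES = [
    '2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="8bb28dff-62ab-4feb-83dd-68925eff21bc" traceID="1a3279edf3fa6d01c5252ebaa2c8fda1"]: an unauthorized security context generated for request GET /api/v2.0/labels',
    '2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="f34ae086-7ac8-4193-849c-35fcfbc888a3" traceID="55609e1e372df527901c6239c1b6b379"]: an unauthorized security context generated for request GET /api/v2.0/registries',
    '2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="2fdd3c75-8117-4c2a-8957-4a39c11f6e24" traceID="2e1d58ef7b86e080afbfc4f59972dec8"]: an unauthorized security context generated for request GET /api/v2.0/jobservice/pools',
    '2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="301068b8-a526-406f-9140-762f2c7458dd" traceID="5585a8916986903fcef988174ca3154c"]: an unauthorized security context generated for request GET /api/v2.0/schedules/all/paused',
    '2025-02-17T13:22:54Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}',
    '2025-02-17T13:22:54Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 4617751f-e3bf-4268-b3e9-c264485d9ac2 to the logger for the request GET /api/v2.0/replication/policies',
    '2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="4617751f-e3bf-4268-b3e9-c264485d9ac2" traceID="64884e7cee97ac3b48a573996d003443"]: an unauthorized security context generated for request GET /api/v2.0/replication/policies',
    '2025-02-17T13:22:54Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="002eca63-bd4d-4388-a764-0b1f0355b14e" traceID="f693499a7b3837717338340d57ab1fca"]: an unauthorized security context generated for request GET /api/v2.0/users/current',
    '2025-02-17T13:23:10Z [DEBUG] [/pkg/task/dao/execution.go:498]: skip to refresh, no outdate execution status found',
]

# Generic shape of a Harbor core line: timestamp, level, source location,
# optional requestID/traceID block, then the message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] \[(?P<src>[^\]]+)\]'
    r'(?:\[requestID="(?P<req>[^"]+)" traceID="(?P<trace>[^"]+)"\])?: (?P<msg>.*)$'
)
UNAUTH_RE = re.compile(
    r'an unauthorized security context generated for request (?P<method>[A-Z]+) (?P<path>\S+)'
)

# The endpoint the portal calls for the logged-in user; a 401 here means the
# request carried no credential that core accepted.
CURRENT_USER_PATH = "/api/v2.0/users/current"


@dataclass
class UnauthorizedEvent:
    ts: str
    request_id: str
    trace_id: str
    method: str
    path: str


def parse_unauthorized(lines):
    """Return the unauthorized-context events found in the given log lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        u = UNAUTH_RE.match(m.group("msg"))
        if not u:
            continue
        events.append(UnauthorizedEvent(
            m.group("ts"), m.group("req") or "", m.group("trace") or "",
            u.group("method"), u.group("path"),
        ))
    return events


def summarize(lines, threshold=3):
    """Map each second with >= threshold rejected requests to a summary:
    count, distinct paths, and whether the current-user call was rejected."""
    by_second = defaultdict(list)
    for e in parse_unauthorized(lines):
        by_second[e.ts].append(e.path)
    return {
        ts: {
            "count": len(paths),
            "paths": sorted(set(paths)),
            "session_rejected": CURRENT_USER_PATH in paths,
        }
        for ts, paths in by_second.items() if len(paths) >= threshold
    }


if __name__ == "__main__":
    for ts, info in summarize(SAMPLE_LINES).items():
        print(f"{ts}: {info['count']} unauthorized requests, "
              f"session rejected={info['session_rejected']}")
        for p in info["paths"]:
            print("   ", p)
```

Run it against a full core log (for example the output of `docker service logs` for the core service) instead of the embedded sample to see whether the 401s arrive in session-wide bursts, as in the issue, or as single requests; the request IDs let you match each rejected call against the proxy's access log.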