Unable to docker-ls repositories as non-admin user

[DavidRodHub]

From the command line running the following command as a non-admin user outputs "authorization rejected by registry".

$ docker-ls repositories --registry https://my.registry.org --user myuser --password mypassword

Running the same command as admin user outputs ALL repos as expected.

Is this as designed? If so, why aren't users that are able to log-in to Harbor, not able to list the repositories from the command line.

[DirtyHairy]

From what I can tell from your description, this works as designed. In case of token-based auth (which I assume harbor is using), the registry will request authorization to access scope registry:catalog:*. The client (docker-ls) will then connect to the auth server and request an access token for this scope, using the credentials to perform basic auth. It is up to the auth server to grant this, and in your case, it doesn't.

I don't know if harbor can be configured to grant this permission to ordinary users; the user guide suggests that this is available only to users that are assigned the SysAdmin role.

[jaychris]

You have to add non-admin users to every project in Harbor, or the repositories listing will fail (unless you are an admin user).

Alternatively, it might be simpler if you could specify a project in docker-ls, so that you could list all the containers in a specific project, instead of The World. For example, I don't care about user repos - but my non-privileged user is only a member of my main repo and it would be nice if I could list just that repo. Maybe a --project switch added to the repositories command...