Skip to content

[bug]: Poor validation/error message when creating robot with incompatible config (system vs project) #769

Open
#770
Open
[bug]: Poor validation/error message when creating robot with incompatible config (system vs project)#769
#770
Labels
bugSomething isn't working
@qcserestipy

Description

@qcserestipy
qcserestipy
opened on Mar 25, 2026

Description

A user has brought up an issue when attempting to create a robot account via the CLI using a configuration that specifies project-level permissions with a wildcard namespace.

The CLI returns the error:

Error: system robot configuration must include system-level permissions

From the user's perspective, this is confusing because the configuration explicitly defines "level": "project", yet the CLI appears to interpret the request as a system-level robot creation. Additionally, similar configurations appear to be accepted when using the Harbor UI.

Steps to Reproduce

  1. Run command:

    ./bin/harbor-cli robot create -r robot.json

  2. Use the following configuration:

    {
  "permissions":[
    {
      "access":[
        {
          "resource":"repository",
          "actions":["pull"]
        }
      ],
      "kind":"project",
      "namespace":"*"
    }
  ],
  "name":"test",
  "description":null,
  "duration":-1,
  "level":"project"
}

  3. Observe error:

    Error: system robot configuration must include system-level permissions

Expected Behavior

The behavior should be clarified or adjusted in one of the following ways:

  • The CLI should accept the configuration if this is a valid scenario (as suggested by UI behavior), or

  • The CLI should provide an early validation error clearly stating that:

    • robot create creates a system-level robot
    • "namespace": "*" is only valid for system robots
    • Project-level robots must be created using project robot create

The error message should guide the user toward the correct command and configuration.

Actual Behavior

The CLI returns a generic error requiring system-level permissions, which does not clearly explain:

  • Why the configuration is being treated as system-level
  • Why a project-level configuration is invalid in this context
  • What the correct alternative command or configuration should be

Environment

  • Tool version: latest harbor-cli
  • Harbor version: latest Harbor
  • Other relevant details: issue reproduced with wildcard namespace configuration

Conclusion

This combination results in a mismatch that is not clearly communicated to the user.

Improving early validation and error messaging would significantly improve usability and reduce confusion.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions