Version
"core": "3.43.2",
"container": "2.17.0"
Describe the bug
Requests to the /v2//tags/list endpoint succeed, but fail with a 401 when pagination query parameters are appended.
The same token is used for both requests, and just includes service=:
/token/?service=example.com
('pulp [813cd77a4cb44f64a4d8093505867076]: ::ffff:172.18.0.9 - - [15/Aug/2025:10:22:15 +0000] "GET /v2/stackhpc/neutron-server/tags/list HTTP/1.0" 200 3573 "-" "harbor-registry-client"',)
('pulp [bbf9921074914c1783ba2d5b40e7caf0]: ::ffff:172.18.0.9 - - [15/Aug/2025:10:22:15 +0000] "GET /v2/stackhpc/neutron-server/tags/list?n=100&last=2025.1-ubuntu-noble-20250725T143116 HTTP/1.0" 401 106 "https://example.com/v2/stackhpc/neutron-server/tags/list?n=100&last=2025.1-ubuntu-noble-20250725T143116" "harbor-registry-client"',)
If the token includes scope= (and account=) then the paginated call is successful.
/token/?account=REDACTED&scope=repository%3Astackhpc%2Fneutron-server%3Apull&service=example.com
('pulp [c726049738fb4854ab8b907da1e8f953]: ::ffff:172.18.0.9 - - [15/Aug/2025:12:27:10 +0000] "GET /v2/stackhpc/neutron-server/tags/list HTTP/1.0" 200 3573 "-" "skopeo/1.19.0"',)
('pulp [a247c47c7fa145269cd5fd8d16ff3b1c]: ::ffff:172.18.0.9 - - [15/Aug/2025:12:33:41 +0000] "GET /v2/stackhpc/neutron-server/tags/list?n=100&last=2025.1-ubuntu-noble-20250725T143116 HTTP/1.0" 200 480 "-" "skopeo/1.19.0"',)
I'm not sure what the correct behaviour for the registry v2 protocol is, but there is enough variety in the client implementation that something like Skopeo (which requests the repository= scope in its token) can always list tags from a repository, whether it has more than 100 tags or not, but Harbor's "Docker registry" provider can't if there are more than 100 tags in the repository.
To Reproduce
Use skopeo list-tags or setup a replication rule using Harbor's Docker registry provider on a repository with more than 100 tags and observe the difference in behaviour.
Expected behavior
The paginated version of /v2//tags/list should be behind the same authentication as the bare endpoint.
Version
"core": "3.43.2",
"container": "2.17.0"
Describe the bug
Requests to the /v2//tags/list endpoint succeed, but fail with a 401 when pagination query parameters are appended.
The same token is used for both requests, and just includes
service=:If the token includes
scope=(andaccount=) then the paginated call is successful.I'm not sure what the correct behaviour for the registry v2 protocol is, but there is enough variety in the client implementation that something like Skopeo (which requests the
repository=scope in its token) can always list tags from a repository, whether it has more than 100 tags or not, but Harbor's "Docker registry" provider can't if there are more than 100 tags in the repository.To Reproduce
Use
skopeo list-tagsor setup a replication rule using Harbor's Docker registry provider on a repository with more than 100 tags and observe the difference in behaviour.Expected behavior
The paginated version of /v2//tags/list should be behind the same authentication as the bare endpoint.