Internal Server Error When Modifying Harbor Project Permissions
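Problem Description
When modifying Harbor project permissions, the message internal server error is displayed.
Root Cause
The Redis instance used by Harbor does not permit the keys command.
Troubleshooting Steps
Check the logs of the Harbor Core Deployment and confirm whether the following error messages are present: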
2024-12-11T06:36:11Z [ERROR] [/lib/http/error.go:56]: {"errors":[{"code":"UNKNOWN","message":"unknown: NOPERM this user has no permissions to run the 'keys' command or its subcommand"}]}
2024-12-11T06:36:11Z [ERROR] [/lib/http/error.go:56]: {"errors":[{"code":"UNKNOWN","message":"unknown: NOPERM this user has no permissions to run the 'keys' command or its subcommand"}]}
2024-12-11T06:36:16Z [ERROR] [/lib/http/error.go:56]: {"errors":[{"code":"UNKNOWN","message":"unknown: NOPERM this user has no permissions to run the 'keys' command or its subcommand"}]}
2024-12-11T06:36:17Z [ERROR] [/lib/http/error.go:56]: {"errors":[{"code":"UNKNOWN","message":"unknown: NOPERM this user has no permissions to run the 'keys' command or its subcommand"}]}
Solution
Using Alauda Cache Service for Redis OSS
In the namespace where Redis is deployed, edit the redisuser resource named default and remove the -keys rule.
[root@demo1-gm1 ~]# kubectl get redisuser
NAME INSTANCE USERNAME PHASE AGE
rfr-acl-harbor-harbor-demo1-redis-default harbor-harbor-demo1-redis default Success 44d
rfr-acl-harbor-harbor-demo1-redis-operator harbor-harbor-demo1-redis operator Success 44d
[root@demo1-gm1 ~]# kubectl edit redisuser default -n <namespace>
Before the change:
# ...
spec:
  accountType: default
  aclRules: +@all -acl -flushall -flushdb -keys -*  # remove the "-keys" rule
  arch: sentinel
  passwordSecrets:
  - harbor-demo1-redis-password
  redisName: harbor-harbor-demo1-redis
  username: default
status:
  phase: Success
  lastUpdateSuccess: "2024-12-11T08:40:17Z"
After the change:
# ...
spec:
  accountType: default
  aclRules: +@all -acl -flushall -flushdb -*  # this line is the modified content
  arch: sentinel
  passwordSecrets:
  - harbor-demo1-redis-password
  redisName: harbor-harbor-demo1-redis
  username: default
status:
  phase: Success
  lastUpdateSuccess: "2024-12-11T08:40:17Z"
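An added example (not from the original article, Harbor, or Alauda): a small shell helper that extracts which Redis command the NOPERM errors name from Harbor core logs, then prints the aclRules string with only that command's deny token removed, so no other restriction is loosened. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.

# Read Harbor core log lines on stdin; print "<command> <count>" for every
# Redis command rejected with NOPERM.
denied_commands() {
    sed -n "s/.*NOPERM this user has no permissions to run the '\([^']*\)' command.*/\1/p" |
        sort | uniq -c | awk '{print $2, $1}'
}

# Print an aclRules string ($1) with the explicit deny token for one command
# ($2, lowercase) removed. Every other token is kept, in order.
allow_command() (
    set -f    # the rules contain "-*"; stop the shell expanding it as a glob
    out=""
    for tok in $1; do
        lc=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        if [ "$lc" != "-$2" ]; then
            out="${out:+$out }$tok"
        fi
    done
    printf '%s\n' "$out"
)

# Constructed sample in the format of the log lines shown above.
sample_log() {
    cat <<'EOF'
2024-12-11T06:36:11Z [ERROR] [/lib/http/error.go:56]: {"errors":[{"code":"UNKNOWN","message":"unknown: NOPERM this user has no permissions to run the 'keys' command or its subcommand"}]}
2024-12-11T06:36:12Z [INFO] [/constructed/example.go:1]: constructed line that must not match
2024-12-11T06:36:16Z [ERROR] [/lib/http/error.go:56]: {"errors":[{"code":"UNKNOWN","message":"unknown: NOPERM this user has no permissions to run the 'keys' command or its subcommand"}]}
2024-12-11T06:36:17Z [ERROR] [/lib/http/error.go:56]: {"errors":[{"code":"UNKNOWN","message":"unknown: NOPERM this user has no permissions to run the 'keys' command or its subcommand"}]}
EOF
}

# aclRules value from the "before" manifest.
RULES='+@all -acl -flushall -flushdb -keys -*'

# Live input would be: kubectl logs deployment/<harbor-core> -n <namespace>
sample_log | denied_commands | while read -r cmd count; do
    echo "denied: $cmd ($count log lines)"
    echo "aclRules without -$cmd: $(allow_command "$RULES" "$cmd")"
done
```

The helper only removes an explicit deny token; it does not evaluate full Redis ACL semantics.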
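Using a Self-Managed Redis
For a self-managed Redis instance, refer to the Redis ACL documentation to check and modify the command permission controls.
Notes
Because the keys command scans the entire key index and blocks the Redis service while it runs, consider carefully whether to leave this command permission enabled long term.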