Customer Problem: As a Quay administrator I need to be able to discover and control all content, organisations and teams on the registry for compliance and operational reasons. I have direct responsibility for the content and availability of the registry. Usually I am also the support contact for teams when they have difficulty providing or getting access to organizations, teams and images, e.g. when employees leave or projects are finished.
Goal: The superuser in Quay has actual super powers in the system, so that they can see and manipulate all content.
Why is this important: Currently the superuser is responsible for overall platform configuration. However, the superuser cannot see all organizations' content by default, and in order to manage it an explicit takeover has to take place. While this is a reasonable security precaution for Quay.io, in an enterprise setting this quickly becomes a management burden.
- superuser can see all organizations and all repositories (including user home organizations)
- superuser can control and manage all organizations and content
- superuser can introspect all content (layer info, CVEs, pull stats)
- superuser can see and manage all organization settings like storage quota or pull-thru proxy cache state
- superuser can see all mirrored repositories, their sync state and interval
- superuser can see mirroring queue backlog in order to determine bottlenecks
- superuser can see scanning queue backlog in order to determine bottlenecks
- any superuser action on tenant content can be audited
- the superuser access to all content and organizations can be disabled via a feature flag in the config bundle