Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-3806

Cannot pull from proxy org as non-admin member

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • quay-v3.7.2, quay-v3.8.0
    • quay-v3.7.0, quay-v3.7.1
    • quay
    • False
    • None
    • False
    • 0

    Description

      The proxy registry model currently auto-creates repositories when an image is first pulled (and cached) via pull-thru proxy. If a user is not an org admin, this part of the flow is never reached, since the permission check halts the request before (and righteously so).

      Users creating a repository need the "push" action in their jwt token. This is added to the token in the /auth endpoint[1]. This endpoint also handles auto-creation of repositories when necessary[2].

      When pulling an image thru a proxy org, the jwt token will contain the "pull" action, causing Quay to deny pulls to a repository that hasn't yet been created (for all users who aren't org admin). 

      [1] https://github.com/quay/quay/blob/master/endpoints/v2/v2auth.py#L61
      [2] https://github.com/quay/quay/blob/master/endpoints/v2/v2auth.py#L285-L287

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. PROJQUAY-3980 Quay 3.7.2 pull from cache should check repository level permission on the team

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is related to

          Task - Represents a small unit of work that is not end-user facing. PROJQUAY-3940 Create repository without owner

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • New
          links to

          GitHub quay/quay#1392: Revert "[redhat-3.7] fix: enable non-admins to cache images via pull-thru (PROJQUAY-3806)"

          Activity

            People

              fmissi Flavian Missi
              fmissi Flavian Missi
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: