Project Quay / PROJQUAY-3980

Quay 3.7.2 pull from cache should check repository level permission on the team


    • Bug
    • Resolution: Not a Bug
    • Blocker
    • quay-v3.7.2
    • quay

      Description:

      This is a permission issue found when using Quay's new feature "pull from cache". There are two normal users, 'test' and 'test2'. Both users are on the vpteam team (the team has the "Member" role), and user test2 can pull from any repository in the testpullcache org regardless of the permissions assigned to that team and without any default permissions set. The expected behavior is that the pull from cache with user2 should fail with a permission error.

      Quay Image: quay-operator-bundle-container-v3.7.2-7

      [root@quaysmpt centos]# podman pull quay370.apps.quayperf370.perfscale.devcluster.openshift.com/testpullcache/rhceph-dev/ocs-registry:latest-stable-4.10.4 --tls-verify=false --creds test:password
      Trying to pull quay370.apps.quayperf370.perfscale.devcluster.openshift.com/testpullcache/rhceph-dev/ocs-registry:latest-stable-4.10.4...
      Getting image source signatures
      Copying blob cbcd3be01d80 skipped: already exists
      Copying blob e9915e1e4567 skipped: already exists
      Copying blob 993443a6f038 skipped: already exists
      Copying blob 7b33a4a5ecee skipped: already exists
      Copying blob 0a73835e2b86 skipped: already exists
      Copying blob 78c4c43aaa34 skipped: already exists
      Copying config 3aca3675ed done
      Writing manifest to image destination
      Storing signatures
      3aca3675ed069c66c4d612c450e98c2abbb5d41ded7f0cac037e42b96a86db65 
      
      [root@quaysmpt centos]# podman pull quay370.apps.quayperf370.perfscale.devcluster.openshift.com/testpullcache/rhceph-dev/ocs-registry:latest-stable-4.10.4 --tls-verify=false --creds test2:password
      Trying to pull quay370.apps.quayperf370.perfscale.devcluster.openshift.com/testpullcache/rhceph-dev/ocs-registry:latest-stable-4.10.4...
      Getting image source signatures
      Copying blob cbcd3be01d80 skipped: already exists
      Copying blob e9915e1e4567 skipped: already exists
      Copying blob 993443a6f038 skipped: already exists
      Copying blob 7b33a4a5ecee skipped: already exists
      Copying blob 78c4c43aaa34 skipped: already exists
      Copying blob 0a73835e2b86 skipped: already exists
      Copying config 3aca3675ed done
      Writing manifest to image destination
      Storing signatures
      3aca3675ed069c66c4d612c450e98c2abbb5d41ded7f0cac037e42b96a86db65
      
      [root@quaysmpt centos]# podman pull quay370.apps.quayperf370.perfscale.devcluster.openshift.com/testpullcache/quay-qetest/postgres:latest --tls-verify=false --creds test2:password
      Trying to pull quay370.apps.quayperf370.perfscale.devcluster.openshift.com/testpullcache/quay-qetest/postgres:latest...
      Getting image source signatures
      Copying blob 6715a45abab9 done
      Copying blob 0c2fbc0e8f61 done
      Copying blob 022ce4385fc8 done
      Copying blob 3264bf5cab32 done
      Copying blob d46b9cbbd6bb done
      Copying blob f979a7c51fc8 done
      Copying blob 05fb8fb74e6b done
      Copying blob 6decf59621f7 done
      Copying blob 4e7d90144d3b done
      Copying blob 3c72a7c8d968 done
      Copying blob 4ab8e7d3b6cc done
      Copying blob f93b7d3396c2 done
      Copying blob ba3fba6b5d9d done
      Copying config 5b21e2e86a done
      Writing manifest to image destination
      Storing signatures
      5b21e2e86aab1630251ecfb5d0d715634c0965931e8f5ab5d2dc6bce3aeb92fa
      No repository level permissions assigned:

            fmissi Flavian Missi
            lzha1981 luffy zhang