Loading...

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: quay-v3.8.0, quay-v3.9.0
Affects Version/s: quay-v3.8.0
Component/s: quay
Labels:
- triaged

Blocked:
False
Blocked Reason:
None
Ready:
False

RICE Score:
0

Target Version:

quay-v3.8.0, quay-v3.9.0

SFDC Cases Links:
SFDC Cases Counter:

Description

Description:

This is a new issue of Quay 3.8.0 new feature "GLOBAL_READONLY_SUPER_USERS", after config user quay to the list of GLOBAL_READONLY_SUPER_USERS, found this user can still create new organizations, repo, etc. Pls review this issue.

GLOBAL_READONLY_SUPER_USERS:
- quay
SUPER_USERS:
- admin

Quay 3.8.0 user "quay" is configured as global readonly user:

Quay Image: quay-operator-bundle-container-v3.8.0-108

oc get pod
NAME                                       READY   STATUS      RESTARTS      AGE
quay-clair-app-5589b69bb4-2vmgw            1/1     Running     0             23m
quay-clair-app-5589b69bb4-z8v2d            1/1     Running     0             30m
quay-clair-postgres-5d96b69bd6-96vhz       1/1     Running     1 (29m ago)   30m
quay-operator.v3.8.0-7cc8fc8746-4sm2k      1/1     Running     0             89m
quay-quay-app-7cdf59974c-2dzjw             1/1     Running     0             18m
quay-quay-app-7cdf59974c-qtqpb             1/1     Running     0             19m
quay-quay-app-upgrade-p2xfm                0/1     Completed   0             30m
quay-quay-config-editor-86b5b9d4d9-8hbg8   1/1     Running     0             19m
quay-quay-database-68bc965664-mln5n        1/1     Running     0             30m
quay-quay-mirror-7944b5c448-bgn98          1/1     Running     0             18m
quay-quay-mirror-7944b5c448-z2gr2          1/1     Running     0             18m
quay-quay-redis-f4dbb587-5fp6c             1/1     Running     0             30m


cat conf/stack/config.yaml 
ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
AUTHENTICATION_TYPE: Database
BUILDLOGS_REDIS:
  host: quay-quay-redis
  port: 6379
DATABASE_SECRET_KEY: SYEGcAD2KK3mdiQBVca18PDt-cw62ORtRkypMuX47IxX14JP0oa56sl-ZcEvMrTWCD6lOVJ27xw-UKu1
DB_CONNECTION_ARGS:
  autorollback: true
  threadlocals: true
DB_URI: postgresql://quay-quay-database:g1xJRhxmyyG6v-5IW5y0UfHw3TOL4OeqFW6vy4ym6SH3ogeAcQV80LPFP85lBmmRou4NynpDACbx5kkV@quay-quay-database:5432/quay-quay-database
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
  local_us:
  - RHOCSStorage
  - access_key: oVwbfRSJNhwPIKULUt9k
    bucket_name: quay-datastore-88694230-a8c2-4769-9d70-85ca075c2c7d
    hostname: s3.openshift-storage.svc.cluster.local
    is_secure: true
    port: 443
    secret_key: TkH7k/IdSF1HvKTJkQAUogrV2wEoHm5ZHhuUxJoo
    storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- local_us
DISTRIBUTED_STORAGE_PREFERENCE:
- local_us
ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
EXTERNAL_TLS_TERMINATION: true
FEATURE_BUILD_SUPPORT: false
FEATURE_DIRECT_LOGIN: true
FEATURE_MAILING: false
FEATURE_PROXY_STORAGE: true
FEATURE_REPO_MIRROR: true
FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
FEATURE_STORAGE_REPLICATION: false
FEATURE_SUPERUSERS_FULL_ACCESS: true
FEATURE_UI_V2: true
GLOBAL_READONLY_SUPER_USERS:
- quay
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Red Hat Quay
REGISTRY_TITLE_SHORT: Red Hat Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SECRET_KEY: buknreOv4FDQcR9mAgeuoLwaCVeuRYXqxg0WZsrk3NeVan3oHhK13Vn4r8dB82FNUSAid46P2wfkTcHT
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quay-clair-app.quay-enterprise-13325.svc.cluster.local
SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
- admin
SECURITY_SCANNER_V4_PSK: ek5HaEZ4SVMzb0dIeUNCNEpGYmo4bVRCc2lYNmNLLTA=
SERVER_HOSTNAME: quay-quay-quay-enterprise-13325.apps.quaytest-13325.qe.devcluster.openshift.com
SETUP_COMPLETE: true
SUPER_USERS:
- admin
TAG_EXPIRATION_OPTIONS:
- 2w
TEAM_RESYNC_STALE_TIME: 60m
TESTING: false
USER_EVENTS_REDIS:
  host: quay-quay-redis
  port: 6379