Bug
Resolution: Done
Critical
quay-v3.8.0
Description:
This is a new issue with the new Quay 3.8.0 feature "GLOBAL_READONLY_SUPER_USERS". After configuring user quay in the list of GLOBAL_READONLY_SUPER_USERS, I found that this user can still create new organizations, repos, etc. Please review this issue.
GLOBAL_READONLY_SUPER_USERS:
- quay
SUPER_USERS:
- admin
Quay 3.8.0 user "quay" is configured as a global readonly user:
Quay Image: quay-operator-bundle-container-v3.8.0-108
oc get pod
NAME                                       READY   STATUS      RESTARTS      AGE
quay-clair-app-5589b69bb4-2vmgw            1/1     Running     0             23m
quay-clair-app-5589b69bb4-z8v2d            1/1     Running     0             30m
quay-clair-postgres-5d96b69bd6-96vhz       1/1     Running     1 (29m ago)   30m
quay-operator.v3.8.0-7cc8fc8746-4sm2k      1/1     Running     0             89m
quay-quay-app-7cdf59974c-2dzjw             1/1     Running     0             18m
quay-quay-app-7cdf59974c-qtqpb             1/1     Running     0             19m
quay-quay-app-upgrade-p2xfm                0/1     Completed   0             30m
quay-quay-config-editor-86b5b9d4d9-8hbg8   1/1     Running     0             19m
quay-quay-database-68bc965664-mln5n        1/1     Running     0             30m
quay-quay-mirror-7944b5c448-bgn98          1/1     Running     0             18m
quay-quay-mirror-7944b5c448-z2gr2          1/1     Running     0             18m
quay-quay-redis-f4dbb587-5fp6c             1/1     Running     0             30m

cat conf/stack/config.yaml
ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
AUTHENTICATION_TYPE: Database
BUILDLOGS_REDIS:
  host: quay-quay-redis
  port: 6379
DATABASE_SECRET_KEY: SYEGcAD2KK3mdiQBVca18PDt-cw62ORtRkypMuX47IxX14JP0oa56sl-ZcEvMrTWCD6lOVJ27xw-UKu1
DB_CONNECTION_ARGS:
  autorollback: true
  threadlocals: true
DB_URI: postgresql://quay-quay-database:g1xJRhxmyyG6v-5IW5y0UfHw3TOL4OeqFW6vy4ym6SH3ogeAcQV80LPFP85lBmmRou4NynpDACbx5kkV@quay-quay-database:5432/quay-quay-database
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
  local_us:
  - RHOCSStorage
  - access_key: oVwbfRSJNhwPIKULUt9k
    bucket_name: quay-datastore-88694230-a8c2-4769-9d70-85ca075c2c7d
    hostname: s3.openshift-storage.svc.cluster.local
    is_secure: true
    port: 443
    secret_key: TkH7k/IdSF1HvKTJkQAUogrV2wEoHm5ZHhuUxJoo
    storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- local_us
DISTRIBUTED_STORAGE_PREFERENCE:
- local_us
ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
EXTERNAL_TLS_TERMINATION: true
FEATURE_BUILD_SUPPORT: false
FEATURE_DIRECT_LOGIN: true
FEATURE_MAILING: false
FEATURE_PROXY_STORAGE: true
FEATURE_REPO_MIRROR: true
FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
FEATURE_STORAGE_REPLICATION: false
FEATURE_SUPERUSERS_FULL_ACCESS: true
FEATURE_UI_V2: true
GLOBAL_READONLY_SUPER_USERS:
- quay
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Red Hat Quay
REGISTRY_TITLE_SHORT: Red Hat Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SECRET_KEY: buknreOv4FDQcR9mAgeuoLwaCVeuRYXqxg0WZsrk3NeVan3oHhK13Vn4r8dB82FNUSAid46P2wfkTcHT
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quay-clair-app.quay-enterprise-13325.svc.cluster.local
SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
- admin
SECURITY_SCANNER_V4_PSK: ek5HaEZ4SVMzb0dIeUNCNEpGYmo4bVRCc2lYNmNLLTA=
SERVER_HOSTNAME: quay-quay-quay-enterprise-13325.apps.quaytest-13325.qe.devcluster.openshift.com
SETUP_COMPLETE: true
SUPER_USERS:
- admin
TAG_EXPIRATION_OPTIONS:
- 2w
TEAM_RESYNC_STALE_TIME: 60m
TESTING: false
USER_EVENTS_REDIS:
  host: quay-quay-redis
  port: 6379