Type: Bug
Resolution: Done
Priority: Blocker
Version: quay-v3.8.0
Description:
This is an issue with the Quay 3.8.0 new feature "restricted users": after enabling the flag "RESTRICTED_USERS_WHITELIST" and adding a specific LDAP user to the restricted user whitelist, the user on the whitelist is still a restricted user. That means the flag "RESTRICTED_USERS_WHITELIST" doesn't work when using "LDAP_RESTRICTED_USER_FILTER". Please review this issue.
RESTRICTED_USERS_WHITELIST:
- larry
LDAP_RESTRICTED_USER_FILTER: (&(employeeType=vendor)(postalCode=98666))
LDAP_SUPERUSER_FILTER: (&(employeeType=managers)(postalCode=96520))
FEATURE_RESTRICTED_USERS: true
Customer Scenario confirmed by Quay PM:
- if the auth is LDAP and you enable the feature flag and also the restricted LDAP filter, it will apply to all users caught by the filter, unless they are on the whitelist
Quay Image: quay-operator-bundle-container-v3.8.0-119
Quay LDAP user "larry" is in the filter results of LDAP_RESTRICTED_USER_FILTER, but is also on the restricted user whitelist, and is still a restricted user.
Quay config.yaml:
ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
AUTHENTICATION_TYPE: LDAP
AVATAR_KIND: local
BROWSER_API_CALLS_XHR_ONLY: false
BUILDLOGS_REDIS:
  host: quayregistry-quay-redis
  port: 6379
CREATE_NAMESPACE_ON_PUSH: true
CREATE_PRIVATE_REPO_ON_PUSH: true
CREATE_REPOSITORY_ON_PUSH_PUBLIC: true
DATABASE_SECRET_KEY: c7MOT1sgmOmyjQMtL3zDACCj4Ha9RWGJ6yLDcLFe1PXqHjBCrWCCP4FH9oRybfr4tVPsbUYKvx4MnOsa
DB_CONNECTION_ARGS:
  autorollback: true
  threadlocals: true
DB_URI: postgresql://quayregistry-quay-database:tgihsZh3cT81xbtckE288nj7azbprVprQ0-vlryoY5bnOXE5NyaNqHGhRM6Am4f0MXnEQWCOT1MuH6zr@quayregistry-quay-database:5432/quayregistry-quay-database
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
  local_us:
  - RHOCSStorage
  - access_key: bvoaMc2qhLQPrNZy8MqG
    bucket_name: quay-datastore-963dcadd-052e-479f-a196-b3d526eb51e2
    hostname: s3.openshift-storage.svc.cluster.local
    is_secure: true
    port: 443
    secret_key: 6np5ARbc6NLUpB5zhgSVj5iUZUDlZLxtxmzBNaAC
    storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- local_us
DISTRIBUTED_STORAGE_PREFERENCE:
- local_us
ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
EXTERNAL_TLS_TERMINATION: true
FEATURE_ACTION_LOG_ROTATION: false
FEATURE_ANONYMOUS_ACCESS: true
FEATURE_APP_SPECIFIC_TOKENS: true
FEATURE_BITBUCKET_BUILD: false
FEATURE_BLACKLISTED_EMAILS: false
FEATURE_BUILD_SUPPORT: false
FEATURE_CHANGE_TAG_EXPIRATION: true
FEATURE_DIRECT_LOGIN: true
FEATURE_EXTENDED_REPOSITORY_NAMES: true
FEATURE_FIPS: false
FEATURE_GENERAL_OCI_SUPPORT: true
FEATURE_GITHUB_BUILD: false
FEATURE_GITHUB_LOGIN: false
FEATURE_GITLAB_BUILD: false
FEATURE_GOOGLE_LOGIN: false
FEATURE_HELM_OCI_SUPPORT: true
FEATURE_INVITE_ONLY_USER_CREATION: false
FEATURE_MAILING: false
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false
FEATURE_PARTIAL_USER_AUTOCOMPLETE: true
FEATURE_PROXY_CACHE: true
FEATURE_PROXY_STORAGE: true
FEATURE_QUOTA_MANAGEMENT: true
FEATURE_REPO_MIRROR: true
FEATURE_RESTRICTED_USERS: true
FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
FEATURE_STORAGE_REPLICATION: false
FEATURE_SUPERUSERS_FULL_ACCESS: true
FEATURE_TEAM_SYNCING: false
FEATURE_UI_V2: true
FEATURE_USER_CREATION: true
FEATURE_USER_INITIALIZE: true
FEATURE_USER_LAST_ACCESSED: true
FEATURE_USER_LOG_ACCESS: false
FEATURE_USER_METADATA: false
FEATURE_USER_RENAME: false
FEATURE_USERNAME_CONFIRMATION: true
FRESH_LOGIN_TIMEOUT: 10m
GITHUB_LOGIN_CONFIG: {}
GITHUB_TRIGGER_CONFIG: {}
GITLAB_TRIGGER_KIND: {}
LDAP_ADMIN_DN: cn=admin,dc=example,dc=org
LDAP_ADMIN_PASSWD: admin
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
- dc=example
- dc=org
LDAP_EMAIL_ATTR: mail
LDAP_RESTRICTED_USER_FILTER: (&(employeeType=vendor)(postalCode=98666))
LDAP_SUPERUSER_FILTER: (&(employeeType=managers)(postalCode=96520))
LDAP_UID_ATTR: uid
LDAP_URI: ldap://quayldap.qe.devcluster.openshift.com
LDAP_USER_RDN:
- ou=usateam
LOGS_MODEL: database
LOGS_MODEL_CONFIG: {}
MAIL_DEFAULT_SENDER: support@quay.io
MAIL_PORT: 587
MAIL_USE_AUTH: false
MAIL_USE_TLS: false
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Red Hat Quay
REGISTRY_TITLE_SHORT: Red Hat Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
RESTRICTED_USERS_WHITELIST:
- larry
SEARCH_MAX_RESULT_PAGE_COUNT: 10
SEARCH_RESULTS_PER_PAGE: 10
SECRET_KEY: mKCSa7KVqRrroJYkttV80DxeKj9c100S0Ak4GVgFQ9BNu98FBamqoq3RfO0xBpPHtD36SiShNpSOGyxE
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quayregistry-clair-app.quay-enterprise-13399.svc.cluster.local
SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
- admin
SECURITY_SCANNER_V4_PSK: RFBKRkk3emVrVE1zTVJLVG40YXRWSXMwbW1xWS14VFQ=
SERVER_HOSTNAME: quayregistry-quay-quay-enterprise-13399.apps.quaytest-13399.qe.devcluster.openshift.com
SETUP_COMPLETE: true
SUPER_USERS:
- quay
- admin
TAG_EXPIRATION_OPTIONS:
- 2w
TEAM_RESYNC_STALE_TIME: 60m
TESTING: false
USER_EVENTS_REDIS:
  host: quayregistry-quay-redis
  port: 6379
USER_RECOVERY_TOKEN_LIFETIME: 30m
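To make the expected behaviour testable, here is an added Python model (not Quay's own code) of the decision the PM describes: a minimal evaluator for the LDAP filter syntax used in LDAP_RESTRICTED_USER_FILTER, with the whitelist checked before the filter. The directory entries are constructed; CONFIG holds only the keys from the config.yaml above that the decision depends on.

```python
# Constructed directory entries for the walkthrough; not real LDAP users.
DIRECTORY = {
    "larry": {"employeeType": "vendor", "postalCode": "98666"},  # caught by filter, whitelisted
    "alice": {"employeeType": "vendor", "postalCode": "98666"},  # caught by filter only
    "bob": {"employeeType": "managers", "postalCode": "96520"},  # not caught by filter
}
CONFIG = {
    "FEATURE_RESTRICTED_USERS": True,
    "LDAP_RESTRICTED_USER_FILTER": "(&(employeeType=vendor)(postalCode=98666))",
    "RESTRICTED_USERS_WHITELIST": ["larry"],
}

def parse_filter(s):
    """Parse a minimal RFC 4515 filter: (&...), (|...), (!...) and (attr=value)."""
    def parse(i):
        assert s[i] == "(", "expected '(' at offset %d" % i
        i += 1
        if s[i] in "&|!":  # compound filter: operator followed by child filters
            op, i, kids = s[i], i + 1, []
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            assert s[i] == ")", "expected ')' at offset %d" % i
            return (op, kids), i + 1
        end = s.index(")", i)  # simple equality filter
        attr, value = s[i:end].split("=", 1)
        return ("=", attr, value), end + 1
    node, i = parse(0)
    assert i == len(s), "trailing characters after filter"
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry's attribute dict."""
    op = node[0]
    if op == "=":
        return entry.get(node[1]) == node[2]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)  # "!" has exactly one child

def is_restricted(username, config=CONFIG, directory=DIRECTORY):
    """PM rule: the filter restricts every user it catches, unless whitelisted."""
    if not config.get("FEATURE_RESTRICTED_USERS"):
        return False
    if username in config.get("RESTRICTED_USERS_WHITELIST", []):
        return False  # whitelist wins over the filter, which is what the issue expects
    filt = parse_filter(config["LDAP_RESTRICTED_USER_FILTER"])
    return matches(filt, directory.get(username, {}))
```

Under this model "larry" is not restricted; the behaviour reported above (larry still restricted) is the deviation from the rule.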
causes: PROJQUAY-4768 Quay 3.8.0 LDAP user is still restricted user when the user is not in the filter results of LDAP_RESTRICTED_USER_FILTER (Closed)