- Bug
- Resolution: Done
- Blocker
- quay-v3.8.0
- Approved
Description:
This is an issue with the Quay 3.8.0 new feature "Restricted Users": when the flag "FEATURE_RESTRICTED_USERS" is enabled and the LDAP filter "LDAP_RESTRICTED_USER_FILTER" is added, LDAP users that do not match the restricted filter are also treated as restricted users. Please review this issue.
Quay Image: quay-operator-bundle-container-v3.8.0-119
LDAP_RESTRICTED_USER_FILTER: (&(employeeType=vendor)(postalCode=98666))
LDAP_SUPERUSER_FILTER: (&(employeeType=managers)(postalCode=96520))
FEATURE_RESTRICTED_USERS: true
LDAP user "testuser" does not match the "LDAP_RESTRICTED_USER_FILTER" filter:
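To make the expected semantics of the two filters concrete, here is an added standalone check. It is not Quay's own code: Quay evaluates the filter on the LDAP server, whereas this evaluates a subset of RFC 4515 filter syntax (&, |, !, attr=value with * wildcards) against constructed user records in Python. The two filter strings are the ones from this report; the user records, the SAMPLE_USERS names and the expected_restricted helper are assumptions made for illustration. Under correct behaviour only users matching the restricted filter are marked restricted, so "testuser" must come out unrestricted.

```python
"""Expected semantics of LDAP_RESTRICTED_USER_FILTER as an offline check.

Added example, not Quay's code. A minimal RFC 4515 filter evaluator is run
against constructed entries so that the expectation "only users matching the
filter are restricted" can be asserted without an LDAP server.
"""

import re

# Constructed sample directory (assumption, not from the report): uid -> attributes.
SAMPLE_USERS = {
    "testuser": {"uid": "testuser", "employeeType": "engineer", "postalCode": "10001"},
    "vendor1": {"uid": "vendor1", "employeeType": "vendor", "postalCode": "98666"},
    "vendor2": {"uid": "vendor2", "employeeType": "vendor", "postalCode": "12345"},
    "boss": {"uid": "boss", "employeeType": "managers", "postalCode": "96520"},
}

# Filter strings as configured in the report.
RESTRICTED_FILTER = "(&(employeeType=vendor)(postalCode=98666))"
SUPERUSER_FILTER = "(&(employeeType=managers)(postalCode=96520))"


def parse_filter(text):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter at offset %d" % pos)
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), pos + 1
    # Simple equality item: everything up to the closing parenthesis.
    end = text.index(")", pos)
    item = text[pos:end]
    if "=" not in item:
        raise ValueError("expected attr=value at offset %d" % pos)
    attr, _, value = item.partition("=")
    return ("=", attr, value), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attribute dict.

    Attribute names are compared case-insensitively; '*' in a value is the
    RFC 4515 substring wildcard, everything else is matched literally.
    """
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    actual = {k.lower(): v for k, v in attrs.items()}.get(attr.lower())
    if actual is None:
        return False
    pattern = "^" + ".*".join(re.escape(part) for part in value.split("*")) + "$"
    return re.match(pattern, actual, re.IGNORECASE) is not None


def is_restricted(attrs, filter_text=RESTRICTED_FILTER):
    """True only when the entry matches the restricted-user filter."""
    return matches(parse_filter(filter_text), attrs)


def expected_restricted(users=SAMPLE_USERS, filter_text=RESTRICTED_FILTER):
    """uids the filter should mark restricted; every other uid must stay unrestricted."""
    node = parse_filter(filter_text)
    return sorted(uid for uid, attrs in users.items() if matches(node, attrs))


if __name__ == "__main__":
    superuser = parse_filter(SUPERUSER_FILTER)
    for uid, attrs in SAMPLE_USERS.items():
        role = "superuser" if matches(superuser, attrs) else (
            "restricted" if is_restricted(attrs) else "normal")
        print(f"{uid:10s} -> {role}")
```

Running the block prints one line per sample user; with the report's filters only "vendor1" is restricted and "boss" is a superuser, while "testuser" and "vendor2" are normal. The same expected_restricted output is what a regression check for this report would compare against the set of users Quay actually flags.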
Quay Config.yaml:
ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
AUTHENTICATION_TYPE: LDAP
AVATAR_KIND: local
BROWSER_API_CALLS_XHR_ONLY: false
BUILDLOGS_REDIS:
  host: quayregistry-quay-redis
  port: 6379
CREATE_NAMESPACE_ON_PUSH: true
CREATE_PRIVATE_REPO_ON_PUSH: true
CREATE_REPOSITORY_ON_PUSH_PUBLIC: true
DATABASE_SECRET_KEY: c7MOT1sgmOmyjQMtL3zDACCj4Ha9RWGJ6yLDcLFe1PXqHjBCrWCCP4FH9oRybfr4tVPsbUYKvx4MnOsa
DB_CONNECTION_ARGS:
  autorollback: true
  threadlocals: true
DB_URI: postgresql://quayregistry-quay-database:tgihsZh3cT81xbtckE288nj7azbprVprQ0-vlryoY5bnOXE5NyaNqHGhRM6Am4f0MXnEQWCOT1MuH6zr@quayregistry-quay-database:5432/quayregistry-quay-database
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
  local_us:
  - RHOCSStorage
  - access_key: bvoaMc2qhLQPrNZy8MqG
    bucket_name: quay-datastore-963dcadd-052e-479f-a196-b3d526eb51e2
    hostname: s3.openshift-storage.svc.cluster.local
    is_secure: true
    port: 443
    secret_key: 6np5ARbc6NLUpB5zhgSVj5iUZUDlZLxtxmzBNaAC
    storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- local_us
DISTRIBUTED_STORAGE_PREFERENCE:
- local_us
ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
EXTERNAL_TLS_TERMINATION: true
FEATURE_ACTION_LOG_ROTATION: false
FEATURE_ANONYMOUS_ACCESS: true
FEATURE_APP_SPECIFIC_TOKENS: true
FEATURE_BITBUCKET_BUILD: false
FEATURE_BLACKLISTED_EMAILS: false
FEATURE_BUILD_SUPPORT: false
FEATURE_CHANGE_TAG_EXPIRATION: true
FEATURE_DIRECT_LOGIN: true
FEATURE_EXTENDED_REPOSITORY_NAMES: true
FEATURE_FIPS: false
FEATURE_GENERAL_OCI_SUPPORT: true
FEATURE_GITHUB_BUILD: false
FEATURE_GITHUB_LOGIN: false
FEATURE_GITLAB_BUILD: false
FEATURE_GOOGLE_LOGIN: false
FEATURE_HELM_OCI_SUPPORT: true
FEATURE_INVITE_ONLY_USER_CREATION: false
FEATURE_MAILING: false
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false
FEATURE_PARTIAL_USER_AUTOCOMPLETE: true
FEATURE_PROXY_CACHE: true
FEATURE_PROXY_STORAGE: true
FEATURE_QUOTA_MANAGEMENT: true
FEATURE_REPO_MIRROR: true
FEATURE_RESTRICTED_USERS: true
FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
FEATURE_STORAGE_REPLICATION: false
FEATURE_SUPERUSERS_FULL_ACCESS: true
FEATURE_TEAM_SYNCING: false
FEATURE_UI_V2: true
FEATURE_USER_CREATION: true
FEATURE_USER_INITIALIZE: true
FEATURE_USER_LAST_ACCESSED: true
FEATURE_USER_LOG_ACCESS: false
FEATURE_USER_METADATA: false
FEATURE_USER_RENAME: false
FEATURE_USERNAME_CONFIRMATION: true
FRESH_LOGIN_TIMEOUT: 10m
GITHUB_LOGIN_CONFIG: {}
GITHUB_TRIGGER_CONFIG: {}
GITLAB_TRIGGER_KIND: {}
LDAP_ADMIN_DN: cn=admin,dc=example,dc=org
LDAP_ADMIN_PASSWD: admin
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
- dc=example
- dc=org
LDAP_EMAIL_ATTR: mail
LDAP_RESTRICTED_USER_FILTER: (&(employeeType=vendor)(postalCode=98666))
LDAP_SUPERUSER_FILTER: (&(employeeType=managers)(postalCode=96520))
LDAP_UID_ATTR: uid
LDAP_URI: ldap://quayldap.qe.devcluster.openshift.com
LDAP_USER_RDN:
- ou=usateam
LOGS_MODEL: database
LOGS_MODEL_CONFIG: {}
MAIL_DEFAULT_SENDER: support@quay.io
MAIL_PORT: 587
MAIL_USE_AUTH: false
MAIL_USE_TLS: false
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Red Hat Quay
REGISTRY_TITLE_SHORT: Red Hat Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SEARCH_MAX_RESULT_PAGE_COUNT: 10
SEARCH_RESULTS_PER_PAGE: 10
SECRET_KEY: mKCSa7KVqRrroJYkttV80DxeKj9c100S0Ak4GVgFQ9BNu98FBamqoq3RfO0xBpPHtD36SiShNpSOGyxE
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quayregistry-clair-app.quay-enterprise-13399.svc.cluster.local
SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
- admin
SECURITY_SCANNER_V4_PSK: RFBKRkk3emVrVE1zTVJLVG40YXRWSXMwbW1xWS14VFQ=
SERVER_HOSTNAME: quayregistry-quay-quay-enterprise-13399.apps.quaytest-13399.qe.devcluster.openshift.com
SETUP_COMPLETE: true
SUPER_USERS:
- quay
- admin
TAG_EXPIRATION_OPTIONS:
- 2w
TEAM_RESYNC_STALE_TIME: 60m
TESTING: false
USER_EVENTS_REDIS:
  host: quayregistry-quay-redis
  port: 6379
USER_RECOVERY_TOKEN_LIFETIME: 30m
- is caused by: PROJQUAY-4767 Quay 3.8.0 restricted user white list doesn't work when using LDAP_RESTRICTED_USER_FILTER (Closed)