  1. Project Quay
  2. PROJQUAY-4768

Quay 3.8.0: an LDAP user is still treated as a restricted user even when the user does not match LDAP_RESTRICTED_USER_FILTER


    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • None
    • quay-v3.8.0
    • quay
    • False
    • None
    • False
    • Approved

      Description:

      This is an issue with the Quay 3.8.0 "Restricted Users" feature. With FEATURE_RESTRICTED_USERS enabled and an LDAP_RESTRICTED_USER_FILTER configured, LDAP users that do NOT match the restricted-user filter are nevertheless treated as restricted users. Please review this issue.

      Quay Image:  quay-operator-bundle-container-v3.8.0-119

      # Settings relevant to the report (the full config.yaml follows below).
      # "testuser" is outside the restricted-user filter yet ends up restricted.
      FEATURE_RESTRICTED_USERS: true
      LDAP_RESTRICTED_USER_FILTER: '(&(employeeType=vendor)(postalCode=98666))'
      LDAP_SUPERUSER_FILTER: '(&(employeeType=managers)(postalCode=96520))'
      LDAP user "testuser" does not match LDAP_RESTRICTED_USER_FILTER (so it is expected NOT to be a restricted user):

      Quay Config.yaml:

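      # Quay config.yaml of the failing instance (quay-operator-bundle v3.8.0).
      # NOTE(review): the original paste contained live secrets (DATABASE_SECRET_KEY,
      # the DB_URI password, S3 access/secret keys, the LDAP bind password, SECRET_KEY
      # and the Clair PSK). They are replaced with REDACTED here; because this ticket
      # is public, the originals should be treated as compromised and rotated.
      ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
      AUTHENTICATION_TYPE: LDAP
      AVATAR_KIND: local
      BROWSER_API_CALLS_XHR_ONLY: false
      BUILDLOGS_REDIS:
        host: quayregistry-quay-redis
        port: 6379
      # Pushes auto-create namespaces and repositories.
      CREATE_NAMESPACE_ON_PUSH: true
      CREATE_PRIVATE_REPO_ON_PUSH: true
      CREATE_REPOSITORY_ON_PUSH_PUBLIC: true
      DATABASE_SECRET_KEY: 'REDACTED'
      DB_CONNECTION_ARGS:
        autorollback: true
        threadlocals: true
      # postgresql://<user>:<password>@<host>:<port>/<db> — password redacted.
      DB_URI: 'postgresql://quayregistry-quay-database:REDACTED@quayregistry-quay-database:5432/quayregistry-quay-database'
      DEFAULT_TAG_EXPIRATION: 2w
      DISTRIBUTED_STORAGE_CONFIG:
        local_us:
        - RHOCSStorage
        - access_key: 'REDACTED'
          bucket_name: quay-datastore-963dcadd-052e-479f-a196-b3d526eb51e2
          hostname: s3.openshift-storage.svc.cluster.local
          is_secure: true
          port: 443
          secret_key: 'REDACTED'
          storage_path: /datastorage/registry
      DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
      - local_us
      DISTRIBUTED_STORAGE_PREFERENCE:
      - local_us
      ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
      EXTERNAL_TLS_TERMINATION: true
      FEATURE_ACTION_LOG_ROTATION: false
      # Anonymous (unauthenticated) access is enabled.
      FEATURE_ANONYMOUS_ACCESS: true
      FEATURE_APP_SPECIFIC_TOKENS: true
      FEATURE_BITBUCKET_BUILD: false
      FEATURE_BLACKLISTED_EMAILS: false
      FEATURE_BUILD_SUPPORT: false
      FEATURE_CHANGE_TAG_EXPIRATION: true
      FEATURE_DIRECT_LOGIN: true
      FEATURE_EXTENDED_REPOSITORY_NAMES: true
      FEATURE_FIPS: false
      FEATURE_GENERAL_OCI_SUPPORT: true
      FEATURE_GITHUB_BUILD: false
      FEATURE_GITHUB_LOGIN: false
      FEATURE_GITLAB_BUILD: false
      FEATURE_GOOGLE_LOGIN: false
      FEATURE_HELM_OCI_SUPPORT: true
      FEATURE_INVITE_ONLY_USER_CREATION: false
      FEATURE_MAILING: false
      FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false
      FEATURE_PARTIAL_USER_AUTOCOMPLETE: true
      FEATURE_PROXY_CACHE: true
      FEATURE_PROXY_STORAGE: true
      FEATURE_QUOTA_MANAGEMENT: true
      FEATURE_REPO_MIRROR: true
      # Feature under test. Note that no RESTRICTED_USERS_WHITELIST key is present in
      # this config; the only restricted-user selector is LDAP_RESTRICTED_USER_FILTER.
      FEATURE_RESTRICTED_USERS: true
      FEATURE_SECURITY_NOTIFICATIONS: true
      FEATURE_SECURITY_SCANNER: true
      FEATURE_STORAGE_REPLICATION: false
      # Superusers (SUPER_USERS below, plus anyone matching LDAP_SUPERUSER_FILTER)
      # get full access to all content.
      FEATURE_SUPERUSERS_FULL_ACCESS: true
      FEATURE_TEAM_SYNCING: false
      FEATURE_UI_V2: true
      FEATURE_USER_CREATION: true
      FEATURE_USER_INITIALIZE: true
      FEATURE_USER_LAST_ACCESSED: true
      FEATURE_USER_LOG_ACCESS: false
      FEATURE_USER_METADATA: false
      FEATURE_USER_RENAME: false
      FEATURE_USERNAME_CONFIRMATION: true
      FRESH_LOGIN_TIMEOUT: 10m
      GITHUB_LOGIN_CONFIG: {}
      GITHUB_TRIGGER_CONFIG: {}
      GITLAB_TRIGGER_KIND: {}
      LDAP_ADMIN_DN: cn=admin,dc=example,dc=org
      # Bind password redacted (the pasted value was a trivial default).
      LDAP_ADMIN_PASSWD: 'REDACTED'
      LDAP_ALLOW_INSECURE_FALLBACK: false
      LDAP_BASE_DN:
      - dc=example
      - dc=org
      LDAP_EMAIL_ATTR: mail
      # Users matching this filter are the ones expected to be restricted;
      # per the report, "testuser" does not match it but is restricted anyway.
      LDAP_RESTRICTED_USER_FILTER: (&(employeeType=vendor)(postalCode=98666))
      LDAP_SUPERUSER_FILTER: (&(employeeType=managers)(postalCode=96520))
      LDAP_UID_ATTR: uid
      # ldap:// rather than ldaps://. NOTE(review): unless Quay upgrades this connection
      # with STARTTLS, the bind password and every user's login password cross the
      # network in clear — confirm; LDAP_ALLOW_INSECURE_FALLBACK is false, which
      # presumably stops a failed TLS upgrade from silently falling back to plaintext.
      LDAP_URI: ldap://quayldap.qe.devcluster.openshift.com
      LDAP_USER_RDN:
      - ou=usateam
      LOGS_MODEL: database
      LOGS_MODEL_CONFIG: {}
      MAIL_DEFAULT_SENDER: support@quay.io
      MAIL_PORT: 587
      MAIL_USE_AUTH: false
      MAIL_USE_TLS: false
      PREFERRED_URL_SCHEME: https
      REGISTRY_TITLE: Red Hat Quay
      REGISTRY_TITLE_SHORT: Red Hat Quay
      REPO_MIRROR_INTERVAL: 30
      REPO_MIRROR_TLS_VERIFY: true
      SEARCH_MAX_RESULT_PAGE_COUNT: 10
      SEARCH_RESULTS_PER_PAGE: 10
      SECRET_KEY: 'REDACTED'
      SECURITY_SCANNER_INDEXING_INTERVAL: 30
      # Plain http to Clair inside the cluster; authenticated with the PSK below.
      SECURITY_SCANNER_V4_ENDPOINT: http://quayregistry-clair-app.quay-enterprise-13399.svc.cluster.local
      SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
      - admin
      SECURITY_SCANNER_V4_PSK: 'REDACTED'
      SERVER_HOSTNAME: quayregistry-quay-quay-enterprise-13399.apps.quaytest-13399.qe.devcluster.openshift.com
      SETUP_COMPLETE: true
      SUPER_USERS:
      - quay
      - admin
      TAG_EXPIRATION_OPTIONS:
      - 2w
      TEAM_RESYNC_STALE_TIME: 60m
      TESTING: false
      USER_EVENTS_REDIS:
        host: quayregistry-quay-redis
        port: 6379
      USER_RECOVERY_TOKEN_LIFETIME: 30m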

              sleesinc Kenny Lee Sin Cheong
              lzha1981 luffy zhang
