- Bug
- Resolution: Done
- Blocker
- quay-v3.8.0
Description:
This issue concerns the Quay 3.8.0 feature "restricted users". With Quay configured for LDAP authentication and the flag "FEATURE_RESTRICTED_USERS: true" set, all LDAP users were found to be unrestricted; in this condition every LDAP user should be restricted.
FEATURE_RESTRICTED_USERS: true
Deliverable: "if the auth is LDAP and you enable the feature flag, it will apply to all users unless they are on the whitelist"
Quay Image: quay-operator-bundle-container-v3.8.0-121
LDAP users are not restricted when "FEATURE_RESTRICTED_USERS" is enabled
Quay config.yaml:

ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
ALLOWED_OCI_ARTIFACT_TYPES:
  application/vnd.cncf.helm.config.v1+json:
  - application/tar+gzip
  application/vnd.oci.image.layer.v1.tar+gzip+encrypted:
  - application/vnd.oci.image.layer.v1.tar+gzip+encrypted
AUTHENTICATION_TYPE: LDAP
BUILDLOGS_REDIS:
  host: quay380-quay-redis
  port: 6379
CREATE_NAMESPACE_ON_PUSH: true
CREATE_PRIVATE_REPO_ON_PUSH: true
DATABASE_SECRET_KEY: QXXcAUmEpEURS10x3Oa7Yb7vIVKZGQSHuqaXX91CoMGsIWtmrQ97fPW-Ro3HNNSinCjuBfMYq1r67NVz
DB_CONNECTION_ARGS:
  autorollback: true
  threadlocals: true
DB_URI: postgresql://quay380-quay-database:tfbOSwKfnYkW4EAWVMwHAEVYSaxf1CMgS9sIJF0zYaDHGPidj4FBHfidyajy-CrH1PqFczQeDF5bkl18@quay380-quay-database:5432/quay380-quay-database
DEFAULT_SYSTEM_REJECT_QUOTA_BYTES: 902400000
DEFAULT_TAG_EXPIRATION: 4w
DISTRIBUTED_STORAGE_CONFIG:
  default:
  - S3Storage
  - host: s3.us-east-2.amazonaws.com
    s3_access_key: ******
    s3_bucket: quay380
    s3_secret_key: ******
    storage_path: /quay380
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- default
DISTRIBUTED_STORAGE_PREFERENCE:
- default
ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
EXTERNAL_TLS_TERMINATION: true
FEATURE_BUILD_SUPPORT: false
FEATURE_DIRECT_LOGIN: true
FEATURE_EXTENDED_REPOSITORY_NAMES: true
FEATURE_GENERAL_OCI_SUPPORT: true
FEATURE_HELM_OCI_SUPPORT: true
FEATURE_MAILING: false
FEATURE_PROXY_CACHE: true
FEATURE_QUOTA_MANAGEMENT: true
FEATURE_REPO_MIRROR: true
FEATURE_RESTRICTED_USERS: true
FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
FEATURE_USER_INITIALIZE: true
LDAP_ADMIN_DN: cn=admin,dc=example,dc=org
LDAP_ADMIN_PASSWD: admin
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
- dc=example
- dc=org
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://quayldap.qe.devcluster.openshift.com
LDAP_USER_RDN:
- ou=usateam
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Red Hat Quay
REGISTRY_TITLE_SHORT: Red Hat Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SECRET_KEY: k02wE02lITPRBBrcBOPihJkgkY-uDtlnrPVlr6QSgduuIyvuj0ytrA53lQe963S1n4pCzIn-OkAhXaNz
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quay380-clair-app.quay-enterprise-13401.svc.cluster.local
SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
- admin
SECURITY_SCANNER_V4_PSK: V3VKTG9KS1lINFEycENqR3dGVzhoOGpPMWp0Mi1XQ2g=
SERVER_HOSTNAME: quay380-quay-quay-enterprise-13401.apps.quaytest-13401.qe.devcluster.openshift.com
SETUP_COMPLETE: true
SUPER_USERS:
- quay
TAG_EXPIRATION_OPTIONS:
- 2w
- 4w
- 8w
TEAM_RESYNC_STALE_TIME: 60m
TESTING: false
USER_EVENTS_REDIS:
  host: quay380-quay-redis
  port: 6379
USERFILES_LOCATION: default
USERFILES_PATH: userfiles/
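The deliverable quoted above, written out as a check that compares the restriction state a registry reports for each user against the state the rule requires. This is an added example, not Quay's code; the config dict, the user list and the observed flags are constructed, and the key name RESTRICTED_USERS_WHITELIST is assumed for the "whitelist" the deliverable mentions (the report's config.yaml carries no whitelist key).

```python
"""Expected 'restricted user' state for a Quay configuration.

Rule from the report: with LDAP authentication and FEATURE_RESTRICTED_USERS
enabled, every user is restricted unless listed in the whitelist.
"""

# Constructed config reduced to the keys that decide this behaviour. The values
# mirror the report's config.yaml; RESTRICTED_USERS_WHITELIST is an assumed key
# name for the whitelist and is constructed here, not taken from the report.
CONFIG = {
    "AUTHENTICATION_TYPE": "LDAP",
    "FEATURE_RESTRICTED_USERS": True,
    "RESTRICTED_USERS_WHITELIST": ["quay"],
}


def expected_restricted(config, username):
    """Return True when the deliverable requires this user to be restricted."""
    if not config.get("FEATURE_RESTRICTED_USERS", False):
        return False  # feature off: nobody is restricted
    if config.get("AUTHENTICATION_TYPE") != "LDAP":
        # The report states the rule for LDAP auth only; refuse to guess.
        raise ValueError("rule in this report is stated for LDAP auth only")
    whitelist = set(config.get("RESTRICTED_USERS_WHITELIST") or [])
    return username not in whitelist


def find_mismatches(config, observed):
    """observed maps username -> restricted flag as the registry reports it.

    Returns the users whose observed flag contradicts the expected one; a
    non-empty result reproduces the symptom described in this bug.
    """
    return sorted(
        user for user, flag in observed.items()
        if flag != expected_restricted(config, user)
    )


# Constructed observation matching the report: no LDAP user is restricted.
OBSERVED = {"alice": False, "bob": False, "quay": False}

if __name__ == "__main__":
    print("users with wrong restriction state:", find_mismatches(CONFIG, OBSERVED))
```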