Description
Description of problem:
When FEATURE_SUPERUSERS_FULL_ACCESS=true is set, using a super user's token to call the APIs "POST /api/v1/repository/{repository}/build/" and "GET /api/v1/repository/{repository}/build/{build_uuid}/logs" returns a 403 error.
Version-Release number of selected component (if applicable):
Quay 3.8.0
quay-operator-bundle-container-v3.8.0-122
registry.redhat.io/quay/quay-operator-rhel8@sha256:c737de4685d63f5600919c3c435fc3db9c9f25ae9e506650a3185a84696e9a8f
registry.redhat.io/quay/quay-rhel8@sha256:a97945f7a39973f6e217ea4ecbe2fc77c81632df8104e88dc190be81d2aad3a6
Actual results:
With the super user's token, these two APIs return a 403 error.
$ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer LG1Vnn7MEQOQ1zd4Sgpphtf8cPyIeTSSKWETvb9J" --data '{"file_id": "8ba32171-eb1e-427f-99bb-d9c28dd0882c"}' https://quayregistry-quay-quay-enterprise.apps.whu410az47.qe.azure.devcluster.openshift.com/api/v1/repository/common_user_build_test/upload_dockerfile/build/ |jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   328  100   277  100    51    240     44  0:00:01  0:00:01 --:--:--   284
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu410az47.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}

$ curl -k -X GET -H "Authorization: Bearer LG1Vnn7MEQOQ1zd4Sgpphtf8cPyIeTSSKWETvb9J" https://quayregistry-quay-quay-enterprise.apps.whu410az47.qe.azure.devcluster.openshift.com/api/v1/repository/common_user_build_test/bitbucket/build/ef2a3278-7251-4747-a704-502a255041b9/logs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0    275      0  0:00:01  0:00:01 --:--:--   275
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu410az47.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
Expected results:
These two APIs should work with the super user's token.
Additional info:
With a common user's token, these two APIs work well.
$ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer uTyfyJiALYa9Kg4Ko9ShV6Z6g5lwQYrcYMAojloN" --data '{"file_id": "8ba32171-eb1e-427f-99bb-d9c28dd0882c"}' https://quayregistry-quay-quay-enterprise.apps.whu410az47.qe.azure.devcluster.openshift.com/api/v1/repository/common_user_build_test/upload_dockerfile/build/ |jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   811  100   760  100    51    597     40  0:00:01  0:00:01 --:--:--   637
{
  "id": "1d362e13-6d7a-4736-8abd-d2bbe0713468",
  "phase": "waiting",
  "started": "Thu, 01 Dec 2022 06:31:15 -0000",
  "display_name": "\"0x8DAD35E4FB746DF\"",
  "status": {},
  "subdirectory": "/Dockerfile",
  "dockerfile_path": "/Dockerfile",
  "context": "/",
  "tags": [
    "latest"
  ],
  "manual_user": "user1",
  "is_writer": true,
  "trigger": null,
  "trigger_metadata": {},
  "resource_key": "8ba32171-eb1e-427f-99bb-d9c28dd0882c",
  "pull_robot": null,
  "repository": {
    "namespace": "common_user_build_test",
    "name": "upload_dockerfile"
  },
  "error": null,
  "archive_url": "https://whusc1.blob.core.windows.net/whusc1container/quaydata/userfiles/8ba32171-eb1e-427f-99bb-d9c28dd0882c?se=2022-12-01T06%3A36%3A15Z&sp=r&sv=2019-12-12&sr=b&sig=Q4Aotpd29HLiTsr/0Ob/Gqy6h3UExeOfmQkb%2BGdNlms%3D"
}

$ curl -k -X GET -H "Authorization: Bearer uTyfyJiALYa9Kg4Ko9ShV6Z6g5lwQYrcYMAojloN" https://quayregistry-quay-quay-enterprise.apps.whu410az47.qe.azure.devcluster.openshift.com/api/v1/repository/common_user_build_test/bitbucket/build/ef2a3278-7251-4747-a704-502a255041b9/logs|jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 85077  100 85077    0     0  58714      0  0:00:01  0:00:01 --:--:-- 58673
{
  "start": 0,
  "total": 317,
  "logs": [
    {
      "message": "build-scheduled",
      "type": "phase",
      "data": {
        "datetime": "2022-12-01 06:21:25.440201"
      }
    },
    {
      "message": "unpacking",
      "type": "phase",
      "data": {
        "datetime": "2022-12-01 06:21:30.916003"
      }
    },
    ........
    {
      "message": "complete",
      "type": "phase",
      "data": {
        "datetime": "2022-12-01 06:22:20.577395"
      }
    }
  ]
}