  1. Project Quay
  2. PROJQUAY-5968

Disable robot accounts in Quay


    • Ability to disable robot accounts
    • Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration, User Experience
    • Green
    • To Do
    • Quay Enterprise

      Given the requirements on identity mapping to centralized objects and their respectively managed policies (expiration, passwords, ...), we are looking for a possible implementation that prevents Robot accounts in Quay from being created or used (login, pull, push, ...).

      NOTE: disabling Robots disables Repository mirroring as well! (needs a Doc note)

      • globally turn off Robot accounts

       

      Currently, `globally turn off Robot accounts` is the only applicable solution that achieves the expected functionality without major code changes.

       

      Concept, globally turn off Robot accounts:

      By adding a flag to the config bundle, we reject Robots from login, pull, and push, and from being created, even by superuser accounts.

       

      ROBOTS_DISALLOW: true 
      ROBOTS_WHITELIST: []

      All actions are then rejected, following the default behavior:

      $ podman login -u milang+test2 -p W7BTO...QA quay.example.com
      Error: logging into "quay.example.com": invalid username/password
      

      and reported in the logs:

      gunicorn-registry stdout | 2023-08-24 19:08:01,907 [253] [WARNING] [auth.credentials] Failed to validate credentials for robot milang+test2: Robot account has been disabled. Please contact your administrator.  

      To ensure that repository mirroring does not stop working when this feature is enabled, robots can be whitelisted:

      ROBOTS_DISALLOW: true
      ROBOTS_WHITELIST: 
        - milang+test3
        - milang+test4
        - milang+test6

       

      $ podman login -u milang+test3 -p TLO...QE4 quay.example.com
      Login Succeeded!
      gunicorn-registry stdout | 2023-08-29 07:53:10,450 [236] [DEBUG] [data.model.user] checking milang+test3 in ['milang+test3', 'milang+test4', 'milang+test6']
      $ podman login -u milang+test2 -p W7B...HQA quay.example.com
      Error: logging into "quay.example.com": invalid username/password
      gunicorn-registry stdout | 2023-08-29 07:53:40,538 [254] [DEBUG] [data.model.user] checking milang+test2 in ['milang+test3',  'milang+test4', 'milang+test6']
      gunicorn-registry stdout | 2023-08-29 07:53:40,538 [254] [WARNING] [auth.credentials] Failed to validate credentials for robot milang+test2: Robot account has been disabled. Please contact your administrator.
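The rejection message quoted above can be used to audit which robots are still trying to authenticate once `ROBOTS_DISALLOW` is on. The following is an added example, not code from the issue or from Quay: it assumes the WARNING text is exactly as quoted, and the function names, the `ci+builder` robot and the extra log entries are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the issue; ci+builder and the
# 07:54 / 07:55 entries are made up for illustration.
SAMPLE_LOG = """\
gunicorn-registry stdout | 2023-08-29 07:53:10,450 [236] [DEBUG] [data.model.user] checking milang+test3 in ['milang+test3', 'milang+test4', 'milang+test6']
gunicorn-registry stdout | 2023-08-29 07:53:40,538 [254] [WARNING] [auth.credentials] Failed to validate credentials for robot milang+test2: Robot account has been disabled. Please contact your administrator.
gunicorn-registry stdout | 2023-08-29 07:54:02,101 [254] [WARNING] [auth.credentials] Failed to validate credentials for robot milang+test2: Robot account has been disabled. Please contact your administrator.
gunicorn-registry stdout | 2023-08-29 07:55:17,310 [236] [WARNING] [auth.credentials] Failed to validate credentials for robot ci+builder: Robot account has been disabled. Please contact your administrator.
"""

# Assumption: the WARNING line has exactly the wording shown in the issue.
REJECTED = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \[\d+\] \[WARNING\] "
    r"\[auth\.credentials\] Failed to validate credentials for robot "
    r"(?P<robot>[^\s:]+): Robot account has been disabled\."
)

def rejected_robots(log_text):
    """Return {robot: (rejection_count, last_seen_timestamp)}."""
    counts, last = Counter(), {}
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:
            counts[m["robot"]] += 1
            last[m["robot"]] = m["ts"]  # log is chronological, so last match wins
    return {robot: (n, last[robot]) for robot, n in counts.items()}

def audit(log_text, whitelist):
    """Split rejected robots by whether the intended whitelist names them."""
    allowed = set(whitelist)
    seen = rejected_robots(log_text)
    return {
        # Clients that still depend on a disabled robot: migrate or whitelist.
        "still_attempting": sorted(r for r in seen if r not in allowed),
        # Whitelisted yet rejected: the running config differs from the intended one.
        "whitelisted_but_rejected": sorted(r for r in seen if r in allowed),
    }

if __name__ == "__main__":
    intended = ["milang+test3", "milang+test4", "milang+test6"]
    for robot, (n, ts) in sorted(rejected_robots(SAMPLE_LOG).items()):
        print(f"{robot}: {n} rejected attempt(s), last at {ts}")
    print(audit(SAMPLE_LOG, intended))
```

A robot that shows up under `whitelisted_but_rejected` is the case to check first, since a mirroring robot in that state means mirroring has stopped.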
      

       

            Unassigned Unassigned
            rhn-support-milang Michaela Lang