Project Quay: PROJQUAY-6976

Org owner can change ownership of API tokens


    • Type: Epic
    • Resolution: Done-Errata
    • Priority: Critical
    • quay
    • quay-superuser-token-owernship
    • Status: To Do
    • RFE-4330 Superusers can change API token ownership
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      • Allow org owners to take control of API tokens created by other users

      Why is this important?

      • Organization owners can create OAuth tokens, and the tokens are assigned to the token creator. When the token is created for and used by some organization member, the action is logged to the token creator. In restricted environments, where only dedicated registry administrators are organization owners, this is undesirable because auditing becomes inaccurate. For accuracy, token ownership should be mutable and reassignable by a superuser.

      Scenarios

      1. An API token created by an organization owner can be changed by the superuser
      2. Audit logs properly reflect which member of an organization used the token, after token reassignment

      Acceptance Criteria

      • Org owners can create a token on behalf of another user inside the organization
      • Tokens created on behalf of another user are only assigned at the point in time of creation; they still need to be fully resolved by the assigned user stepping through the OAuth flow
      • Superusers can also use this flow if they own the organization; there is no separate superuser flow for now
      • An existing token's ownership cannot be changed
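An added illustration, not Quay's own code: a hypothetical Python model of the flow the acceptance criteria describe. An org owner creates a token assigned to a member, the token is unusable until that member completes the OAuth flow, every use is audit-logged to the assignee rather than the creating owner, and the assignment is fixed at creation. The service, class and action names, the organization and the users are all constructed for this example.

```python
# Added illustration (not Quay's code): a minimal model of API tokens created
# on behalf of an organization member, with audit attribution to the assignee.
from dataclasses import dataclass, replace, FrozenInstanceError
from enum import Enum
from typing import Dict, List, Set


class TokenState(Enum):
    PENDING = "pending"   # created on behalf of a user; OAuth flow not yet completed
    ACTIVE = "active"     # the assigned user stepped through the OAuth flow


@dataclass(frozen=True)
class ApiToken:
    token_id: str
    org: str
    created_by: str    # org owner who created the token
    assigned_to: str   # member who must authorize it and to whom its use is attributed
    state: TokenState = TokenState.PENDING


@dataclass(frozen=True)
class AuditEntry:
    action: str
    actor: str         # the principal the action is attributed to
    token_id: str


class TokenService:
    """Hypothetical service enforcing the acceptance criteria above."""

    def __init__(self, org_owners: Dict[str, Set[str]], org_members: Dict[str, Set[str]]):
        self.org_owners = org_owners
        self.org_members = org_members
        self.tokens: Dict[str, ApiToken] = {}
        self.audit_log: List[AuditEntry] = []

    def create_token_for(self, org: str, creator: str, assignee: str, token_id: str) -> ApiToken:
        # Only an org owner may create a token on behalf of someone else,
        # and the assignee must already be a member of that org.
        if creator not in self.org_owners.get(org, set()):
            raise PermissionError(f"{creator} is not an owner of {org}")
        if assignee not in self.org_members.get(org, set()):
            raise ValueError(f"{assignee} is not a member of {org}")
        token = ApiToken(token_id, org, created_by=creator, assigned_to=assignee)
        self.tokens[token_id] = token
        # Creation itself is the owner's action, so it is logged to the owner.
        self.audit_log.append(AuditEntry("oauth_token.create", creator, token_id))
        return token

    def complete_oauth_flow(self, token_id: str, user: str) -> ApiToken:
        # The token is assigned only at creation; it becomes usable once the
        # assigned user finishes the OAuth authorization flow themselves.
        token = self.tokens[token_id]
        if user != token.assigned_to:
            raise PermissionError(f"{user} may not authorize a token assigned to {token.assigned_to}")
        token = replace(token, state=TokenState.ACTIVE)   # frozen record: assignment never changes
        self.tokens[token_id] = token
        self.audit_log.append(AuditEntry("oauth_token.authorize", user, token_id))
        return token

    def use_token(self, token_id: str, action: str) -> AuditEntry:
        # Every use is attributed to the assigned member, not the creating owner.
        token = self.tokens[token_id]
        if token.state is not TokenState.ACTIVE:
            raise PermissionError(f"token {token_id} has not been authorized by {token.assigned_to}")
        entry = AuditEntry(action, token.assigned_to, token_id)
        self.audit_log.append(entry)
        return entry


def demo() -> TokenService:
    """Walk the scenario: owner creates a token for a member, member authorizes and uses it."""
    svc = TokenService(org_owners={"acme": {"admin"}},
                       org_members={"acme": {"admin", "alice"}})
    svc.create_token_for("acme", creator="admin", assignee="alice", token_id="tok-1")
    try:
        svc.use_token("tok-1", "repo.push")      # rejected: alice has not authorized it yet
    except PermissionError:
        pass
    svc.complete_oauth_flow("tok-1", user="alice")
    svc.use_token("tok-1", "repo.push")          # attributed to alice, not admin
    return svc


if __name__ == "__main__":
    for e in demo().audit_log:
        print(f"{e.action:24} actor={e.actor:6} token={e.token_id}")
```

The audit log produced by `demo()` shows the attribution the epic asks for: the creation entry names the owner, while the authorization and the later push name the member the token was assigned to. Because `ApiToken` is a frozen dataclass and the service exposes no reassignment path, the "existing token's ownership cannot be changed" criterion holds by construction.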

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              bcaton@redhat.com Brandon Caton
              doconnor@redhat.com Dave O'Connor