-
Epic
-
Resolution: Done-Errata
-
Critical
-
None
-
None
-
quay-superuser-token-owernship
-
False
-
None
-
False
-
Not Selected
-
To Do
-
RFE-4330Superusers can change API token ownership
-
0% To Do, 0% In Progress, 100% Done
Epic Goal
- Allow org owners to take control of API tokens created by other users
Why is this important?
- Organization owners can create OAuth tokens and the tokens are assigned to the token creator. When the token is created for and used by some organization member, the action is logged to the token creator. In restricted environments, where only dedicated registry administrators are organization owners, this is undesirable due to inaccurate auditing. For accuracy, token ownership should be mutable and can be reassigned by a superuser
Scenarios
- An API token created by an organization owner can be changed by the superuser
- Audit logs properly reflect which member of an organization used the token, after token reassignment
Acceptance Criteria
- Org owners can create a token on behalf of another user inside the organization
- Tokens created on behalf of another user are only assigned at the point in time of creation, they still need to be fully resolved by stepping through the OAuth flow by the assigned user
- Superusers can also leverage this flow if they own the organization, there is no extra flow for the superuser for now
- Existing token's ownership cannot be changed
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- links to
-
RHBA-2024:4525 Red Hat Quay v3.12.0 bug fix release
There are no Sub-Tasks for this issue.