- Bug
- Resolution: Done
- Major
- quay-v3.11.0
- False
- None
- False
- PROJQUAY-6961 - Implement GLOBAL_READONLY_SUPER_USERS feature for LDAP users
Description of problem:
When FEATURE_SUPERUSERS_FULL_ACCESS is enabled, the listOrgLogs API called with a super user token doesn't work against an organization created by a normal user.
Version-Release number of selected component (if applicable):
quay-operator-bundle-container-v3.11.1-18)
registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7
How reproducible:
1. Enable FEATURE_SUPERUSERS_FULL_ACCESS in the Quay config.yaml:
    FEATURE_SUPERUSERS_FULL_ACCESS: true
    SUPER_USERS:
      - whuquay
2. Create a normal user "user1" and a super user "whuquay".
3. Log in to Quay as normal user "user1" and create a repository "user1_org/user1_repo".
4. Push an image to repository "user1_org/user1_repo".
5. Call the listOrgLogs API with the super user token against organization "user1_org".
Actual results:
The super user can't get the logs of an organization created by a normal user by calling the API "GET /api/v1/organization/{orgname}/logs" when FEATURE_SUPERUSERS_FULL_ACCESS is enabled.
    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
    -> super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
    -> normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan
    ->
    -> Specific organization logs
    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
    $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG" https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org/logs
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   271  100   271    0     0    265      0  0:00:01  0:00:01 --:--:--   265
    {
      "detail": "Unauthorized",
      "error_message": "Unauthorized",
      "error_type": "insufficient_scope",
      "title": "insufficient_scope",
      "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
      "status": 403
    }
Expected results
The super user can get the logs of an organization created by a normal user by calling the API "GET /api/v1/organization/{orgname}/logs" when FEATURE_SUPERUSERS_FULL_ACCESS is enabled.
Additional Information:
Normal user "user1" can get the organization logs by calling the API "GET /api/v1/organization/{orgname}/logs" successfully.
    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
    -> super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
    -> normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan
    ->
    -> Specific organization logs
    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
    ------------------------------
    $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan" https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org/logs
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  5486  100  5486    0     0    734      0  0:00:07  0:00:07 --:--:--  1305
    {
      "start_time": "Mon, 06 May 2024 06:34:48 -0000",
      "end_time": "Wed, 08 May 2024 06:34:48 -0000",
      "logs": [
        {
          "kind": "add_repo_notification",
          "metadata": { "repo": "user1_repo", "namespace": "user1_org", "notification_id": "7187e9ba-e9ef-4d98-9dac-2c93a03dd9eb", "event": "repo_push", "method": "webhook", "oauth_token_id": 3, "oauth_token_application_id": "LTL400RYF7G9S3HTBNRL", "oauth_token_application": "curl" },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:14:44 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "create_application",
          "metadata": { "name": "user1_application", "application_name": "user1_application", "client_id": "ZLX0EGGTGFJDJA8J758Z", "oauth_token_id": 3, "oauth_token_application_id": "LTL400RYF7G9S3HTBNRL", "oauth_token_application": "curl" },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:14:40 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "create_prototype_permission",
          "metadata": { "prototypeid": "88f31ad8-85a6-4538-9436-221d7ef936fa", "username": "user1", "activating_username": "user1_org+user1_robot", "role": "read", "delegate_team": "user1_team", "oauth_token_id": 3, "oauth_token_application_id": "LTL400RYF7G9S3HTBNRL", "oauth_token_application": "curl" },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:14:37 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "create_robot",
          "metadata": { "robot": "user1_robot", "description": null, "unstructured_metadata": null, "oauth_token_id": 3, "oauth_token_application_id": "LTL400RYF7G9S3HTBNRL", "oauth_token_application": "curl" },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:14:36 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "org_add_team_member",
          "metadata": { "member": "user2", "team": "user1_team", "oauth_token_id": 3, "oauth_token_application_id": "LTL400RYF7G9S3HTBNRL", "oauth_token_application": "curl" },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:14:35 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "org_create_team",
          "metadata": { "team": "user1_team", "oauth_token_id": 3, "oauth_token_application_id": "LTL400RYF7G9S3HTBNRL", "oauth_token_application": "curl" },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:14:33 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "push_repo",
          "metadata": { "repo": "user1_repo", "namespace": "user1_org", "user-agent": "skopeo/1.14.2", "tag": "v2", "username": "user1", "resolved_ip": { "provider": "internet", "service": null, "sync_token": "1645662201", "country_iso_code": null, "aws_region": null, "continent": null } },
          "ip": "10.131.0.5",
          "datetime": "Tue, 07 May 2024 05:14:31 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "push_repo",
          "metadata": { "repo": "user1_repo", "namespace": "user1_org", "user-agent": "skopeo/1.14.2", "tag": "v1", "username": "user1", "resolved_ip": { "provider": "internet", "service": null, "sync_token": "1645662201", "country_iso_code": null, "aws_region": null, "continent": null } },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:13:59 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "create_repo",
          "metadata": { "repo": "user1_repo", "namespace": "user1_org", "oauth_token_id": 3, "oauth_token_application_id": "LTL400RYF7G9S3HTBNRL", "oauth_token_application": "curl" },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:13:38 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        },
        {
          "kind": "org_create",
          "metadata": { "email": "user1_org@bogus.com", "namespace": "user1_org", "oauth_token_id": 3, "oauth_token_application_id": "LTL400RYF7G9S3HTBNRL", "oauth_token_application": "curl" },
          "ip": "10.128.2.7",
          "datetime": "Tue, 07 May 2024 05:13:37 -0000",
          "performer": { "kind": "user", "name": "user1", "is_robot": false, "avatar": { "name": "user1", "hash": "ec5c561a29086fa12280fca495b12fdd12c9cafb99182cd9307a3c2788197b9f", "color": "#e377c2", "kind": "user" } }
        }
      ],
      "next_page": "gAAAAABmOcuIIorkgwYcBVTS-4nugtQNao2uE6qkue6SEYQGnxnP3glO4afR1l67afPX6CNhY8IQT2ZeDy_2riDprIFuNg9ijA=="
    }
- relates to
  - PROJQUAY-7356 Improve support for quay superuser full access (New)
- links to
  - RHBA-2024:3938 Red Hat Quay v3.11.2 bug fix release
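
A regression check for the behaviour reported in the description above, as an added example that is not part of the original report or of Quay's code: it sends the same "GET /api/v1/organization/{orgname}/logs" request with the organization member's token and with the super user's token, then classifies the outcome. The function names, the `fetch` hook and the result labels are assumptions of this example; unlike the `curl -k` calls in the report, it leaves TLS certificate verification on.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http_get_json(url, token):
    """GET url with a bearer token; return (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # The API answers 4xx with a JSON error document (see the 403 above).
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:
            return err.code, {}


def check_superuser_org_logs(base_url, org, superuser_token, member_token,
                             fetch=http_get_json):
    """Classify listOrgLogs access for a super user on another user's org.

    Returns "ok", "superuser-denied" (the behaviour in this report) or
    "inconclusive". `fetch` is injectable so the check can run offline.
    """
    org_path = urllib.parse.quote(org, safe="")
    url = f"{base_url.rstrip('/')}/api/v1/organization/{org_path}/logs"

    # Control request: the org's own member must be able to read the logs,
    # otherwise a super user failure says nothing about super user handling.
    member_status, member_body = fetch(url, member_token)
    if member_status != 200 or "logs" not in member_body:
        return "inconclusive"

    su_status, su_body = fetch(url, superuser_token)
    if su_status == 200 and "logs" in su_body:
        return "ok"
    if su_status == 403 and su_body.get("error_type") == "insufficient_scope":
        return "superuser-denied"
    return "inconclusive"
```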