Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7135

getAggregateOrgLogs api with super user token doesn't work when enable FEATURE_SUPERUSERS_FULL_ACCESS

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • quay-v3.11.2
    • quay-v3.11.0
    • quay

      Description of problem:

      When enable FEATURE_SUPERUSERS_FULL_ACCESS, getAggregateOrgLogs api with super user token doesn't work  against organization created by normal user.  

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18)
------------------------------ 
registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
------------------------------
registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. enable FEATURE_SUPERUSERS_FULL_ACCESS in quay config.yaml

      FEATURE_SUPERUSERS_FULL_ACCESS: true 
SUPER_USERS:
  - whuquay

      2. Create a normal user "user1" and a super user "whuquay".

      3. log in quay by normal user "user1" and create a repository "user1_org/user1_repo"

      4. push a image to repository "user1_org/user1_repo"

      5. call  getAggregateOrgLogs API with super user token against organization "user1_org". 

      Actual results:

      Super user can't get aggregate logs of organization created by normal user by calling api "GET /api/v1/organization/{orgname}/aggregatelogs" when enable FEATURE_SUPERUSERS_FULL_ACCESS

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
-> normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan
->
-> Specific organization AggregateOrgLogs
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=

$ curl -k  -X GET -H "Content-Type: application/json" -H "Authorization: Bearer XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG" https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org/aggregatelogs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   271  100   271    0     0    270      0  0:00:01  0:00:01 --:--:--   270
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}

       

      Expected results

      Super user can get aggregate logs of organization created by normal  by calling api "GET /api/v1/organization/{orgname}/aggregatelogs" when enable FEATURE_SUPERUSERS_FULL_ACCESS

      Additional Information:

      Normal user "user1" can  get aggregate organization logs  by calling api "GET /api/v1/organization/{orgname}/aggregatelogs" successfully. 

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
-> normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan
->
-> Specific organization AggregateOrgLogs
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=

% curl -k  -X GET -H "Content-Type: application/json" -H "Authorization: Bearer KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan" https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org/aggregatelogs|jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   816  100   816    0     0    811      0  0:00:01  0:00:01 --:--:--   812
{
  "aggregated": [
    {
      "kind": "add_repo_notification",
      "count": 1,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    },
    {
      "kind": "create_application",
      "count": 1,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    },
    {
      "kind": "create_prototype_permission",
      "count": 1,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    },
    {
      "kind": "create_repo",
      "count": 1,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    },
    {
      "kind": "create_robot",
      "count": 1,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    },
    {
      "kind": "org_add_team_member",
      "count": 1,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    },
    {
      "kind": "org_create_team",
      "count": 1,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    },
    {
      "kind": "push_repo",
      "count": 2,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    },
    {
      "kind": "org_create",
      "count": 1,
      "datetime": "Tue, 07 May 2024 00:00:00 -0000"
    }
  ]
}

              bcaton@redhat.com Brandon Caton
              rhwhu Weihua Hu
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: