- Bug
- Resolution: Done
- Major
- quay-v3.11.0
- False
- None
- False
- PROJQUAY-6961 - Implement GLOBAL_READONLY_SUPER_USERS feature for LDAP users
Description of problem:
When FEATURE_SUPERUSERS_FULL_ACCESS is enabled, the changeOrganizationDetails API called with a super user token doesn't work against an organization created by a normal user.
Version-Release number of selected component (if applicable):
    quay-operator-bundle-container-v3.11.1-18)
    registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
    registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7
How reproducible:
1. Enable FEATURE_SUPERUSERS_FULL_ACCESS in the Quay config.yaml:

    FEATURE_SUPERUSERS_FULL_ACCESS: true
    SUPER_USERS:
      - whuquay
    FEATURE_MAILING: true
    MAIL_DEFAULT_SENDER: quay_qe@163.com
    MAIL_PASSWORD: .......
    MAIL_PORT: 25
    MAIL_SERVER: smtp.163.com
    MAIL_USE_AUTH: true
    MAIL_USE_TLS: true
    MAIL_USERNAME: quay_qe@163.com

2. Create a normal user "user1" and a super user "whuquay".
3. Log in to Quay as normal user "user1" and create an organization "user1_org".
4. Call the changeOrganizationDetails API with the super user token against organization "user1_org".
Actual results:
The super user can't update an organization created by a normal user by calling API "PUT /api/v1/organization/{orgname}" when FEATURE_SUPERUSERS_FULL_ACCESS is enabled.
    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
    -> super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
    -> normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan
    ->
    -> update organization by super user
    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=

    % curl -k -X PUT -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG" --data '{"email":"updateemail@bogus.com"}' https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org|jq .
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   304  100   271  100    33    290     35 --:--:-- --:--:-- --:--:--   325
    {
      "detail": "Unauthorized",
      "error_message": "Unauthorized",
      "error_type": "insufficient_scope",
      "title": "insufficient_scope",
      "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
      "status": 403
    }
Expected results:
The super user can update an organization created by a normal user by calling API "PUT /api/v1/organization/{orgname}" when FEATURE_SUPERUSERS_FULL_ACCESS is enabled.
Additional Information:
Normal user "user1" can update organization by calling API "PUT /api/v1/organization/{orgname}" successfully.
    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
    -> super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
    -> normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan
    ->
    -> update organization by normal user
    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=

    % curl -k -X PUT -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan" --data '{"email":"updateemail@bogus.com"}' https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org|jq .
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  1156  100  1123  100    33   1235     36 --:--:-- --:--:-- --:--:--  1271
    {
      "name": "user1_org",
      "email": "updateemail@bogus.com",
      "avatar": {
        "name": "user1_org",
        "hash": "f579c6f942b541511cd1322b22aa87beb31a3d46c6081a8380a29d23b94a2a51",
        "color": "#5254a3",
        "kind": "user"
      },
      "is_admin": true,
      "is_member": true,
      "teams": {
        "owners": {
          "name": "owners",
          "description": "",
          "role": "admin",
          "avatar": {
            "name": "owners",
            "hash": "6f0e3a8c0eb46e8834b43b03374ece43a030621d92a7437beb48f871e90f8d90",
            "color": "#c7c7c7",
            "kind": "team"
          },
          "can_view": true,
          "repo_count": 0,
          "member_count": 1,
          "is_synced": false
        },
        "user1_team": {
          "name": "user1_team",
          "description": "",
          "role": "member",
          "avatar": {
            "name": "user1_team",
            "hash": "573545c1eceaf01f637d3e0fe05eb38ee91861600fff9a8c3cbf5568a76f7868",
            "color": "#9c9ede",
            "kind": "team"
          },
          "can_view": true,
          "repo_count": 0,
          "member_count": 1,
          "is_synced": false
        }
      },
      "ordered_teams": [
        "owners",
        "user1_team"
      ],
      "invoice_email": false,
      "invoice_email_address": null,
      "tag_expiration_s": 1209600,
      "is_free_account": true,
      "quotas": [],
      "quota_report": {
        "quota_bytes": 5594576,
        "configured_quota": null,
        "running_backfill": "complete",
        "backfill_status": "complete"
      }
    }
- relates to: PROJQUAY-7356 Improve support for quay superuser full access (New)
- links to: RHBA-2024:3938 Red Hat Quay v3.11.2 bug fix release
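
A regression check for the scenario in this report, as an added example that is not part of the original issue or Quay's own code: it repeats the PUT /api/v1/organization/{orgname} call with the organization owner's token and then the super user's token, and classifies the outcome. The function names and the "ok" / "regression" / "inconclusive" verdicts are assumptions made for this example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def build_request(base_url, orgname, token, email):
    """Build the PUT /api/v1/organization/{orgname} call used in the report."""
    org = urllib.parse.quote(orgname, safe="")  # keep the name inside one path segment
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/organization/{org}",
        data=json.dumps({"email": email}).encode(),
        method="PUT",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )


def send(request, timeout=30):
    """Send the request; return (status, JSON body) for success and error replies."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a JSON body
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, {}


def check_superuser_full_access(base_url, orgname, su_token, user_token, email, send=send):
    """Classify the deployment as 'ok', 'regression' or 'inconclusive'."""
    # Baseline: the organization owner must succeed, otherwise the check proves nothing.
    status, _ = send(build_request(base_url, orgname, user_token, email))
    if status != 200:
        return "inconclusive"
    status, body = send(build_request(base_url, orgname, su_token, email))
    if status == 200:
        return "ok"
    # The failure shown in this report: HTTP 403 with error_type insufficient_scope.
    if status == 403 and isinstance(body, dict) and body.get("error_type") == "insufficient_scope":
        return "regression"
    return "inconclusive"
```

urlopen verifies TLS certificates by default, so a test cluster with a self-signed certificate needs its CA in the trust store rather than the `-k` shortcut used with curl above. Read the tokens from the environment instead of embedding them in the script.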