Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7139

deleteAdminedOrganization api with super user token doesn't work when enable FEATURE_SUPERUSERS_FULL_ACCESS

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • quay-v3.11.2
    • quay-v3.11.0
    • quay

      Description of problem:

      When enable FEATURE_SUPERUSERS_FULL_ACCESS, deleteAdminedOrganization api with super user token doesn't work  against organization created by normal user. 

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18)
------------------------------ 
registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
------------------------------
registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. enable FEATURE_SUPERUSERS_FULL_ACCESS in quay config.yaml

      FEATURE_SUPERUSERS_FULL_ACCESS: true 
SUPER_USERS:
  - whuquay

      2. Create a normal user "user1" and a super user "whuquay".

      3. log in quay by normal user "user1" and create a organization "user1_org"

      4. Call deleteAdminedOrganization API with super user token against organization "user1_org". 

      Actual results:

      Super user can't delete organization created by normal user by calling api "DELETE /api/v1/organization/{orgname}" when enable FEATURE_SUPERUSERS_FULL_ACCESS

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
-> normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan
->
-> delete organization by super user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
%  curl -k  -X DELETE -H "Content-Type: application/json" -H "Authorization: Bearer XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG" https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org1|jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   271  100   271    0     0    307      0 --:--:-- --:--:-- --:--:--   306
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}

      Expected results

      Super user can delete organization created by normal user by calling api "DELETE /api/v1/organization/{orgname}" when enable FEATURE_SUPERUSERS_FULL_ACCESS

      Additional Information:

      Normal user "user1" can delete organization by calling api "DELETE /api/v1/organization/{orgname}" successfully.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
-> normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan
->
-> delete organization by normal user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= 

%% curl -k  -X DELETE -H "Content-Type: application/json" -H "Authorization: Bearer KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan" https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org1 |jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    

              bcaton@redhat.com Brandon Caton
              rhwhu Weihua Hu
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: