Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7148

removeOrganizationMember API with super user token doesn't work when enable FEATURE_SUPERUSERS_FULL_ACCESS

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • quay-v3.11.2
    • quay-v3.11.0
    • quay
    • 0

      Description of problem:

      When enable FEATURE_SUPERUSERS_FULL_ACCESS, removeOrganizationMember API with super user token doesn't work against organization created by normal user. 

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18)
------------------------------ 
registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
------------------------------
registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. enable FEATURE_SUPERUSERS_FULL_ACCESS in quay config.yaml

      FEATURE_SUPERUSERS_FULL_ACCESS: true 
SUPER_USERS:
  - whuquay

      2. Create a normal user "user1" and "user2" and a super user "whuquay".

      3. log in quay by normal user "user1" and create a organization "user1_org"

      4 create a team and add user2 to this team

      5. call removeOrganizationMember API with super user token against organization "user1_org" to remove user2. 

      Actual results:

      Super user can't delete member user2 from organization created by normal user by calling API "DELETE /api/v1/organization/{orgname}/members/{membername}"  when enable FEATURE_SUPERUSERS_FULL_ACCESS

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC
-> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU
->
-> delete specific member by super user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=

------------------------------
$ curl -k -X DELETE -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/members/user2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   271  100   271    0     0    275      0 --:--:-- --:--:-- --:--:--   275
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}

      Expected results

      Super user can delete member user2 from organization created by normal user by calling API "DELETE /api/v1/organization/{orgname}/members/{membername}"  when enable FEATURE_SUPERUSERS_FULL_ACCESS

      Additional Information:

      Normal user "user1" can delete member user2 from organization by  calling API "DELETE /api/v1/organization/{orgname}/members/{membername}" successfully.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC
-> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU
->
-> delete specific member by normal user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=

------------------------------ 

$ curl -k -X DELETE -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/members/user2  

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                  Dload  Upload   Total   Spent    Left  Speed 100   271  100   271    0     0    275      0 --:--:-- --:--:-- --:--:--   275

            bcaton@redhat.com Brandon Caton
            rhwhu Weihua Hu
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: