-
Bug
-
Resolution: Done
-
Normal
-
quay-v3.11.0
-
False
-
None
-
False
-
PROJQUAY-6961 - Implement GLOBAL_READONLY_SUPER_USERS feature for LDAP users
-
-
Description of problem:
When enable FEATURE_SUPERUSERS_FULL_ACCESS, getOrganizationQuotaLimit API with super user token doesn't work against organization created by normal user.
Version-Release number of selected component (if applicable):
quay-operator-bundle-container-v3.11.1-18) ------------------------------ registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c ------------------------------ registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7
How reproducible:
1. enable FEATURE_SUPERUSERS_FULL_ACCESS in quay config.yaml
FEATURE_SUPERUSERS_FULL_ACCESS: true
SUPER_USERS:
- whuquay
2. Create a normal user "user1" and a super user "whuquay".
3. log in quay by normal user "user1" and create a organization "user1_org"
4 set quota and limit for organization "user1_org" by super user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC -> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU -> -> create organizaiton quota =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" --data '{"limit_bytes": 100000000}' https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/quota % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 36 100 10 100 26 6 18 0:00:01 0:00:01 --:--:-- 24 "Created" =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC -> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU -> -> create organizaiton quota limit =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" --data '{"type": "Warning","threshold_percent": 70}' https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/quota/3/limit % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 53 100 10 100 43 10 45 0:00:01 --:--:-- 0:00:01 56 "Created" =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC -> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU -> -> list organizaiton quota again =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/quota % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 158 100 158 0 0 167 0 --:--:-- --:--:-- --:--:-- 167 [ { "id": 3, "limit_bytes": 200000000, "default_config": false, "limits": [ { "id": 3, "type": "Warning", "limit_percent": 70 } ], "default_config_exists": false } ]
5. call getOrganizationQuotaLimit API with super user token against organization "user1_org".
Actual results:
Super user can't get specific quota limit information of organization created by normal user by calling API "GET /api/v1/organization/{orgname}/quota/{quota_id}/limit/{limit_id}" when enable FEATURE_SUPERUSERS_FULL_ACCESS
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC -> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU -> -> get organizaiton quota limit =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/quota/3/limit/3 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 271 100 271 0 0 291 0 --:--:-- --:--:-- --:--:-- 292 { "detail": "Unauthorized", "error_message": "Unauthorized", "error_type": "insufficient_scope", "title": "insufficient_scope", "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/error/insufficient_scope", "status": 403 }
Expected results
Super user can get specific quota limit information of organization created by normal user by calling API "GET /api/v1/organization/{orgname}/quota/{quota_id}/limit/{limit_id}" when enable FEATURE_SUPERUSERS_FULL_ACCESS
Additional Information:
Normal user "user1" can get specific quota limit information of organization by calling API "GET /api/v1/organization/{orgname}/quota/{quota_id}/limit/{limit_id}" successfully.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC -> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU -> -> get organizaiton quota limit by normal user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/quota/3/limit/3 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 50 100 50 0 0 52 0 --:--:-- --:--:-- --:--:-- 52 { "id": 3, "type": "Warning", "limit_percent": 70 }
- relates to
-
PROJQUAY-7356 Improve support for quay superuser full access
-
- New
-
- links to
-
RHBA-2024:3938
Red Hat Quay v3.11.2 bug fix release
