- Bug
- Resolution: Done
- Normal
- quay-v3.11.0
PROJQUAY-6961 - Implement GLOBAL_READONLY_SUPER_USERS feature for LDAP users
Description of problem:
When FEATURE_SUPERUSERS_FULL_ACCESS is enabled, the getOrganizationPrototypePermissions API called with a super user token does not work against a default permission created by a normal user: the super user's GET is rejected with a 403 insufficient_scope error even though the super user is supposed to have full access.
Version-Release number of selected component (if applicable):
quay-operator-bundle-container-v3.11.1-18
registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7
How reproducible:
1. Enable FEATURE_SUPERUSERS_FULL_ACCESS in the Quay config.yaml and list the super user:
FEATURE_SUPERUSERS_FULL_ACCESS: true
SUPER_USERS:
  - whuquay
2. Create the normal users "user1" and "user2" and the super user "whuquay".
3. Log in to Quay as normal user "user1" and create an organization "user1_org".
4. In that organization, create a team "user1_team" and a robot account "user1_robot".
5. Create a default permission (prototype) as normal user "user1", using user1's OAuth token:
$ curl -k -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU" --data '{"delegate":{"name":"user1_team","kind":"team","is_org_member": true},"role":"read","activating_user":{"name":"user1_org+user1_robot","kind":"user","is_robot":true,"is_org_member":true}}' https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org/prototypes
{
  "activating_user": {
    "name": "user1_org+user1_robot", "is_robot": true, "kind": "user", "is_org_member": true,
    "avatar": {"name": "user1_org+user1_robot", "hash": "33d7ac6acad38699949e2be1a660db8e544eb38b09a8719f9c0d3125a7d6e4cf", "color": "#9edae5", "kind": "robot"}
  },
  "delegate": {
    "name": "user1_team", "kind": "team",
    "avatar": {"name": "user1_team", "hash": "573545c1eceaf01f637d3e0fe05eb38ee91861600fff9a8c3cbf5568a76f7868", "color": "#9c9ede", "kind": "team"}
  },
  "role": "read",
  "id": "88f31ad8-85a6-4538-9436-221d7ef936fa"
}
6. Call the getOrganizationPrototypePermissions API (GET /api/v1/organization/{orgname}/prototypes) with the super user's token against the default permission created in the step above.
Actual results:
With FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user cannot list the default permissions created by a normal user via "GET /api/v1/organization/{orgname}/prototypes"; the call fails with HTTP 403 and error_type insufficient_scope.
super user token: Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC
normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/prototypes
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
Expected results:
With FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user can list the default permissions created by a normal user via "GET /api/v1/organization/{orgname}/prototypes" and the response contains the prototype created in step 5.
Additional Information:
Normal user "user1" can list the same default permissions via "GET /api/v1/organization/{orgname}/prototypes" successfully, so the data is there and only the super user's authorization fails.
list default permissions by normal user:
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/prototypes | jq .
{
  "prototypes": [
    {
      "activating_user": {
        "name": "user1_org+user1_robot", "is_robot": true, "kind": "user", "is_org_member": true,
        "avatar": {"name": "user1_org+user1_robot", "hash": "a39b271255ec8cbc41e9635b62060ea42f752cc3f803367aab74bb0b128520db", "color": "#ffbb78", "kind": "robot"}
      },
      "delegate": {
        "name": "user1_team", "kind": "team",
        "avatar": {"name": "user1_team", "hash": "573545c1eceaf01f637d3e0fe05eb38ee91861600fff9a8c3cbf5568a76f7868", "color": "#9c9ede", "kind": "team"}
      },
      "role": "read",
      "id": "3d7cbd7c-65f8-40bc-8c4e-fd6697f3ab00"
    }
  ]
}
The super user cannot list default permissions it created itself either: with FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user's POST to "/api/v1/organization/{orgname}/prototypes" succeeds, but the following GET on the same endpoint is still rejected with 403 insufficient_scope.
create new organization default permission by super user:
$ curl -k -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" --data '{"delegate":{"name":"user1_team","kind":"team","is_org_member": true},"role":"read","activating_user":{"name":"user2","kind":"user","is_robot":false, "is_org_member":true}}' https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/prototypes
{
  "activating_user": {
    "name": "user2", "is_robot": false, "kind": "user", "is_org_member": false,
    "avatar": {"name": "user2", "hash": "0f6e39ad0c7e038ad8dfcc3459ac26a01191d8230505198cbfb623874254310f", "color": "#c7c7c7", "kind": "user"}
  },
  "delegate": {
    "name": "user1_team", "kind": "team",
    "avatar": {"name": "user1_team", "hash": "573545c1eceaf01f637d3e0fe05eb38ee91861600fff9a8c3cbf5568a76f7868", "color": "#9c9ede", "kind": "team"}
  },
  "role": "read",
  "id": "5a62c710-885a-438f-ac25-ef8f44ccd190"
}
list default permissions by super user:
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/organization/user1_org/prototypes
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
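The following probe replays steps 5 and 6 of the reproduction above and the super-user-created case from the additional information as a scripted regression check. It is an added example, not Quay's own code or QE tooling. It assumes only the two calls shown in this report (POST and GET on /api/v1/organization/{orgname}/prototypes) with OAuth bearer tokens; the FakeQuay class, the tokens in it and the QUAY_* environment variable names are constructed for the example so the logic can be exercised offline, and http_json is the real transport used when those variables are set.

```python
"""Regression probe: can a super user list an organization's default permissions?

Added example, not Quay's own code. Assumes the endpoints shown in the report:
POST/GET /api/v1/organization/{orgname}/prototypes with bearer-token auth.
"""
import json
import ssl
import urllib.error
import urllib.request

# Error body shape observed in the report for the failing super user GET.
INSUFFICIENT_SCOPE = {
    "detail": "Unauthorized", "error_message": "Unauthorized",
    "error_type": "insufficient_scope", "title": "insufficient_scope", "status": 403,
}


def http_json(method, url, token, body=None, insecure=False):
    """Real transport: send a JSON request and return (status, parsed body).
    insecure=True is the equivalent of `curl -k` (no TLS verification)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"raw": raw.decode(errors="replace")}


class FakeQuay:
    """Constructed in-memory stand-in for the prototypes endpoint (not real Quay
    code). honour_superuser=False replays the reported behaviour: the super
    user's POST is accepted but its GET is rejected with insufficient_scope."""

    def __init__(self, org_admin_token, super_token, honour_superuser):
        self.org_admin_token = org_admin_token
        self.super_token = super_token
        self.honour_superuser = honour_superuser
        self.prototypes = []

    def _authorised(self, token, method):
        if token == self.org_admin_token:
            return True
        if token == self.super_token:
            return method == "POST" or self.honour_superuser
        return False

    def __call__(self, method, url, token, body=None):
        if not url.endswith("/prototypes"):
            return 404, {"error_type": "not_found"}
        if not self._authorised(token, method):
            return 403, dict(INSUFFICIENT_SCOPE)
        if method == "POST":
            proto = dict(body, id=f"fake-{len(self.prototypes) + 1:04d}")
            self.prototypes.append(proto)
            return 200, proto
        if method == "GET":
            return 200, {"prototypes": list(self.prototypes)}
        return 405, {"error_type": "method_not_allowed"}


def probe_prototype_visibility(base_url, org, creator_token, super_token,
                               prototype, transport=http_json):
    """Create a default permission as creator_token, then list the org's
    prototypes as the super user. Reports what the super user got back and
    whether the reported failure (403 insufficient_scope) was reproduced."""
    url = f"{base_url.rstrip('/')}/api/v1/organization/{org}/prototypes"
    status, created = transport("POST", url, creator_token, prototype)
    if status not in (200, 201) or not isinstance(created, dict) or "id" not in created:
        raise RuntimeError(f"prototype creation failed: HTTP {status} {created}")
    status, listing = transport("GET", url, super_token)
    listing = listing if isinstance(listing, dict) else {}
    visible_ids = [p.get("id") for p in listing.get("prototypes", [])] if status == 200 else []
    error_type = listing.get("error_type") if status != 200 else None
    return {
        "created_id": created["id"],
        "super_get_status": status,
        "super_error_type": error_type,
        "super_sees_prototype": created["id"] in visible_ids,
        "bug_reproduced": status == 403 and error_type == "insufficient_scope",
    }


if __name__ == "__main__":
    # Against a real registry: the QUAY_* variable names are chosen for this example.
    import os
    env = {k: os.environ.get(k) for k in ("QUAY_URL", "QUAY_ORG", "QUAY_NORMAL_TOKEN", "QUAY_SUPER_TOKEN")}
    if all(env.values()):
        proto = {"delegate": {"name": "user1_team", "kind": "team", "is_org_member": True}, "role": "read",
                 "activating_user": {"name": "user1_org+user1_robot", "kind": "user", "is_robot": True, "is_org_member": True}}
        insecure = lambda m, u, t, b=None: http_json(m, u, t, b, insecure=True)
        print(json.dumps(probe_prototype_visibility(env["QUAY_URL"], env["QUAY_ORG"], env["QUAY_NORMAL_TOKEN"],
                                                    env["QUAY_SUPER_TOKEN"], proto, transport=insecure), indent=2))
    else:
        print("set QUAY_URL, QUAY_ORG, QUAY_NORMAL_TOKEN and QUAY_SUPER_TOKEN to run against a registry")
```

Running the probe twice, once with the normal user's token and once with the super user's token as the creator, covers both cases in this report; on a fixed build both runs should return super_get_status 200 and super_sees_prototype true, and the probe should be kept as a regression check because the same authorization gate guards every prototype call on that endpoint.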
- relates to PROJQUAY-7356 Improve support for quay superuser full access (New)
- links to RHBA-2024:3938 Red Hat Quay v3.11.2 bug fix release