Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7158

listRepositoryAutoPrunePolicies API with super user token doesn't work when enable FEATURE_SUPERUSERS_FULL_ACCESS

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • quay-v3.11.2
    • quay-v3.11.0
    • quay

      Description of problem:

      When enable FEATURE_SUPERUSERS_FULL_ACCESS, listRepositoryAutoPrunePolicies API with super user token doesn't work against repository auto prune policy created by normal user. 

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18)
      ------------------------------ 
      registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
      ------------------------------
      registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. enable FEATURE_SUPERUSERS_FULL_ACCESS in quay config.yaml

      FEATURE_SUPERUSERS_FULL_ACCESS: true 
      SUPER_USERS:
        - whuquay

      2. Create a normal user "user1" and a super user "whuquay".

      3. log in quay by normal user "user1" and create a repository "user1_org/user1_repo"

      4 create a repository auto prune policy by user1

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC
      -> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU
      ->
      -> create repository policy by normal user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      
      ------------------------------
      $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU"  --data '{"method": "number_of_tags", "value": 10}' https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/autoprunepolicy/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100    90  100    49  100    41     42     35  0:00:01  0:00:01 --:--:--    77
      {
        "uuid": "9941af3b-18c0-47f5-b62d-7bb25eec0d28"
      } 
      
      ------------------------------
      $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/autoprunepolicy/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   106  100   106    0     0    106      0  0:00:01 --:--:--  0:00:01   106
      {
        "policies": [
          {
            "uuid": "9941af3b-18c0-47f5-b62d-7bb25eec0d28",
            "method": "number_of_tags",
            "value": 10
          }
        ]
      }

      5. run listRepositoryAutoPrunePolicies API with super user token against repository auto prune policy created by user1

      Actual results:

      Super user can't list repository auto prune policies created by normal user by API "GET /api/v1/repository/{repository}/autoprunepolicy/"  when enable FEATURE_SUPERUSERS_FULL_ACCESS

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC
      -> normal user token: pt6TaFkCp0oxKWvVMuIl5hhezFetGVgFF57zf3WU
      ->
      -> list repository policies by super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      ------------------------------
      $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer Uh7HKz1jKpzpkXqHb6eZncTwXDiuz18EkzZ8o0BC" https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/autoprunepolicy/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   271  100   271    0     0    256      0  0:00:01  0:00:01 --:--:--   256
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw14.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }

      Expected results

      Super user can list repository auto prune policies created by normal user by API "GET /api/v1/repository/{repository}/autoprunepolicy/"   when enable FEATURE_SUPERUSERS_FULL_ACCESS

              bcaton@redhat.com Brandon Caton
              rhwhu Weihua Hu
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: