Project Quay
PROJQUAY-7174

requestRepoBuild API with super user token doesn't work when FEATURE_SUPERUSERS_FULL_ACCESS is enabled


    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • None
    • quay-v3.11.0
    • quay

      Description of problem:

      When FEATURE_SUPERUSERS_FULL_ACCESS is enabled, calling the requestRepoBuild API with a super user token fails against a Dockerfile uploaded by a normal user.

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18
      ------------------------------ 
      registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
      ------------------------------
      registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. Enable FEATURE_SUPERUSERS_FULL_ACCESS in the Quay config.yaml:

      FEATURE_SUPERUSERS_FULL_ACCESS: true 
      SUPER_USERS:
        - whuquay
      FEATURE_BUILD_SUPPORT: true
      FEATURE_GITHUB_BUILD: true
      GITHUB_TRIGGER_CONFIG:
        API_ENDPOINT: https://api.github.com/
        CLIENT_ID: ........
        CLIENT_SECRET:  .............
        GITHUB_ENDPOINT: https://github.com/
      BUILDMAN_HOSTNAME: quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com:443 
      BUILD_MANAGER:
      - ephemeral
      - ALLOWED_WORKER_COUNT: 20 
        ORCHESTRATOR_PREFIX: buildman/production/
        ORCHESTRATOR:
          REDIS_HOST: quayregistry-quay-redis
          REDIS_PASSWORD: ""
          REDIS_SSL: false
          REDIS_SKIP_KEYSPACE_EVENT_SETUP: false
        EXECUTORS:
        - EXECUTOR: kubernetesPodman
          DEBUG: true
          NAME: openshift
          BUILDER_NAMESPACE: virtual-builds 
          SETUP_TIME: 180
          QUAY_USERNAME: '........'
          QUAY_PASSWORD: e........8 
          BUILDER_CONTAINER_IMAGE: brew.registry.redhat.io/rh-osbs/quay-quay-builder-rhel8:v3.11.1-3 
          # Kubernetes resource options
          K8S_API_SERVER: api.whu415az20.qe.azure.devcluster.openshift.com:6443
          K8S_API_TLS_CA: /conf/stack/extra_ca_certs/build_cluster.crt
          VOLUME_SIZE: 8G
          KUBERNETES_DISTRIBUTION: openshift
          CONTAINER_MEMORY_LIMITS: 1G 
          CONTAINER_CPU_LIMITS: 1000m
          CONTAINER_MEMORY_REQUEST: 1G 
          CONTAINER_CPU_REQUEST: 500m
          NODE_SELECTOR_LABEL_KEY: ""
          NODE_SELECTOR_LABEL_VALUE: ""
          SERVICE_ACCOUNT_NAME: quay-builder 
          SERVICE_ACCOUNT_TOKEN: e........c 
      USERFILES_LOCATION: default
      USERFILES_PATH: userfiles

      2. Create a normal user "user1" and a super user "whuquay".

      3. Log in to Quay as the normal user "user1" and create the repository "user1_org/user1_repo".

      4. Upload a Dockerfile in the Builds tab as user1.

      5. Call the requestRepoBuild API with the super user's token to start the build.
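      The following script is an added example for this report, not Quay project code: it turns steps 1 to 5 into a repeatable check by POSTing to the build endpoint as both users and classifying each response. The registry URL, the token placeholders and the file_id in the main block are assumptions to be replaced with real values; the two sample responses embedded as constants are copied from the curl output in this report.

```python
"""Regression check for the superuser build-request behaviour in this report.

Example code written for the report (not Quay's own code). Assumes a reachable
Quay instance, an OAuth token for a super user and one for the repository
owner; URL, tokens and file_id in the __main__ block are placeholders.
"""
import json
import ssl
import urllib.error
import urllib.request

BUILD_PATH = "/api/v1/repository/{repo}/build/"

# Sample responses copied from the curl output above (403 for the super user,
# 200 for the repository owner); used as constructed test input.
SAMPLE_FORBIDDEN = {
    "detail": "Unauthorized",
    "error_message": "Unauthorized",
    "error_type": "insufficient_scope",
    "title": "insufficient_scope",
    "status": 403,
}
SAMPLE_ALLOWED = {
    "id": "42bc8d8a-49bb-4b95-8742-639f3afa41a3",
    "phase": "waiting",
    "manual_user": "user1",
    "resource_key": "22673f9f-5174-426b-92eb-9bc14844db0b",
}


def request_repo_build(base_url, token, repo, file_id, verify_tls=True):
    """POST /api/v1/repository/{repo}/build/ with a Bearer token.

    Returns (http_status, parsed_json_body). Quay returns a JSON problem
    document on errors, so non-2xx bodies are parsed as well.
    """
    url = base_url.rstrip("/") + BUILD_PATH.format(repo=repo)
    req = urllib.request.Request(
        url,
        data=json.dumps({"file_id": file_id}).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of `curl -k`, for test clusters only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as exc:
        body = exc.read()
        try:
            return exc.code, json.loads(body)
        except ValueError:
            return exc.code, {"raw": body.decode(errors="replace")}


def diagnose(status, body):
    """Classify one build-request response.

    'allowed'            - build was queued (2xx with a build id)
    'insufficient_scope' - the 403 this report is about
    'other'              - anything else (bad token, unknown file_id, ...)
    """
    if status in (200, 201) and "id" in body:
        return "allowed"
    if status == 403 and body.get("error_type") == "insufficient_scope":
        return "insufficient_scope"
    return "other"


def superuser_full_access_ok(super_resp, normal_resp):
    """True when both the super user and the repo owner could start the build.

    With FEATURE_SUPERUSERS_FULL_ACCESS enabled the super user is expected to
    succeed on a repository it does not own; the reported bug is the pair
    (insufficient_scope, allowed).
    """
    return (diagnose(*super_resp) == "allowed"
            and diagnose(*normal_resp) == "allowed")


if __name__ == "__main__":
    # Placeholders: set the registry URL, both tokens and the file_id returned
    # by the Dockerfile upload (step 4).
    BASE = "https://quay.example.com"
    REPO = "user1_org/user1_repo"
    FILE_ID = "00000000-0000-0000-0000-000000000000"
    s = request_repo_build(BASE, "SUPERUSER_TOKEN", REPO, FILE_ID, verify_tls=False)
    n = request_repo_build(BASE, "NORMAL_USER_TOKEN", REPO, FILE_ID, verify_tls=False)
    print("super user:", s[0], diagnose(*s))
    print("repo owner:", n[0], diagnose(*n))
    print("PASS" if superuser_full_access_ok(s, n) else "FAIL: super user denied")
```

      Run it once with the feature enabled and once disabled; only the former should print PASS, and the (insufficient_scope, allowed) pair is exactly the result recorded below.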

      Actual results:

      With FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user cannot start a build from the Dockerfile uploaded by the normal user by calling "POST /api/v1/repository/{repository}/build/"; the API returns 403 insufficient_scope.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Va0SO2U3VN8XeUChaxfDx3Qw7APhictyU2olj8gN
      -> normal user token: aKlf1DQPSV1bb3I7RkFoTRtxYoUSWquTGLcaGdW9
      ->
      -> start a build with upload dockerfile by super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      
      ------------------------------
      $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer Va0SO2U3VN8XeUChaxfDx3Qw7APhictyU2olj8gN"  --data '{"file_id": "22673f9f-5174-426b-92eb-9bc14844db0b"}' https://quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/build/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   328  100   277  100    51    220     40  0:00:01  0:00:01 --:--:--   261
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }

      Expected results

      With FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user can start a build from the Dockerfile uploaded by the normal user by calling "POST /api/v1/repository/{repository}/build/".

      Additional Information:

      The normal user "user1" can start the build from the same Dockerfile by calling "POST /api/v1/repository/{repository}/build/" successfully.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Va0SO2U3VN8XeUChaxfDx3Qw7APhictyU2olj8gN
      -> normal user token: aKlf1DQPSV1bb3I7RkFoTRtxYoUSWquTGLcaGdW9
      ->
      -> start a build with upload dockerfile by normal user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      
      ------------------------------
      % curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer aKlf1DQPSV1bb3I7RkFoTRtxYoUSWquTGLcaGdW9"  --data '{"file_id": "22673f9f-5174-426b-92eb-9bc14844db0b"}' https://quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/build/ |jq .
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   793  100   742  100    51    530     36  0:00:01  0:00:01 --:--:--   567
      {
        "id": "42bc8d8a-49bb-4b95-8742-639f3afa41a3",
        "phase": "waiting",
        "started": "Thu, 09 May 2024 15:01:24 -0000",
        "display_name": "\"0x8DC7037A9A67586\"",
        "status": {},
        "subdirectory": "/Dockerfile",
        "dockerfile_path": "/Dockerfile",
        "context": "/",
        "tags": [
          "latest"
        ],
        "manual_user": "user1",
        "is_writer": true,
        "trigger": null,
        "trigger_metadata": {},
        "resource_key": "22673f9f-5174-426b-92eb-9bc14844db0b",
        "pull_robot": null,
        "repository": {
          "namespace": "user1_org",
          "name": "user1_repo"
        },
        "error": null,
        "archive_url": "https://whusc1.blob.core.windows.net/whusc1container/quaydata/userfiles/22673f9f-5174-426b-92eb-9bc14844db0b?se=2024-05-09T15%3A06%3A24Z&sp=r&sv=2019-12-12&sr=b&sig=P/%2BiYnf63X5qSm9wVcPqVQYyVo6iep%2BXysWjALfgsCA%3D"
      }


            bcaton@redhat.com Brandon Caton
            rhwhu Weihua Hu