  1. Project Quay
  2. PROJQUAY-7175

activateBuildTrigger API with super user token doesn't work when FEATURE_SUPERUSERS_FULL_ACCESS is enabled


    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • None
    • quay-v3.11.0
    • quay

      Description of problem:

      When FEATURE_SUPERUSERS_FULL_ACCESS is enabled, the activateBuildTrigger API called with a super user token doesn't work against a build trigger created by a normal user.

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18
      ------------------------------ 
      registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
      ------------------------------
      registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. Enable FEATURE_SUPERUSERS_FULL_ACCESS in the Quay config.yaml:

      FEATURE_SUPERUSERS_FULL_ACCESS: true 
      SUPER_USERS:
        - whuquay
      FEATURE_BUILD_SUPPORT: true
      FEATURE_GITHUB_BUILD: true
      GITHUB_TRIGGER_CONFIG:
        API_ENDPOINT: https://api.github.com/
        CLIENT_ID: ........
        CLIENT_SECRET:  .............
        GITHUB_ENDPOINT: https://github.com/
      BUILDMAN_HOSTNAME: quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com:443 
      BUILD_MANAGER:
      - ephemeral
      - ALLOWED_WORKER_COUNT: 20 
        ORCHESTRATOR_PREFIX: buildman/production/
        ORCHESTRATOR:
          REDIS_HOST: quayregistry-quay-redis
          REDIS_PASSWORD: ""
          REDIS_SSL: false
          REDIS_SKIP_KEYSPACE_EVENT_SETUP: false
        EXECUTORS:
        - EXECUTOR: kubernetesPodman
          DEBUG: true
          NAME: openshift
          BUILDER_NAMESPACE: virtual-builds 
          SETUP_TIME: 180
          QUAY_USERNAME: '........'
          QUAY_PASSWORD: e........8 
          BUILDER_CONTAINER_IMAGE: brew.registry.redhat.io/rh-osbs/quay-quay-builder-rhel8:v3.11.1-3 
          # Kubernetes resource options
          K8S_API_SERVER: api.whu415az20.qe.azure.devcluster.openshift.com:6443
          K8S_API_TLS_CA: /conf/stack/extra_ca_certs/build_cluster.crt
          VOLUME_SIZE: 8G
          KUBERNETES_DISTRIBUTION: openshift
          CONTAINER_MEMORY_LIMITS: 1G 
          CONTAINER_CPU_LIMITS: 1000m
          CONTAINER_MEMORY_REQUEST: 1G 
          CONTAINER_CPU_REQUEST: 500m
          NODE_SELECTOR_LABEL_KEY: ""
          NODE_SELECTOR_LABEL_VALUE: ""
          SERVICE_ACCOUNT_NAME: quay-builder 
          SERVICE_ACCOUNT_TOKEN: e........c 
      USERFILES_LOCATION: default
      USERFILES_PATH: userfiles

      2. Create a normal user "user1" and a super user "whuquay".

      3. Log in to Quay as normal user "user1" and create a repository "user1_org/user1_repo".

      4. As user1, create a build trigger in the web console but do not configure it.

      5. Call the activateBuildTrigger API with the super user token to configure this build trigger.

       

      Actual results:

      The super user can't configure the build trigger created by the normal user by calling the API "POST /api/v1/repository/{repository}/trigger/{trigger_uuid}/activate" when FEATURE_SUPERUSERS_FULL_ACCESS is enabled.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Va0SO2U3VN8XeUChaxfDx3Qw7APhictyU2olj8gN
      -> normal user token: aKlf1DQPSV1bb3I7RkFoTRtxYoUSWquTGLcaGdW9
      ->
      -> list build triggers by super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
      ------------------------------
      $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer Va0SO2U3VN8XeUChaxfDx3Qw7APhictyU2olj8gN" https://quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/
      100   226  100   226    0     0    180      0  0:00:01  0:00:01 --:--:--   180
      {
        "triggers": [
          {
            "id": "a34d64fe-a67f-49bf-b96d-fc6ce8ecfc60",
            "service": "github",
            "is_active": false,
            "build_source": null,
            "repository_url": null,
            "config": {},
            "can_invoke": true,
            "enabled": true,
            "disabled_reason": null
          }
        ]
      }
      
      
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Va0SO2U3VN8XeUChaxfDx3Qw7APhictyU2olj8gN
      -> normal user token: aKlf1DQPSV1bb3I7RkFoTRtxYoUSWquTGLcaGdW9
      ->
      -> create build trigger by super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      
      ------------------------------
      $ curl -k -X POST -H "Content-Type: application/json" -H "Authorization: Bearer Va0SO2U3VN8XeUChaxfDx3Qw7APhictyU2olj8gN" -d '{"config":{"build_source":"hu-weihua/quay_build_test","dockerfile_path":"/Dockerfile","context":"/","default_tag_from_ref":true,"latest_for_default_branch":true,"tag_templates":[]}}' https://quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/a34d64fe-a67f-49bf-b96d-fc6ce8ecfc60/activate
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   458  100   277  100   181    234    152  0:00:01  0:00:01 --:--:--   387
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }

      Expected results

      The super user can configure the build trigger created by the normal user by calling the API "POST /api/v1/repository/{repository}/trigger/{trigger_uuid}/activate" when FEATURE_SUPERUSERS_FULL_ACCESS is enabled.

      Additional Information:

      Normal user "user1" can configure the build trigger by calling the API "POST /api/v1/repository/{repository}/trigger/{trigger_uuid}/activate" successfully.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Va0SO2U3VN8XeUChaxfDx3Qw7APhictyU2olj8gN
      -> normal user token: aKlf1DQPSV1bb3I7RkFoTRtxYoUSWquTGLcaGdW9
      ->
      -> create build trigger by normal user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      % curl -k -X POST -H "Content-Type: application/json" -H "Authorization: Bearer aKlf1DQPSV1bb3I7RkFoTRtxYoUSWquTGLcaGdW9" -d '{"config":{"build_source":"hu-weihua/quay_build_test","dockerfile_path":"/Dockerfile","context":"/","default_tag_from_ref":true,"latest_for_default_branch":true,"tag_templates":[]}}' https://quayregistry-quay-quay-enterprise.apps.whu415az20.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/a34d64fe-a67f-49bf-b96d-fc6ce8ecfc60/activate
      {
        "id": "a34d64fe-a67f-49bf-b96d-fc6ce8ecfc60",
        "service": "github",
        "is_active": true,
        "build_source": "hu-weihua/quay_build_test",
        "repository_url": "https://github.com/hu-weihua/quay_build_test",
        "config": {
          "build_source": "hu-weihua/quay_build_test",
          "dockerfile_path": "/Dockerfile",
          "context": "/",
          "default_tag_from_ref": true,
          "latest_for_default_branch": true,
          "tag_templates": [],
          "credentials": [
            {
              "name": "SSH Public Key",
              "value": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoltJBTFaEeiq3HxqqTcsf6hDiH/QZ3QiUBxfanukzR9cOHvkAX+QjCnrRiTVotURmhdTPan1Fo7PU57z8WEStsDM+byspJtI+qlDh3uEl2fCrCoTcwzasR3IMnYo/CJ7/mbBjfPGSknj3cJu8vpuVpB+aQy3kjwoUOdLVHyxJvdAZ5kfsViIETd3qXSyOkRIkSwydXNC6DBO0oEWGswvzvWWDDycmL24MRFBcD7FO1SxS5xom5O8N8JUW/JnmrIf3ymx7GV+QTozAGtLYog+bn5feYU1sCQuAIdAiK6ibVjNL+rsA35JRNuyNyHyVSLEdIBTSGVSh0LRfjqhXUozh"
            }
          ],
          "deploy_key_id": 99504314,
          "hook_id": 477277894,
          "master_branch": "main"
        },
        "can_invoke": true,
        "enabled": true,
        "disabled_reason": null
      }
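
      A regression check for the behaviour reported above, added here as an example (it is not part of the original report or of Quay's code): it takes recorded API responses per role and lists endpoints that the repository owner can call but a full-access super user cannot. The record layout, the role labels and the function names are assumptions made for this example; the sample records are constructed to mirror the three calls shown in this report.

```python
import json

ACTIVATE = "/api/v1/repository/{repository}/trigger/{trigger_uuid}/activate"
LIST = "/api/v1/repository/{repository}/trigger/"

# Constructed records mirroring the three calls in this report:
# (role, method, path template, HTTP status, response body)
RECORDED = [
    ("superuser", "GET", LIST, 200, '{"triggers": [{"is_active": false}]}'),
    ("superuser", "POST", ACTIVATE, 403,
     '{"error_type": "insufficient_scope", "status": 403}'),
    ("owner", "POST", ACTIVATE, 200, '{"is_active": true}'),
]


def classify(status, body):
    """Reduce one API response to 'allowed', 'denied' or 'other'."""
    if 200 <= status < 300:
        return "allowed"
    try:
        error_type = json.loads(body).get("error_type")
    except (ValueError, AttributeError):
        error_type = None  # body is not a JSON object
    # 403 + insufficient_scope: the token was accepted, the permission check failed.
    if status == 403 and error_type == "insufficient_scope":
        return "denied"
    return "other"


def superuser_gaps(records, full_access):
    """Endpoints the owner may call but a full-access super user may not."""
    if not full_access:
        return []  # the report only expects access when the flag is enabled
    outcomes = {}
    for role, method, path, status, body in records:
        outcomes.setdefault((method, path), {})[role] = classify(status, body)
    return sorted(
        endpoint for endpoint, by_role in outcomes.items()
        if by_role.get("owner") == "allowed"
        and by_role.get("superuser") == "denied"
    )


if __name__ == "__main__":
    for method, path in superuser_gaps(RECORDED, full_access=True):
        print(f"super user denied on {method} {path}")
```

      The list endpoint is not flagged because no owner response was recorded for it; only endpoints with both an owner success and a super user denial count as gaps.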

            bcaton@redhat.com Brandon Caton
            rhwhu Weihua Hu