PROJQUAY-7179

getOrganizationCollaborators API with super user token doesn't work when enable FEATURE_SUPERUSERS_FULL_ACCESS


    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • Affects Version/s: None
    • Fix Version/s: quay-v3.11.0
    • Component/s: quay

      Description of problem:

      When FEATURE_SUPERUSERS_FULL_ACCESS is enabled, the getOrganizationCollaborators API called with a super user token doesn't work against an organization created by a normal user.

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18
      ------------------------------ 
      registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
      ------------------------------
      registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. Enable FEATURE_SUPERUSERS_FULL_ACCESS in the Quay config.yaml:

      FEATURE_SUPERUSERS_FULL_ACCESS: true
      SUPER_USERS:
        - whuquay

      2. Create the normal users "user1" and "user3" and the super user "whuquay".

      3. Log in to Quay as normal user "user1" and create the repository "user1_org/user1_repo1".

      4. As user1, give user3 write permission on the repository "user1_org/user1_repo1":

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969
      -> normal user token: m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      $ curl -k -X PUT -H 'Content-Type: application/json' -H "Authorization: Bearer m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b"  --data '{"role": "write"}' https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo1/permissions/user/user3
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   236  100   219  100    17    190     14  0:00:01  0:00:01 --:--:--   205
      {
        "role": "write",
        "name": "user3",
        "is_robot": false,
        "avatar": {
          "name": "user3",
          "hash": "924773ae8821ac150e7cb9d042a11403e89be6499a826dc5714e969a1cfc832b",
          "color": "#17becf",
          "kind": "user"
        },
        "is_org_member": false
      } 

      5. Call the getOrganizationCollaborators API with the super user token against organization "user1_org".

      Actual results:

      With FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user can't get the collaborators of an organization created by a normal user via "GET /api/v1/organization/{orgname}/collaborators"; the request is rejected with 403 insufficient_scope.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969
      -> normal user token: m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b
      ->
      -> call getOrganizationCollaborators by super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      
      ------------------------------
      $ curl -k  -X GET -H "Content-Type: application/json" -H "Authorization: Bearer Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969" https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com/api/v1/organization/user1_org/collaborators
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    237      0  0:00:01  0:00:01 --:--:--   237
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }

      Expected results:

      With FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user can get the collaborators of an organization created by a normal user via "GET /api/v1/organization/{orgname}/collaborators".

      Additional Information:

      The normal user "user1" (the organization owner) can get the collaborators of the organization via "GET /api/v1/organization/{orgname}/collaborators" successfully:

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969
      -> normal user token: m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b
      ->
      -> call getOrganizationCollaborators by normal user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
       
      % curl -k  -X GET -H "Content-Type: application/json" -H "Authorization: Bearer m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b " https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com/api/v1/organization/user1_org/collaborators
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   229  100   229    0     0    205      0  0:00:01  0:00:01 --:--:--   205
      {
        "collaborators": [
          {
            "kind": "user",
            "name": "user3",
            "avatar": {
              "name": "user3",
              "hash": "924773ae8821ac150e7cb9d042a11403e89be6499a826dc5714e969a1cfc832b",
              "color": "#17becf",
              "kind": "user"
            },
            "repositories": [
              "user1_repo1"
            ]
          }
        ]
      }
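The two curl calls above compare the same endpoint under an owner token and a super user token. The script below, an added example that is not part of the report or of Quay's own code, turns that comparison into a repeatable regression check: it calls GET /api/v1/organization/{orgname}/collaborators with both tokens, classifies each response as a collaborator list or an insufficient_scope rejection, and passes only when the super user sees exactly what the owner sees. The transport is injectable, so an offline stand-in (`fake_quay`, with constructed JSON bodies modelled on the report's output and placeholder tokens, not the tokens shown above) exercises both the reported and the expected behaviour, while `urllib_fetch` can be swapped in to run the same check against a live instance after enabling the flag or upgrading.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Transport signature: fetch(method, url, headers) -> (http_status, parsed_json_body)
Fetch = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, Any]]]

# Constructed placeholder tokens (assumption: NOT the tokens from the report).
OWNER_TOKEN = "owner-token-placeholder"
SUPER_TOKEN = "superuser-token-placeholder"

# Constructed response bodies modelled on the JSON shown in the report.
COLLABORATORS_BODY: Dict[str, Any] = {
    "collaborators": [{"kind": "user", "name": "user3", "repositories": ["user1_repo1"]}]
}
INSUFFICIENT_SCOPE_BODY: Dict[str, Any] = {
    "detail": "Unauthorized",
    "error_message": "Unauthorized",
    "error_type": "insufficient_scope",
    "title": "insufficient_scope",
    "status": 403,
}


def get_org_collaborators(fetch: Fetch, base_url: str, token: str, orgname: str) -> Tuple[int, Dict[str, Any]]:
    """GET /api/v1/organization/{orgname}/collaborators with a bearer token."""
    url = f"{base_url}/api/v1/organization/{orgname}/collaborators"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    return fetch("GET", url, headers)


def classify(status: int, body: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Reduce a response to (outcome, sorted collaborator names)."""
    if status == 200 and isinstance(body.get("collaborators"), list):
        return "ok", sorted(c["name"] for c in body["collaborators"])
    if status == 403 and body.get("error_type") == "insufficient_scope":
        return "insufficient_scope", []
    return f"unexpected_{status}", []


def check_superuser_full_access(fetch: Fetch, base_url: str, orgname: str,
                                owner_token: str, super_token: str) -> Dict[str, Any]:
    """With FEATURE_SUPERUSERS_FULL_ACCESS on, the super user must see the owner's view."""
    owner = classify(*get_org_collaborators(fetch, base_url, owner_token, orgname))
    superuser = classify(*get_org_collaborators(fetch, base_url, super_token, orgname))
    return {"owner": owner, "superuser": superuser,
            "passed": owner[0] == "ok" and superuser == owner}


def fake_quay(bug_present: bool) -> Fetch:
    """Offline stand-in for Quay (constructed): reproduces the reported 403 when
    bug_present is True and the expected collaborator list otherwise."""
    def fetch(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
        token = headers.get("Authorization", "").split("Bearer ", 1)[-1].strip()
        if method != "GET" or not url.endswith("/api/v1/organization/user1_org/collaborators"):
            return 404, {"error_type": "not_found"}
        if token == OWNER_TOKEN:
            return 200, COLLABORATORS_BODY
        if token == SUPER_TOKEN:
            return (403, INSUFFICIENT_SCOPE_BODY) if bug_present else (200, COLLABORATORS_BODY)
        return 401, {"error_type": "invalid_token"}
    return fetch


def urllib_fetch(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Real transport for a live Quay; TLS verification is left on (the report's curl used -k)."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # Quay returns a JSON problem document on 403, as shown in the report.
        return err.code, json.load(err)


if __name__ == "__main__":
    base = "https://quay.example.invalid"  # placeholder base URL
    for present in (True, False):
        label = "bug present" if present else "fixed"
        print(label, check_superuser_full_access(fake_quay(present), base, "user1_org",
                                                 OWNER_TOKEN, SUPER_TOKEN))
```

Against a live deployment, replace `fake_quay(...)` with `urllib_fetch` and pass the real base URL and tokens; a `passed` of False with `superuser == ("insufficient_scope", [])` is the signature of this issue, while any `unexpected_*` outcome points at something other than the scope check (wrong URL, expired token, TLS problem).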

            Assignee: Brandon Caton
            Reporter: Weihua Hu