Bug
Resolution: Done
Major
None
quay-v3.12.0
False
False
Description of problem:
After a user is set as a global read-only super user, that user's calls to the build APIs below fail:
GET /api/v1/repository/{repository}/build/{build_uuid}/logs
GET /api/v1/superuser/{build_uuid}/status
GET /api/v1/superuser/{build_uuid}/build
GET /api/v1/superuser/{build_uuid}/logs
GET /api/v1/repository/{repository}/trigger/{trigger_uuid}/builds
GET /api/v1/repository/{repository}/trigger/{trigger_uuid}
GET /api/v1/repository/{repository}/trigger/
Version-Release number of selected component (if applicable):
quay-operator-bundle-container-v3.12.0-16
------------------------------
registry.redhat.io/quay/quay-rhel8@sha256:159d866d862b94cb954c1765393f963cd648b79892e8cc7a19a4df42f767c0cd
------------------------------
registry.redhat.io/quay/quay-rhel8@sha256:d0735d2e3bf076ac5d4b0c68bf791c29a214b94ffbcc98f57aa6bb564649f204
------------------------------
How reproducible:
1. Enable GLOBAL_READONLY_SUPER_USERS in the Quay config.yaml:
   SUPER_USERS:
   - whuquay
   GLOBAL_READONLY_SUPER_USERS:
   - whuro
   BROWSER_API_CALLS_XHR_ONLY: false
   FEATURE_UI_V2: true
   ........
2. Create a normal user "user1", a super user "whuquay" and a global read-only super user "whuro".
3. Set up the build environment, create a build trigger and trigger a build.
4. Call the build APIs as the global read-only super user.
Actual results:
Calls to some build APIs by the global read-only super user fail.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
-> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
-> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
->
-> list build triggers by admin super user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   982  100   982    0     0    360      0  0:00:02  0:00:02 --:--:--   360
{
  "triggers": [
    {
      "id": "7bd0fb89-1069-472d-9d63-64ab5f2733e9",
      "service": "github",
      "is_active": true,
      "build_source": "hu-weihua/quay_build_test",
      "repository_url": "https://github.com/hu-weihua/quay_build_test",
      "config": {
        "build_source": "hu-weihua/quay_build_test",
        "dockerfile_path": "/Dockerfile",
        "context": "/",
        "default_tag_from_ref": true,
        "latest_for_default_branch": true,
        "tag_templates": [],
        "credentials": [
          {
            "name": "SSH Public Key",
            "value": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyYU3Itbo5qNCy8qzJVGtoZpbNiR5l7zb5JlwZLOwlTETO+yR1t5x8UZWrlQyC6jKrmlnO9HYOVcT2xJxH7Qd4h2GnyLVW2Qgr1fBdGhS63i3uP0XLy/r6IkGXdDgG7ARyMfRGAieTxjbubj6CLxZO4BCA4+uw07Ad5Px1Jdy6ZiwvjyRalxOREdTaPNONtj/AQsM+vIH7zy4EEZnWzhO/2rKb9YEqn0XeWzOsdPIiZJRoHE1edw85TuAaH36nN/XCX6yDbLSH9rXFZArM2oOg37mdl67MBuNAuiTTYUWG2v/spvm2oRO6JuXCEVMpurkmwecDKBlNYloHg5RAHQc9"
          }
        ],
        "deploy_key_id": 102774592,
        "hook_id": 487939365,
        "master_branch": "main"
      },
      "can_invoke": true,
      "enabled": true,
      "disabled_reason": null
    }
  ]
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> list build triggers by read-only user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0    270      0  0:00:01  0:00:01 --:--:--   271
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get specific trigger info by admin super user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/7bd0fb89-1069-472d-9d63-64ab5f2733e9
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   966  100   966    0     0    931      0  0:00:01  0:00:01 --:--:--   932
{
  "id": "7bd0fb89-1069-472d-9d63-64ab5f2733e9",
  "service": "github",
  "is_active": true,
  "build_source": "hu-weihua/quay_build_test",
  "repository_url": "https://github.com/hu-weihua/quay_build_test",
  "config": {
    "build_source": "hu-weihua/quay_build_test",
    "dockerfile_path": "/Dockerfile",
    "context": "/",
    "default_tag_from_ref": true,
    "latest_for_default_branch": true,
    "tag_templates": [],
    "credentials": [
      {
        "name": "SSH Public Key",
        "value": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyYU3Itbo5qNCy8qzJVGtoZpbNiR5l7zb5JlwZLOwlTETO+yR1t5x8UZWrlQyC6jKrmlnO9HYOVcT2xJxH7Qd4h2GnyLVW2Qgr1fBdGhS63i3uP0XLy/r6IkGXdDgG7ARyMfRGAieTxjbubj6CLxZO4BCA4+uw07Ad5Px1Jdy6ZiwvjyRalxOREdTaPNONtj/AQsM+vIH7zy4EEZnWzhO/2rKb9YEqn0XeWzOsdPIiZJRoHE1edw85TuAaH36nN/XCX6yDbLSH9rXFZArM2oOg37mdl67MBuNAuiTTYUWG2v/spvm2oRO6JuXCEVMpurkmwecDKBlNYloHg5RAHQc9"
      }
    ],
    "deploy_key_id": 102774592,
    "hook_id": 487939365,
    "master_branch": "main"
  },
  "can_invoke": true,
  "enabled": true,
  "disabled_reason": null
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get specific trigger info by read-only user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/7bd0fb89-1069-472d-9d63-64ab5f2733e9
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0    268      0  0:00:01  0:00:01 --:--:--   268
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> list trigger recent builds by admin super user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/7bd0fb89-1069-472d-9d63-64ab5f2733e9/builds
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   691  100   691    0     0    673      0  0:00:01  0:00:01 --:--:--   673
{
  "builds": [
    {
      "id": "cf11178a-578d-4c4b-8e6e-6ac5b7a61008",
      "phase": "complete",
      "started": "Wed, 03 Jul 2024 08:53:27 -0000",
      "display_name": "7987520",
      "status": {},
      "subdirectory": "/Dockerfile",
      "dockerfile_path": "/Dockerfile",
      "context": "/",
      "tags": [ "main", "latest" ],
      "manual_user": "user1",
      "is_writer": false,
      "trigger": {
        "id": "7bd0fb89-1069-472d-9d63-64ab5f2733e9",
        "service": "github",
        "is_active": true,
        "build_source": null,
        "repository_url": null,
        "config": {},
        "can_invoke": false,
        "enabled": true,
        "disabled_reason": null
      },
      "trigger_metadata": null,
      "resource_key": null,
      "pull_robot": null,
      "repository": { "namespace": "user1_org", "name": "user1_repo" },
      "error": null
    }
  ]
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> list trigger recent builds by read-only user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/trigger/7bd0fb89-1069-472d-9d63-64ab5f2733e9/builds
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0    269      0  0:00:01  0:00:01 --:--:--   269
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get the specific build logs by read-only user
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/repository/user1_org/user1_repo/build/cf11178a-578d-4c4b-8e6e-6ac5b7a61008/logs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0    266      0  0:00:01  0:00:01 --:--:--   267
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get build info by admin super user api
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/cf11178a-578d-4c4b-8e6e-6ac5b7a61008/build
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   593  100   593    0     0    346      0  0:00:01  0:00:01 --:--:--   346
{
  "id": "cf11178a-578d-4c4b-8e6e-6ac5b7a61008",
  "phase": "complete",
  "started": "Wed, 03 Jul 2024 08:53:27 -0000",
  "display_name": "7987520",
  "status": {},
  "subdirectory": "",
  "dockerfile_path": "",
  "context": "",
  "tags": [],
  "manual_user": null,
  "is_writer": false,
  "trigger": {
    "id": "7bd0fb89-1069-472d-9d63-64ab5f2733e9",
    "service": "github",
    "is_active": true,
    "build_source": null,
    "repository_url": null,
    "config": {},
    "can_invoke": false
  },
  "trigger_metadata": null,
  "resource_key": null,
  "pull_robot": null,
  "repository": { "namespace": "user1_org", "name": "user1_repo" },
  "error": null
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get build info by read-only user api
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/cf11178a-578d-4c4b-8e6e-6ac5b7a61008/build
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0    269      0  0:00:01  0:00:01 --:--:--   269
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get build status by admin super user api
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/cf11178a-578d-4c4b-8e6e-6ac5b7a61008/status
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   593  100   593    0     0    575      0  0:00:01  0:00:01 --:--:--   575
{
  "id": "cf11178a-578d-4c4b-8e6e-6ac5b7a61008",
  "phase": "complete",
  "started": "Wed, 03 Jul 2024 08:53:27 -0000",
  "display_name": "7987520",
  "status": {},
  "subdirectory": "",
  "dockerfile_path": "",
  "context": "",
  "tags": [],
  "manual_user": null,
  "is_writer": false,
  "trigger": {
    "id": "7bd0fb89-1069-472d-9d63-64ab5f2733e9",
    "service": "github",
    "is_active": true,
    "build_source": null,
    "repository_url": null,
    "config": {},
    "can_invoke": false
  },
  "trigger_metadata": null,
  "resource_key": null,
  "pull_robot": null,
  "repository": { "namespace": "user1_org", "name": "user1_repo" },
  "error": null
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get build status by read-only user api
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/cf11178a-578d-4c4b-8e6e-6ac5b7a61008/status
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0    276      0  0:00:01  0:00:01 --:--:--   276
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get build log by admin super user api
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/cf11178a-578d-4c4b-8e6e-6ac5b7a61008/logs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 83953  100 83953    0     0  55003      0  0:00:01  0:00:01 --:--:-- 55015
{
  "start": 0,
  "total": 323,
  "logs": [
    {
      "message": "build-scheduled",
      "type": "phase",
      "data": { "datetime": "2024-07-03 08:53:29.381399" }
    },
    .............................
    },
    {
      "message": "complete",
      "type": "phase",
      "data": { "datetime": "2024-07-03 08:54:22.334238" }
    }
  ]
}
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
-> get build log by read-only user api
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
------------------------------
$ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/cf11178a-578d-4c4b-8e6e-6ac5b7a61008/logs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0    174      0  0:00:01  0:00:01 --:--:--   174
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
Expected results:
The global read-only super user can call all build APIs successfully.
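
An added example, not part of the original report or of Quay's own test suite: a regression check for the access matrix described above, which flags every listed GET endpoint that answers the super user with 200 but refuses the read-only super user. `check_matrix`, `reported_behaviour` and the role names are hypothetical, the server responses are a constructed stand-in, and the rule that a normal user stays locked out of `/superuser/` paths is an assumption.

```python
import urllib.error
import urllib.request

# GET endpoints listed in the report's description.
BUILD_GET_ENDPOINTS = [
    "/api/v1/repository/{repository}/build/{build_uuid}/logs",
    "/api/v1/superuser/{build_uuid}/status",
    "/api/v1/superuser/{build_uuid}/build",
    "/api/v1/superuser/{build_uuid}/logs",
    "/api/v1/repository/{repository}/trigger/{trigger_uuid}/builds",
    "/api/v1/repository/{repository}/trigger/{trigger_uuid}",
    "/api/v1/repository/{repository}/trigger/",
]

def http_status(base_url, path, token):
    """Live fetch: one GET with a bearer token, returning the HTTP status code."""
    req = urllib.request.Request(base_url + path,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_matrix(params, fetch):
    """Return (path, role, status) for every cell that violates the expected matrix.

    fetch(path, role) -> status code; role is "superuser", "readonly" or "normal".
    """
    problems = []
    for template in BUILD_GET_ENDPOINTS:
        path = template.format(**params)
        baseline = fetch(path, "superuser")
        readonly = fetch(path, "readonly")
        # The read-only super user should be able to read whatever the super user can.
        if baseline == 200 and readonly != 200:
            problems.append((path, "readonly", readonly))
        # Assumption: a normal user must stay locked out of /superuser/ paths,
        # so a fix cannot pass by loosening the check for everyone.
        normal = fetch(path, "normal")
        if "/superuser/" in path and normal == 200:
            problems.append((path, "normal", normal))
    return problems

# Repository, build and trigger IDs taken from the report's curl session.
SAMPLE = {"repository": "user1_org/user1_repo",
          "build_uuid": "cf11178a-578d-4c4b-8e6e-6ac5b7a61008",
          "trigger_uuid": "7bd0fb89-1069-472d-9d63-64ab5f2733e9"}

def reported_behaviour(path, role):
    """Constructed stand-in for the server as reported: 200 for the super user, 403 otherwise."""
    return 200 if role == "superuser" else 403

if __name__ == "__main__":
    for path, role, status in check_matrix(SAMPLE, reported_behaviour):
        print(f"{role:9} {status} {path}")
```

Against a live registry, pass a `fetch` that maps each role to its token and calls `http_status`; an empty result means the matrix holds.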