-
Bug
-
Resolution: Done
-
Major
-
quay-v3.12.0
Description of problem:
After setting a user as global read-only super user, this user call below superuser APIs failed.
GET /api/v1/superuser/users/ GET /api/v1/superuser/logs GET /api/v1/superuser/users/{namespace}/quota GET /api/v1/superuser/registrysize/ GET /api/v1/superuser/keys GET /api/v1/superuser/keys/{kid}
Version-Release number of selected component (if applicable):
quay-operator-bundle-container-v3.12.0-16
------------------------------
registry.redhat.io/quay/quay-rhel8@sha256:159d866d862b94cb954c1765393f963cd648b79892e8cc7a19a4df42f767c0cd
------------------------------
registry.redhat.io/quay/quay-rhel8@sha256:d0735d2e3bf076ac5d4b0c68bf791c29a214b94ffbcc98f57aa6bb564649f204
------------------------------
How reproducible:
1. enable GLOBAL_READONLY_SUPER_USERS in quay config.yaml
SUPER_USERS: - whuquay GLOBAL_READONLY_SUPER_USERS: - whuro BROWSER_API_CALLS_XHR_ONLY: false FEATURE_UI_V2: true ........
2. Create a normal user "user1" , a super user "whuquay" and a global read-only super user "whuro"
3. log in quay by normal user "user1" and create a repository "user1_org/user1_repo"
4 Call build APIs by global read-only super user
Actual results:
Global read-only super user call some superuser APIs failed
=========To test super user APIs by super user========== =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call createInstallUser by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" --data '{"username": "installuser"}' https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/ % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 252 100 225 100 27 166 19 0:00:01 0:00:01 --:--:-- 186 { "username": "installuser", "email": null, "password": "2E5VAAYH57XQQK1PXJMNUTJABQRU896R", "encrypted_password": "6Upk90Cwfrm6WwjmDK+ka6RdpVkSH0FFUX1rET/xTmOG7R9+glYr6zQK5Zi7EHfzlb6iW4R3xq5R5hmWRzZzl5w68kUq5bAIs5dlXK2729k=" } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call listAllUsers by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/ % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 5283 100 5283 0 0 5025 0 0:00:01 0:00:01 --:--:-- 5026 { "users": [ { "kind": "user", "name": "whuquay", "username": "whuquay", "email": "quay+test@redhat.com", "verified": true, "avatar": { "name": "whuquay", "hash": "369072bc5a39f354a0e8e431e15427764f9d02f7ff266b4b9adffbc0128bed65", "color": "#6b6ecf", "kind": "user" }, "super_user": true, "enabled": true, "quotas": [], "quota_report": { "quota_bytes": 0, "configured_quota": null, "running_backfill": "complete", "backfill_status": "complete" } }, ......... { "kind": "user", "name": "installuser", "username": "installuser", "email": "05d7ce27-6328-44bc-bb00-19d4d2a3035f", "verified": true, "avatar": { "name": "installuser", "hash": "64417d7fe37741aaec44017cb17c8be8f103a240402b671741f0b43b6c1ebc18", "color": "#2ca02c", "kind": "user" }, "super_user": false, "enabled": true, "quotas": [], "quota_report": { "quota_bytes": 0, "configured_quota": null, "running_backfill": "waiting", "backfill_status": "waiting" } } ] } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call listAllUsers by read-only user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/ % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 100 277 0 0 113 0 0:00:02 0:00:02 --:--:-- 113 { "detail": "Unauthorized", "error_message": "Unauthorized", "error_type": "insufficient_scope", "title": "insufficient_scope", "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope", "status": 403 } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call listAllLogs by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/logs % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 13075 100 13075 0 0 12951 0 0:00:01 0:00:01 --:--:-- 12958 { "start_time": "Tue, 02 Jul 2024 08:16:23 -0000", "end_time": "Thu, 04 Jul 2024 08:16:23 -0000", "logs": [ { "kind": "user_create", "metadata": { "email": null, "username": "installuser", "superuser": "whuquay", "oauth_token_id": 2, "oauth_token_application_id": "2NW37JCUFGGS3PZRNU1G", "oauth_token_application": "curl" }, ........ "name": "user1_org", "hash": "776804aac1b838e463c049cbbc27d9cbc73329e4cae93f11226fafe87e479888", "color": "#9c9ede", "kind": "org" } } } ], "next_page": "gAAAAABmhQjXQwyCu_z8vRzKjYvrfbtxcQI_HBo9IcXFkD3TxzJnbMbsuq2528mtrlMxcvFLIuXl3B82zLFD8sk52y670QFN7_OzFTffCJEJtA-AxufUqYSEPoJ1OmwBD9SpYY7raddWchwqqWX4EVAURzvH2U53ZiPk9-1PRrmvnrW0qLUOzj8KblcsKjt19O1cLfBcZmUkz2oOe3VoAzGkSWGM6uZ94Q==" } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call listAllLogs by read-only user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/logs % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 100 277 0 0 276 0 0:00:01 0:00:01 --:--:-- 277 { "detail": "Unauthorized", "error_message": "Unauthorized", "error_type": "insufficient_scope", "title": "insufficient_scope", "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope", "status": 403 } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call createOrganizationQuotaSuperUser by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" --data '{"limit_bytes": 2147483648}' https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/user3/quota % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 335 100 308 100 27 303 26 0:00:01 0:00:01 --:--:-- 330 { "detail": "Quota for 'user3' already exists", "error_message": "Quota for 'user3' already exists", "error_type": "invalid_request", "title": "invalid_request", "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/invalid_request", "status": 400 } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call listOrganizationQuotaSuperUser by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/user3/quota 100 179 100 179 0 0 179 0 0:00:01 --:--:-- 0:00:01 179 [ { "id": 1, "limit_bytes": 2147483648, "limit": "2.0 GiB", "default_config": false, "limits": [ { "id": 1, "type": "Warning", "limit_percent": 70 } ], "default_config_exists": false } ] =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call listOrganizationQuotaSuperUser by read-only user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/user3/quota % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 100 277 0 0 272 0 0:00:01 0:00:01 --:--:-- 272 { "detail": "Unauthorized", "error_message": "Unauthorized", "error_type": "insufficient_scope", "title": "insufficient_scope", "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope", "status": 403 } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call getRegistrySize by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/registrysize/ % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 71 100 71 0 0 70 0 0:00:01 0:00:01 --:--:-- 70 { "size_bytes": 0, "last_ran": null, "running": false, "queued": false } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call getRegistrySize by read-only user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/registrysize/ % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 100 277 0 0 276 0 0:00:01 0:00:01 --:--:-- 276 { "detail": "Unauthorized", "error_message": "Unauthorized", "error_type": "insufficient_scope", "title": "insufficient_scope", "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope", "status": 403 } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call createServiceKey by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" --data '{"expiration":null,"name":"whukeytest","service":"whusvc"}' https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 2346 100 2288 100 58 2125 53 0:00:01 0:00:01 --:--:-- 2180 { "kid": "FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM", "name": "whukeytest", "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAz9ulCNILdZxkKYncugnEFx5KdMRzEfhjS0UIJia48NFfC3+q\nxl+/X2ysyTu+6XE6mXBUlF3/1S92VLmdTpLmKkCK5zSpfXJPRJ/zRlAi/eTwqrMO\nVNTAZGGIVimie2M7bn4EEIip1R97PxOQ26Yyg57v4F7kNZZ+M3wFJReYJ9ywD2Y/\nqePn1xZ/DpOn5TUmmzik6Z8oTIMFtOhTJ/1nukPfqcnwtsb0O8pxhIIkxGqzr6jE\n8BbmjB0ko5KHfqCrwzoR0M6X+cAUA2gveCvUUlXR2czFvjG9X7Gi/R5JCAwwY9qn\neIhj6jwn3gHiFYkl7fwR++ecLwZ0vFFZIDN98QIDAQABAoIBAEue6lzaJgck3Z/r\nIx2f3fJXN9lhe0fHaUCCHePbZJ9gXMbPLK89OF+cJwSTMvK1Gg+muW69AA1sVg2e\n9ecXNJucnaxeEWetRb9+vcAP+ZsLRq+jswwT1ubuQO6v+QgQ4xdgy1PElJ0P9gPN\nt37h6TDPiw/DFh2U4dcTQL/s5JNjY5ULTbiLHF+d5SOrh/zw+y2YioIG+03MrYy2\nL2URFFJ05fDXv+XRcqaCYNJ32tUN39+QOiEBMSQHVeL/CQpyRWQQNo0HqBHmLzya\nvqAiH/fvdLro3WH8kRqKFQEHQZ80J5moK4L6tw+7oNmxZ3JHbdP0xVZ1rlNWlgVo\n+IV8a9ECgYEA9Tgr1QpA3+c5yIG8lmTyUn6hi6B+R4YC17q3BlcaUYzKgj6dSVvC\n6zy3xzinDT6/4heLJNtgxtrmJaTo6ZDbL3ws8vcSoAxIhQyJVlSrPevPXv+wgJ64\nPzCObbtWBXybKE2hFR6S5gYPEfOzWS8KT4StvbPf1ZXbIhY/Y2JCgsUCgYEA2P78\n+MKm1S/BLPCfJ3wxLQHN/tWl1F2qb7GXrOBX1eaY8BkollTZXJVpJb16KqgBzJYK\n3Ep9N3YdIbxfrqQXaOeSfNw5FaQyFteVV0Qy56gfhH0iGNW2bIKSb8AcIjDgzguO\nDD7xRY+KWc/eqlwm27NUm26u2uQPYa4v9aayUT0CgYBWP/KS1S9qUX7uektlro3Y\n3Ddf0Ax6hbU8Qa0casiUBGw6EWHrKn5NlSaiyNdg/kApetRzG0JXzyiB9xYBCPU/\nJ3L75lFDv+5F9dncZp1wgx+GL3LaWnk9qIuAJxMjjOdZ7qwIrJ9IjrsAOnJLnRMI\nUwd1IO5KxpGz1JVpFGeGbQKBgQCpdnE/IFzDzriRDRVt86o/2NHz+wu3jrKk6c9m\n/gj6jkzP7QXqaTca+8AS7idzGqPVDzRKF440evSDPSaIL7PshDS9eArIoONRPWlu\nrl8G1SBQCp1PQc9mbI5J4YDXHs7hetqjK6Cmz1Ofkhv1dWQPXbxsaoL5hPOSOENS\nF63YjQKBgAvrGWDciYX5UoGQNGU+5U5vtf2+u+iXr2TkrY9xwBqUp+nq9giVmk2Z\n6gSapRkE/CYUP2gyFs/GtgLFFXGEWQIc8fIVRx/FaOI4BIEXmO9iarTW7v0GPeHH\nomjw4ZT+VUueVLWV1j6f3KnnvJgOGBhz8auHfzTO39BQRSWFgYti\n-----END RSA PRIVATE KEY-----\n", "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz9ulCNILdZxkKYncugnE\nFx5KdMRzEfhjS0UIJia48NFfC3+qxl+/X2ysyTu+6XE6mXBUlF3/1S92VLmdTpLm\nKkCK5zSpfXJPRJ/zRlAi/eTwqrMOVNTAZGGIVimie2M7bn4EEIip1R97PxOQ26Yy\ng57v4F7kNZZ+M3wFJReYJ9ywD2Y/qePn1xZ/DpOn5TUmmzik6Z8oTIMFtOhTJ/1n\nukPfqcnwtsb0O8pxhIIkxGqzr6jE8BbmjB0ko5KHfqCrwzoR0M6X+cAUA2gveCvU\nUlXR2czFvjG9X7Gi/R5JCAwwY9qneIhj6jwn3gHiFYkl7fwR++ecLwZ0vFFZIDN9\n8QIDAQAB\n-----END PUBLIC KEY-----\n", "service": "whusvc" } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call listServiceKeys by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4872 100 4872 0 0 4839 0 0:00:01 0:00:01 --:--:-- 4842 { "keys": [ { "approval": { "approval_type": "ServiceKeyApprovalType.AUTOMATIC", "approved_date": "Wed, 03 Jul 2024 01:58:01 GMT", "approver": null, "notes": "" }, "created_date": "Wed, 03 Jul 2024 01:58:01 GMT", ......... "n": "z9ulCNILdZxkKYncugnEFx5KdMRzEfhjS0UIJia48NFfC3-qxl-_X2ysyTu-6XE6mXBUlF3_1S92VLmdTpLmKkCK5zSpfXJPRJ_zRlAi_eTwqrMOVNTAZGGIVimie2M7bn4EEIip1R97PxOQ26Yyg57v4F7kNZZ-M3wFJReYJ9ywD2Y_qePn1xZ_DpOn5TUmmzik6Z8oTIMFtOhTJ_1nukPfqcnwtsb0O8pxhIIkxGqzr6jE8BbmjB0ko5KHfqCrwzoR0M6X-cAUA2gveCvUUlXR2czFvjG9X7Gi_R5JCAwwY9qneIhj6jwn3gHiFYkl7fwR--ecLwZ0vFFZIDN98Q" }, "kid": "FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM", "metadata": { "created_by": "Quay Superuser Panel", "creator": "whuquay", "ip": "10.128.2.5" }, "name": "whukeytest", "rotation_duration": null, "service": "whusvc" } ] } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call listServiceKeys by read-only user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 100 277 0 0 221 0 0:00:01 0:00:01 --:--:-- 221 { "detail": "Unauthorized", "error_message": "Unauthorized", "error_type": "insufficient_scope", "title": "insufficient_scope", "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope", "status": 403 } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call approveServiceKey by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" --data '{"notes":"aaaaa"}' https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/approvedkeys/FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 17 0 0 100 17 0 17 0:00:01 --:--:-- 0:00:01 17 =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call getServiceKey by admin super user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys/FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1237 100 1237 0 0 934 0 0:00:01 0:00:01 --:--:-- 933 { "approval": { "approval_type": "ServiceKeyApprovalType.SUPERUSER", "approved_date": "Wed, 03 Jul 2024 08:16:30 GMT", "approver": { "avatar": { "color": "#6b6ecf", "hash": "369072bc5a39f354a0e8e431e15427764f9d02f7ff266b4b9adffbc0128bed65", "kind": "user", "name": "whuquay" }, "email": "quay+test@redhat.com", "enabled": true, "kind": "user", "name": "whuquay", "quota_report": { "backfill_status": "complete", "configured_quota": null, "quota_bytes": 0, "running_backfill": "complete" }, "quotas": [], "super_user": true, "username": "whuquay", "verified": true }, "notes": "" }, "created_date": "Wed, 03 Jul 2024 08:16:30 GMT", "expiration_date": null, "jwk": { "e": "AQAB", "kid": "FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM", "kty": "RSA", "n": "z9ulCNILdZxkKYncugnEFx5KdMRzEfhjS0UIJia48NFfC3-qxl-_X2ysyTu-6XE6mXBUlF3_1S92VLmdTpLmKkCK5zSpfXJPRJ_zRlAi_eTwqrMOVNTAZGGIVimie2M7bn4EEIip1R97PxOQ26Yyg57v4F7kNZZ-M3wFJReYJ9ywD2Y_qePn1xZ_DpOn5TUmmzik6Z8oTIMFtOhTJ_1nukPfqcnwtsb0O8pxhIIkxGqzr6jE8BbmjB0ko5KHfqCrwzoR0M6X-cAUA2gveCvUUlXR2czFvjG9X7Gi_R5JCAwwY9qneIhj6jwn3gHiFYkl7fwR--ecLwZ0vFFZIDN98Q" }, "kid": "FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM", "metadata": { "created_by": "Quay Superuser Panel", "creator": "whuquay", "ip": "10.128.2.5" }, "name": "whukeytest", "rotation_duration": null, "service": "whusvc" } =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= -> super user token : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4 -> normal user token : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH -> -> call getServiceKey by read-only user =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*= ------------------------------ $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys/FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 100 277 0 0 278 0 --:--:-- --:--:-- --:--:-- 278 { "detail": "Unauthorized", "error_message": "Unauthorized", "error_type": "insufficient_scope", "title": "insufficient_scope", "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope", "status": 403 }
Expected results
Global read-only super user call all superuser APIs successfully.
- is cloned by
-
PROJQUAY-7541 [redhat-3.11] Global read-only super user call some superuser APIs failed
- Closed
-
PROJQUAY-7542 [redhat-3.10] Global read-only super user call some superuser APIs failed
- Closed
- links to
-
RHBA-2024:136817 Red Hat Quay v3.12.1 bug fix release
- mentioned on