Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7449

Global read-only super user call some superuser APIs failed

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • quay-v3.12.1
    • quay-v3.12.0
    • quay

      Description of problem:

      After setting a user as global read-only super user,  this user call below superuser APIs failed.

      GET /api/v1/superuser/users/
      GET /api/v1/superuser/logs
      GET /api/v1/superuser/users/{namespace}/quota
      GET /api/v1/superuser/registrysize/
      GET /api/v1/superuser/keys
      GET /api/v1/superuser/keys/{kid}

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.12.0-16
      ------------------------------
      registry.redhat.io/quay/quay-rhel8@sha256:159d866d862b94cb954c1765393f963cd648b79892e8cc7a19a4df42f767c0cd
      ------------------------------
      registry.redhat.io/quay/quay-rhel8@sha256:d0735d2e3bf076ac5d4b0c68bf791c29a214b94ffbcc98f57aa6bb564649f204
      ------------------------------

      How reproducible:

      1. enable GLOBAL_READONLY_SUPER_USERS in quay config.yaml

      SUPER_USERS:
        - whuquay
      GLOBAL_READONLY_SUPER_USERS:
        - whuro 
      BROWSER_API_CALLS_XHR_ONLY: false
      FEATURE_UI_V2: true
      ........

      2. Create a normal user "user1" , a super user "whuquay" and a global read-only super user "whuro"

      3. log in quay by normal user "user1" and create a repository "user1_org/user1_repo"

      4  Call  build APIs by global read-only super user

      Actual results:

      Global read-only super user call some superuser APIs failed

      =========To test super user APIs by super user==========
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call createInstallUser by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG"  --data '{"username": "installuser"}' https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   252  100   225  100    27    166     19  0:00:01  0:00:01 --:--:--   186
      {
        "username": "installuser",
        "email": null,
        "password": "2E5VAAYH57XQQK1PXJMNUTJABQRU896R",
        "encrypted_password": "6Upk90Cwfrm6WwjmDK+ka6RdpVkSH0FFUX1rET/xTmOG7R9+glYr6zQK5Zi7EHfzlb6iW4R3xq5R5hmWRzZzl5w68kUq5bAIs5dlXK2729k="
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call listAllUsers by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  5283  100  5283    0     0   5025      0  0:00:01  0:00:01 --:--:--  5026
      {
        "users": [
          {
            "kind": "user",
            "name": "whuquay",
            "username": "whuquay",
            "email": "quay+test@redhat.com",
            "verified": true,
            "avatar": {
              "name": "whuquay",
              "hash": "369072bc5a39f354a0e8e431e15427764f9d02f7ff266b4b9adffbc0128bed65",
              "color": "#6b6ecf",
              "kind": "user"
            },
            "super_user": true,
            "enabled": true,
            "quotas": [],
            "quota_report": {
              "quota_bytes": 0,
              "configured_quota": null,
              "running_backfill": "complete",
              "backfill_status": "complete"
            }
          },
          
       .........
          {
            "kind": "user",
            "name": "installuser",
            "username": "installuser",
            "email": "05d7ce27-6328-44bc-bb00-19d4d2a3035f",
            "verified": true,
            "avatar": {
              "name": "installuser",
              "hash": "64417d7fe37741aaec44017cb17c8be8f103a240402b671741f0b43b6c1ebc18",
              "color": "#2ca02c",
              "kind": "user"
            },
            "super_user": false,
            "enabled": true,
            "quotas": [],
            "quota_report": {
              "quota_bytes": 0,
              "configured_quota": null,
              "running_backfill": "waiting",
              "backfill_status": "waiting"
            }
          }
        ]
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call listAllUsers by read-only user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    113      0  0:00:02  0:00:02 --:--:--   113
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call listAllLogs by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/logs
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100 13075  100 13075    0     0  12951      0  0:00:01  0:00:01 --:--:-- 12958
      {
        "start_time": "Tue, 02 Jul 2024 08:16:23 -0000",
        "end_time": "Thu, 04 Jul 2024 08:16:23 -0000",
        "logs": [
          {
            "kind": "user_create",
            "metadata": {
              "email": null,
              "username": "installuser",
              "superuser": "whuquay",
              "oauth_token_id": 2,
              "oauth_token_application_id": "2NW37JCUFGGS3PZRNU1G",
              "oauth_token_application": "curl"
            },
            
      ........
                "name": "user1_org",
                "hash": "776804aac1b838e463c049cbbc27d9cbc73329e4cae93f11226fafe87e479888",
                "color": "#9c9ede",
                "kind": "org"
              }
            }
          }
        ],
        "next_page": "gAAAAABmhQjXQwyCu_z8vRzKjYvrfbtxcQI_HBo9IcXFkD3TxzJnbMbsuq2528mtrlMxcvFLIuXl3B82zLFD8sk52y670QFN7_OzFTffCJEJtA-AxufUqYSEPoJ1OmwBD9SpYY7raddWchwqqWX4EVAURzvH2U53ZiPk9-1PRrmvnrW0qLUOzj8KblcsKjt19O1cLfBcZmUkz2oOe3VoAzGkSWGM6uZ94Q=="
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call listAllLogs by read-only user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4" https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/logs
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    276      0  0:00:01  0:00:01 --:--:--   277
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call createOrganizationQuotaSuperUser by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG"  --data '{"limit_bytes": 2147483648}' https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/user3/quota
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   335  100   308  100    27    303     26  0:00:01  0:00:01 --:--:--   330
      {
        "detail": "Quota for 'user3' already exists",
        "error_message": "Quota for 'user3' already exists",
        "error_type": "invalid_request",
        "title": "invalid_request",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/invalid_request",
        "status": 400
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call listOrganizationQuotaSuperUser by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
      ------------------------------
      $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG"   https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/user3/quota
      100   179  100   179    0     0    179      0  0:00:01 --:--:--  0:00:01   179
      [
        {
          "id": 1,
          "limit_bytes": 2147483648,
          "limit": "2.0 GiB",
          "default_config": false,
          "limits": [
            {
              "id": 1,
              "type": "Warning",
              "limit_percent": 70
            }
          ],
          "default_config_exists": false
        }
      ]
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call listOrganizationQuotaSuperUser by read-only  user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4"   https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/users/user3/quota
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    272      0  0:00:01  0:00:01 --:--:--   272
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call getRegistrySize by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG"   https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/registrysize/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100    71  100    71    0     0     70      0  0:00:01  0:00:01 --:--:--    70
      {
        "size_bytes": 0,
        "last_ran": null,
        "running": false,
        "queued": false
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call getRegistrySize by read-only user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4"   https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/registrysize/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    276      0  0:00:01  0:00:01 --:--:--   276
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call createServiceKey by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG"  --data '{"expiration":null,"name":"whukeytest","service":"whusvc"}' https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  2346  100  2288  100    58   2125     53  0:00:01  0:00:01 --:--:--  2180
      {
        "kid": "FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM",
        "name": "whukeytest",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAz9ulCNILdZxkKYncugnEFx5KdMRzEfhjS0UIJia48NFfC3+q\nxl+/X2ysyTu+6XE6mXBUlF3/1S92VLmdTpLmKkCK5zSpfXJPRJ/zRlAi/eTwqrMO\nVNTAZGGIVimie2M7bn4EEIip1R97PxOQ26Yyg57v4F7kNZZ+M3wFJReYJ9ywD2Y/\nqePn1xZ/DpOn5TUmmzik6Z8oTIMFtOhTJ/1nukPfqcnwtsb0O8pxhIIkxGqzr6jE\n8BbmjB0ko5KHfqCrwzoR0M6X+cAUA2gveCvUUlXR2czFvjG9X7Gi/R5JCAwwY9qn\neIhj6jwn3gHiFYkl7fwR++ecLwZ0vFFZIDN98QIDAQABAoIBAEue6lzaJgck3Z/r\nIx2f3fJXN9lhe0fHaUCCHePbZJ9gXMbPLK89OF+cJwSTMvK1Gg+muW69AA1sVg2e\n9ecXNJucnaxeEWetRb9+vcAP+ZsLRq+jswwT1ubuQO6v+QgQ4xdgy1PElJ0P9gPN\nt37h6TDPiw/DFh2U4dcTQL/s5JNjY5ULTbiLHF+d5SOrh/zw+y2YioIG+03MrYy2\nL2URFFJ05fDXv+XRcqaCYNJ32tUN39+QOiEBMSQHVeL/CQpyRWQQNo0HqBHmLzya\nvqAiH/fvdLro3WH8kRqKFQEHQZ80J5moK4L6tw+7oNmxZ3JHbdP0xVZ1rlNWlgVo\n+IV8a9ECgYEA9Tgr1QpA3+c5yIG8lmTyUn6hi6B+R4YC17q3BlcaUYzKgj6dSVvC\n6zy3xzinDT6/4heLJNtgxtrmJaTo6ZDbL3ws8vcSoAxIhQyJVlSrPevPXv+wgJ64\nPzCObbtWBXybKE2hFR6S5gYPEfOzWS8KT4StvbPf1ZXbIhY/Y2JCgsUCgYEA2P78\n+MKm1S/BLPCfJ3wxLQHN/tWl1F2qb7GXrOBX1eaY8BkollTZXJVpJb16KqgBzJYK\n3Ep9N3YdIbxfrqQXaOeSfNw5FaQyFteVV0Qy56gfhH0iGNW2bIKSb8AcIjDgzguO\nDD7xRY+KWc/eqlwm27NUm26u2uQPYa4v9aayUT0CgYBWP/KS1S9qUX7uektlro3Y\n3Ddf0Ax6hbU8Qa0casiUBGw6EWHrKn5NlSaiyNdg/kApetRzG0JXzyiB9xYBCPU/\nJ3L75lFDv+5F9dncZp1wgx+GL3LaWnk9qIuAJxMjjOdZ7qwIrJ9IjrsAOnJLnRMI\nUwd1IO5KxpGz1JVpFGeGbQKBgQCpdnE/IFzDzriRDRVt86o/2NHz+wu3jrKk6c9m\n/gj6jkzP7QXqaTca+8AS7idzGqPVDzRKF440evSDPSaIL7PshDS9eArIoONRPWlu\nrl8G1SBQCp1PQc9mbI5J4YDXHs7hetqjK6Cmz1Ofkhv1dWQPXbxsaoL5hPOSOENS\nF63YjQKBgAvrGWDciYX5UoGQNGU+5U5vtf2+u+iXr2TkrY9xwBqUp+nq9giVmk2Z\n6gSapRkE/CYUP2gyFs/GtgLFFXGEWQIc8fIVRx/FaOI4BIEXmO9iarTW7v0GPeHH\nomjw4ZT+VUueVLWV1j6f3KnnvJgOGBhz8auHfzTO39BQRSWFgYti\n-----END RSA PRIVATE KEY-----\n",
        "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz9ulCNILdZxkKYncugnE\nFx5KdMRzEfhjS0UIJia48NFfC3+qxl+/X2ysyTu+6XE6mXBUlF3/1S92VLmdTpLm\nKkCK5zSpfXJPRJ/zRlAi/eTwqrMOVNTAZGGIVimie2M7bn4EEIip1R97PxOQ26Yy\ng57v4F7kNZZ+M3wFJReYJ9ywD2Y/qePn1xZ/DpOn5TUmmzik6Z8oTIMFtOhTJ/1n\nukPfqcnwtsb0O8pxhIIkxGqzr6jE8BbmjB0ko5KHfqCrwzoR0M6X+cAUA2gveCvU\nUlXR2czFvjG9X7Gi/R5JCAwwY9qneIhj6jwn3gHiFYkl7fwR++ecLwZ0vFFZIDN9\n8QIDAQAB\n-----END PUBLIC KEY-----\n",
        "service": "whusvc"
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call listServiceKeys by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG"   https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  4872  100  4872    0     0   4839      0  0:00:01  0:00:01 --:--:--  4842
      {
        "keys": [
          {
            "approval": {
              "approval_type": "ServiceKeyApprovalType.AUTOMATIC",
              "approved_date": "Wed, 03 Jul 2024 01:58:01 GMT",
              "approver": null,
              "notes": ""
            },
            "created_date": "Wed, 03 Jul 2024 01:58:01 GMT",
      .........
              "n": "z9ulCNILdZxkKYncugnEFx5KdMRzEfhjS0UIJia48NFfC3-qxl-_X2ysyTu-6XE6mXBUlF3_1S92VLmdTpLmKkCK5zSpfXJPRJ_zRlAi_eTwqrMOVNTAZGGIVimie2M7bn4EEIip1R97PxOQ26Yyg57v4F7kNZZ-M3wFJReYJ9ywD2Y_qePn1xZ_DpOn5TUmmzik6Z8oTIMFtOhTJ_1nukPfqcnwtsb0O8pxhIIkxGqzr6jE8BbmjB0ko5KHfqCrwzoR0M6X-cAUA2gveCvUUlXR2czFvjG9X7Gi_R5JCAwwY9qneIhj6jwn3gHiFYkl7fwR--ecLwZ0vFFZIDN98Q"
            },
            "kid": "FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM",
            "metadata": {
              "created_by": "Quay Superuser Panel",
              "creator": "whuquay",
              "ip": "10.128.2.5"
            },
            "name": "whukeytest",
            "rotation_duration": null,
            "service": "whusvc"
          }
        ]
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call listServiceKeys by read-only user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4"   https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    221      0  0:00:01  0:00:01 --:--:--   221
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call approveServiceKey by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG" --data '{"notes":"aaaaa"}'  https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/approvedkeys/FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100    17    0     0  100    17      0     17  0:00:01 --:--:--  0:00:01    17
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call getServiceKey by admin super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG"   https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys/FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  1237  100  1237    0     0    934      0  0:00:01  0:00:01 --:--:--   933
      {
        "approval": {
          "approval_type": "ServiceKeyApprovalType.SUPERUSER",
          "approved_date": "Wed, 03 Jul 2024 08:16:30 GMT",
          "approver": {
            "avatar": {
              "color": "#6b6ecf",
              "hash": "369072bc5a39f354a0e8e431e15427764f9d02f7ff266b4b9adffbc0128bed65",
              "kind": "user",
              "name": "whuquay"
            },
            "email": "quay+test@redhat.com",
            "enabled": true,
            "kind": "user",
            "name": "whuquay",
            "quota_report": {
              "backfill_status": "complete",
              "configured_quota": null,
              "quota_bytes": 0,
              "running_backfill": "complete"
            },
            "quotas": [],
            "super_user": true,
            "username": "whuquay",
            "verified": true
          },
          "notes": ""
        },
        "created_date": "Wed, 03 Jul 2024 08:16:30 GMT",
        "expiration_date": null,
        "jwk": {
          "e": "AQAB",
          "kid": "FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM",
          "kty": "RSA",
          "n": "z9ulCNILdZxkKYncugnEFx5KdMRzEfhjS0UIJia48NFfC3-qxl-_X2ysyTu-6XE6mXBUlF3_1S92VLmdTpLmKkCK5zSpfXJPRJ_zRlAi_eTwqrMOVNTAZGGIVimie2M7bn4EEIip1R97PxOQ26Yyg57v4F7kNZZ-M3wFJReYJ9ywD2Y_qePn1xZ_DpOn5TUmmzik6Z8oTIMFtOhTJ_1nukPfqcnwtsb0O8pxhIIkxGqzr6jE8BbmjB0ko5KHfqCrwzoR0M6X-cAUA2gveCvUUlXR2czFvjG9X7Gi_R5JCAwwY9qneIhj6jwn3gHiFYkl7fwR--ecLwZ0vFFZIDN98Q"
        },
        "kid": "FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM",
        "metadata": {
          "created_by": "Quay Superuser Panel",
          "creator": "whuquay",
          "ip": "10.128.2.5"
        },
        "name": "whukeytest",
        "rotation_duration": null,
        "service": "whusvc"
      }
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token    : JSRudyKOLEHBM6fk0C5nwOAMoY9l1Kx25qBocyfG
      -> readonly user token : 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4
      -> normal user token   : Nn1PqRVBa6qodykQQfuDPqS0RuMWwllJbdV5l0AH
      ->
      -> call getServiceKey by read-only user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      ------------------------------
      $ curl -k -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer 2cPDNXw7OkWccP1pfzyNBW44zxrM2UtPnAqDHTw4"   https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/superuser/keys/FLI_yzut8ywCkyVn7uqH9vCcNmkKVEkEiKyd_klLwMM
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    278      0 --:--:-- --:--:-- --:--:--   278
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu414az49.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      } 

      Expected results

      Global read-only super user call all superuser APIs successfully.

       

              bcaton@redhat.com Brandon Caton
              rhwhu Weihua Hu
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: