  1. Project Quay
  2. PROJQUAY-8208

Quay returns 501 on repo/org creation when auth type is OIDC and restricted users are set


    • Bug
    • Resolution: Unresolved
    • Major
    • quay-v3.12.0
    • quay
    • Quay Enterprise

      When AUTHENTICATION_TYPE: OIDC is set in Quay's config.yaml file and FEATURE_RESTRICTED_USERS: true, creation of content inside organizations fails for everyone with a 501 Not Implemented error raised:

      gunicorn-web stdout | 2024-11-08 21:03:07,658 [262] [ERROR] [endpoints.decorated]
      gunicorn-web stdout | Traceback (most recent call last):
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/app.py", line 1484, in full_dispatch_request
      gunicorn-web stdout |     rv = self.dispatch_request()
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/app.py", line 1469, in dispatch_request
      gunicorn-web stdout |     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
      gunicorn-web stdout |   File "/quay-registry/endpoints/decorators.py", line 285, in wrapper
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/auth/decorators.py", line 68, in wrapper
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/util/request.py", line 64, in wrapper
      gunicorn-web stdout |     return decorator(func)(*args, **kwargs)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask_restful/utils/cors.py", line 35, in wrapped_function
      gunicorn-web stdout |     resp = make_response(f(*args, **kwargs))
      gunicorn-web stdout |   File "/quay-registry/endpoints/csrf.py", line 71, in wrapper
      gunicorn-web stdout |     resp = func(*args, **kwargs)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 489, in wrapper
      gunicorn-web stdout |     resp = resource(*args, **kwargs)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask/views.py", line 109, in view
      gunicorn-web stdout |     return current_app.ensure_sync(self.dispatch_request)(**kwargs)
      gunicorn-web stdout |   File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
      gunicorn-web stdout |     resp = meth(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/decorators.py", line 189, in wrapper
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/decorators.py", line 164, in wrapper
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/api/__init__.py", line 555, in wrapped
      gunicorn-web stdout |     return func(*args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/api/__init__.py", line 589, in wrapped
      gunicorn-web stdout |     return func(self, *args, **kwargs)
      gunicorn-web stdout |   File "/quay-registry/endpoints/api/repository.py", line 145, in post
      gunicorn-web stdout |     and usermanager.is_restricted_user(owner.username)
      gunicorn-web stdout |   File "/quay-registry/data/users/__init__.py", line 406, in is_restricted_user
      gunicorn-web stdout |     return self.state.is_restricted_user(username)
      gunicorn-web stdout |   File "/quay-registry/data/users/__init__.py", line 441, in is_restricted_user
      gunicorn-web stdout |     return self.federated_users.is_restricted_user(username)
      gunicorn-web stdout |   File "/quay-registry/data/users/__init__.py", line 376, in is_restricted_user
      gunicorn-web stdout |     return self.state.is_restricted_user(username)
      gunicorn-web stdout |   File "/quay-registry/data/users/federated.py", line 144, in is_restricted_user
      gunicorn-web stdout |     raise NotImplementedError()
      gunicorn-web stdout | NotImplementedError
      gunicorn-web stdout | 2024-11-08 21:03:07,660 [262] [DEBUG] [app] Ending request: urn:request:a8e3f3b4-c87a-4fd0-905a-0d5027cdc094 (/api/v1/repository) {'endpoint': 'api.repositorylist', 'request_id': 'urn:request:a8e3f3b4-c87a-4fd0-905a-0d5027cdc094', 'remote_addr': '172.24.0.1', 'http_method': 'POST', 'original_url': 'https://quay.skynet/api/v1/repository', 'path': '/api/v1/repository', 'parameters': {}, 'json_body': {'namespace': 'ibazulic', 'repository': 'test', 'visibility': 'public', 'description': '', 'repo_kind': 'image'}, 'confsha': 'f64440fe', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36'}
      gunicorn-web stdout | 2024-11-08 21:03:07,661 [262] [DEBUG] [data.database] Disconnecting from database.
      gunicorn-web stdout | 2024-11-08 21:03:07,661 [262] [INFO] [gunicorn.access] 172.24.0.1 - - [08/Nov/2024:21:03:07 +0000] "POST /api/v1/repository HTTP/1.0" 501 20 "https://quay.skynet/organization/ibazulic" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
      

      This seems to stem from the fact that the function is_restricted_user is not implemented for OIDC federation, so a 501 is returned.

              rhn-support-ibazulic Ivan Bazulic
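A log-triage example for the symptom reported above, added here and not part of the original report or of Quay's code: it pairs each 501 access-log entry with the traceback the same gunicorn worker logged just before it, so the failing frame can be read off directly. The function name correlate_501 is hypothetical, and the example assumes that untimestamped continuation lines belong to the worker of the most recent timestamped line.

```python
import re

# Line shapes follow the gunicorn-web excerpt in this report.
HEADER = re.compile(r"gunicorn-web stdout \| \S+ \S+ \[(\d+)\] \[(\w+)\] \[([\w.]+)\] ?(.*)")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')
ACCESS = re.compile(r'"(\w+) (\S+) HTTP/[\d.]+" (\d{3}) ')
EXC = re.compile(r"[A-Za-z_][\w.]*(?:Error|Exception)(?:: .*)?")

def correlate_501(lines):
    """Pair each 501 access-log entry with the traceback its worker logged before it."""
    pending = {}   # worker pid -> innermost frame and exception of its last traceback
    pid = None     # worker that emitted the most recent timestamped line (assumption)
    findings = []
    for line in lines:
        head = HEADER.search(line)
        if head:
            pid, level, logger, msg = head.groups()
            if level == "ERROR":
                pending[pid] = {"frame": None, "exception": None}
            elif logger == "gunicorn.access":
                hit = ACCESS.search(msg)
                tb = pending.pop(pid, None)  # a completed request clears the worker's state
                if hit and hit.group(3) == "501" and tb:
                    findings.append({"method": hit.group(1), "path": hit.group(2), **tb})
            continue
        # Traceback body lines carry no timestamp or pid of their own.
        if pid in pending:
            body = line.split("|", 1)[-1].strip()
            frame = FRAME.search(body)
            if frame:  # later frames overwrite earlier ones, leaving the innermost
                pending[pid]["frame"] = (frame.group(1), int(frame.group(2)), frame.group(3))
            elif EXC.fullmatch(body):
                pending[pid]["exception"] = body
    return findings

# Sample input: lines abridged from the report, plus one constructed 200 request (worker 263).
SAMPLE = """\
gunicorn-web stdout | 2024-11-08 21:03:07,650 [263] [INFO] [gunicorn.access] 172.24.0.1 - - [08/Nov/2024:21:03:07 +0000] "GET /api/v1/user/ HTTP/1.0" 200 512 "-" "constructed"
gunicorn-web stdout | 2024-11-08 21:03:07,658 [262] [ERROR] [endpoints.decorated]
gunicorn-web stdout | Traceback (most recent call last):
gunicorn-web stdout |   File "/quay-registry/endpoints/api/repository.py", line 145, in post
gunicorn-web stdout |     and usermanager.is_restricted_user(owner.username)
gunicorn-web stdout |   File "/quay-registry/data/users/federated.py", line 144, in is_restricted_user
gunicorn-web stdout |     raise NotImplementedError()
gunicorn-web stdout | NotImplementedError
gunicorn-web stdout | 2024-11-08 21:03:07,661 [262] [INFO] [gunicorn.access] 172.24.0.1 - - [08/Nov/2024:21:03:07 +0000] "POST /api/v1/repository HTTP/1.0" 501 20 "https://quay.skynet/organization/ibazulic" "Mozilla/5.0"
""".splitlines()

print(correlate_501(SAMPLE))
```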