Description:
This issue was found with the Quay global read-only super user when super user full access is disabled: the "global readonly super user" still has access to other normal users' resources, such as organizations and image repositories. When FEATURE_SUPERUSERS_FULL_ACCESS is set to false, the "global readonly super user" should lose cross-namespace access.
Note: The same issue also exists for the regular super user.
Quay Opening PR: https://github.com/quay/quay/pull/4455
Quay Config.yaml:
FEATURE_SUPER_USERS: true
FEATURE_SUPERUSERS_FULL_ACCESS: false
Steps:
- Create a new normal user tom001 with a new org, repo and tags
- Use the OAuth2 token of the regular super user to access the above normal user's resources (e.g. "http://localhost:8080/api/v1/repository/tom001org/tom001repo1"); the expected behavior is a 403 error code
- Use the OAuth2 token of the global readonly super user to access the above normal user's resources (e.g. "http://localhost:8080/api/v1/repository/tom001org/tom001repo1"); the expected behavior is a 403 error code
In the following example, the OAuth2 token of the global readonly super user "readonly" is used to access normal user tom001's image repo, and the request succeeds with a 200 response instead of the expected 403.
curl --location 'http://localhost:8080/api/v1/repository/tom001/demo' \
  --header 'Authorization: Bearer ***'

{
  "namespace": "tom001",
  "name": "demo",
  "kind": "image",
  "description": "",
  "is_public": true,
  "is_organization": false,
  "is_starred": false,
  "status_token": "",
  "trust_enabled": false,
  "tag_expiration_s": 1209600,
  "is_free_account": true,
  "state": "NORMAL",
  "tags": {},
  "can_write": false,
  "can_admin": false
}
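The two token checks in the steps above can be scripted so the result is a clear PASS/FAIL per super user kind rather than a JSON body to eyeball. The script below is an added example and is not part of the original report or of the Quay project. It assumes the Quay URL and repository path from the report as defaults, and reads the two bearer tokens from environment variables QUAY_SUPERUSER_TOKEN and QUAY_READONLY_TOKEN (names chosen for this example, not Quay configuration keys). With FEATURE_SUPERUSERS_FULL_ACCESS set to false, both probes are expected to return 403; a 200 reproduces the issue.

```shell
#!/usr/bin/env bash
# Added example, not from the Quay issue or the Quay project: probe one
# namespace's repository with each super user token and check that the API
# answers 403 when FEATURE_SUPERUSERS_FULL_ACCESS is false.
# Assumptions: QUAY_URL and TARGET_PATH default to the values in the report;
# tokens come from QUAY_SUPERUSER_TOKEN and QUAY_READONLY_TOKEN (variable names
# chosen here, not Quay configuration keys).

QUAY_URL="${QUAY_URL:-http://localhost:8080}"
TARGET_PATH="${TARGET_PATH:-repository/tom001/demo}"

# fetch_status TOKEN PATH: prints only the HTTP status code of a GET against
# $QUAY_URL/api/v1/PATH with the given bearer token (000 if unreachable).
fetch_status() {
  curl -s -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $1" \
    "$QUAY_URL/api/v1/$2"
}

# verdict LABEL EXPECTED ACTUAL: prints one PASS/FAIL line and returns 0 only
# when the observed status matches the expected one.
verdict() {
  if [ "$2" = "$3" ]; then
    printf 'PASS %-32s expected %s, got %s\n' "$1" "$2" "$3"
    return 0
  fi
  printf 'FAIL %-32s expected %s, got %s\n' "$1" "$2" "$3"
  return 1
}

# run_checks: a cross-namespace read by either super user kind must be
# rejected with 403. Kinds without a token are skipped. Returns non-zero if
# any probe that was made did not get 403.
run_checks() {
  rc=0
  for kind in regular_superuser global_readonly_superuser; do
    case "$kind" in
      regular_superuser)         token="${QUAY_SUPERUSER_TOKEN:-}" ;;
      global_readonly_superuser) token="${QUAY_READONLY_TOKEN:-}" ;;
    esac
    if [ -z "$token" ]; then
      printf 'SKIP %-32s no token supplied\n' "$kind"
      continue
    fi
    status="$(fetch_status "$token" "$TARGET_PATH")"
    verdict "$kind -> $TARGET_PATH" 403 "$status" || rc=1
  done
  return "$rc"
}

# Only contact a server when at least one token is provided, so the file can
# be sourced for its functions without making network requests.
if [ -n "${QUAY_SUPERUSER_TOKEN:-}${QUAY_READONLY_TOKEN:-}" ]; then
  run_checks
fi
```

Run it as `QUAY_SUPERUSER_TOKEN=... QUAY_READONLY_TOKEN=... ./check_superuser_access.sh`; a non-zero exit means at least one super user kind could read tom001's repository despite full access being disabled. Because the result is keyed on the status code rather than the response body, the same script also serves as a regression check once the fix is applied.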
Relates to: PROJQUAY-9693 Quay 3.16.0 super user access "/api/v1/superuser" hit 403 error with FEATURE_SUPERUSERS_FULL_ACCESS set to false
Status: Closed