Bug
Resolution: Done
Blocker
None
quay-v3.16.0
False
False
Description:
This issue was found in Quay 3.16.0. After disabling super user full access, I found that the super user still has access to the pull statistics of a normal user's image tag and manifest. That is not correct: when the config "FEATURE_SUPERUSERS_FULL_ACCESS" is false, the super user should not have cross-namespace permissions. Please review this issue.
Note: the same permission issue also exists in the API "https://quayregistry-quay-quay-enterprise-15526.apps.quaytest-15526.qe.devcluster.openshift.com/api/v1/organization/tom001org1".
Quay config.yaml:
FEATURE_SUPER_USERS: true
FEATURE_SUPERUSERS_FULL_ACCESS: false
SUPER_USERS:
  - quay
  - admin
GLOBAL_READONLY_SUPER_USERS:
  - superglobalro
Quay: 3.16.0
Note: use the OAuth2 token of a regular super user (not a global read-only one):
curl --location 'https://quayregistry-quay-quay-enterprise-15526.apps.quaytest-15526.qe.devcluster.openshift.com/api/v1/repository/tom001org1/demo/tag/v1.0/pull_statistics' \
  --header 'Authorization: Bearer ******' -k | jq
{
  "tag_name": "v1.0",
  "tag_pull_count": 3,
  "last_tag_pull_date": "Fri, 14 Nov 2025 07:18:58 -0000",
  "current_manifest_digest": "sha256:e7b94296b643aa40bde82cec1ca0ba4d9832e6c4a1f5cdfbb7214e8250309b80",
  "manifest_pull_count": 3,
  "last_manifest_pull_date": "Fri, 14 Nov 2025 07:20:49 -0000"
}

curl --location 'https://quayregistry-quay-quay-enterprise-15526.apps.quaytest-15526.qe.devcluster.openshift.com/api/v1/repository/tom001org1/demo/manifest/sha256:e7b94296b643aa40bde82cec1ca0ba4d9832e6c4a1f5cdfbb7214e8250309b80/pull_statistics' \
  --header 'Authorization: Bearer ******' -k | jq
{
  "manifest_digest": "sha256:e7b94296b643aa40bde82cec1ca0ba4d9832e6c4a1f5cdfbb7214e8250309b80",
  "manifest_pull_count": 3,
  "last_manifest_pull_date": "Fri, 14 Nov 2025 07:20:49 -0000"
}
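The script below is an added example, not part of the ticket and not Quay's own code. It turns the two curl calls above (plus the organization endpoint noted in the description) into a repeatable check: given a bearer token and the user it belongs to, it derives the outcome the config should produce and compares it with the HTTP status the registry actually returns, flagging a 200 on a cross-namespace read by a non-full-access super user as the bug. The config values are copied from the ticket; the target hostname and token are supplied on the command line. Two things are assumptions: that users in GLOBAL_READONLY_SUPER_USERS keep read access regardless of FEATURE_SUPERUSERS_FULL_ACCESS, and that the target repository is private and the probing user holds no direct permission on it.

```python
"""Regression check for cross-namespace reads by a Quay super user.

Added example (not from the ticket or the Quay project). TICKET_CONFIG is
copied from the ticket's config.yaml; the expected-outcome rule is derived
from the ticket's statement that a super user without
FEATURE_SUPERUSERS_FULL_ACCESS must not have cross-namespace permissions,
plus the ASSUMPTION that GLOBAL_READONLY_SUPER_USERS retain read access and
that the target repo is private with no direct grant to the probing user.
"""
import argparse
import ssl
import urllib.error
import urllib.request

# Constructed from the ticket's config.yaml (values as posted, not parsed from YAML).
TICKET_CONFIG = {
    "FEATURE_SUPER_USERS": True,
    "FEATURE_SUPERUSERS_FULL_ACCESS": False,
    "SUPER_USERS": ["quay", "admin"],
    "GLOBAL_READONLY_SUPER_USERS": ["superglobalro"],
}

TICKET_DIGEST = "sha256:e7b94296b643aa40bde82cec1ca0ba4d9832e6c4a1f5cdfbb7214e8250309b80"


def cross_namespace_paths(namespace, repo, tag, digest):
    """The three endpoints the ticket says leak to a super user of another namespace."""
    base = f"/api/v1/repository/{namespace}/{repo}"
    return [
        f"{base}/tag/{tag}/pull_statistics",
        f"{base}/manifest/{digest}/pull_statistics",
        f"/api/v1/organization/{namespace}",
    ]


def expected_outcome(user, config):
    """'allowed' or 'denied' for a read of another namespace's data by `user`.

    Global read-only super users are allowed (assumption); ordinary super users
    only when FEATURE_SUPERUSERS_FULL_ACCESS is true; everyone else is denied.
    """
    if not config.get("FEATURE_SUPER_USERS", False):
        return "denied"
    if user in config.get("GLOBAL_READONLY_SUPER_USERS", []):
        return "allowed"
    if user in config.get("SUPER_USERS", []) and config.get("FEATURE_SUPERUSERS_FULL_ACCESS", False):
        return "allowed"
    return "denied"


def classify(expected, status):
    """Compare the observed HTTP status with the expected outcome."""
    if expected == "denied":
        if status == 200:
            return "BUG: cross-namespace read allowed without full access"
        if status in (401, 403):
            return "OK: denied as expected"
    elif expected == "allowed":
        if status == 200:
            return "OK: allowed as expected"
        if status in (401, 403):
            return "BUG: read denied although config grants it"
    return f"UNEXPECTED: HTTP {status}"


def probe(base_url, token, path, verify_tls=True):
    """GET base_url+path with a bearer token; return the HTTP status code (network call)."""
    req = urllib.request.Request(base_url + path, headers={"Authorization": f"Bearer {token}"})
    ctx = None
    if not verify_tls:  # equivalent of curl -k in the ticket's reproduction
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def main():
    ap = argparse.ArgumentParser(description="Check super user cross-namespace access in Quay.")
    ap.add_argument("base_url", help="registry URL, e.g. https://quay.example.com (assumed host)")
    ap.add_argument("token", help="OAuth2 token of the user being tested")
    ap.add_argument("--user", default="admin", help="username the token belongs to")
    ap.add_argument("--namespace", default="tom001org1")
    ap.add_argument("--repo", default="demo")
    ap.add_argument("--tag", default="v1.0")
    ap.add_argument("--digest", default=TICKET_DIGEST)
    ap.add_argument("--insecure", action="store_true", help="skip TLS verification (curl -k)")
    args = ap.parse_args()

    expected = expected_outcome(args.user, TICKET_CONFIG)
    for path in cross_namespace_paths(args.namespace, args.repo, args.tag, args.digest):
        status = probe(args.base_url.rstrip("/"), args.token, path, verify_tls=not args.insecure)
        print(f"{status} {path} -> {classify(expected, status)}")


if __name__ == "__main__":
    main()
```

Run it once with a plain super user token (expected: every line reports "denied as expected" after the fix, "BUG" on 3.16.0 as reported) and once with a token for the global read-only super user to confirm that path still reads. The expectation logic is kept in pure functions so the same check can be dropped into a test suite without a live registry.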