- Bug
- Resolution: Unresolved
- Blocker
- None
- quay-v3.16.0
Description:
This issue was found in Quay 3.16.0. When the Quay config option "FEATURE_SUPERUSERS_FULL_ACCESS" is set to false, neither the regular super user nor the global readonly super user can access the logs of a normal user's organization. In this condition, the regular super user should not be able to access the logs of a normal user's organization, which is correct, but the global readonly super user should be able to access the logs of a normal user's organization. Please review this issue.
Quay Config.yaml:
FEATURE_SUPERUSERS_FULL_ACCESS: false
SUPER_USERS:
- quay
- admin
GLOBAL_READONLY_SUPER_USERS:
- superglobalro
Quay: 3.16.0
The Quay global readonly super user can't access the logs of the organization of normal user "tom001"; that's not correct.
curl --location 'https://quayregistry-quay-quay-enterprise-15527.apps.quaytest-15527.qe.devcluster.openshift.com/api/v1/organization/quayqe/logs' \
  --header 'Authorization: Bearer ******' -k | jq
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise-15527.apps.quaytest-15527.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
The Quay regular super user can't access the logs of the organization of normal user "tom001"; that's correct.
curl --location 'https://quayregistry-quay-quay-enterprise-15527.apps.quaytest-15527.qe.devcluster.openshift.com/api/v1/organization/quayqe/logs' \
  --header 'Authorization: Bearer ******' -k | jq
{
  "detail": "Unauthorized",
  "error_message": "Unauthorized",
  "error_type": "insufficient_scope",
  "title": "insufficient_scope",
  "type": "https://quayregistry-quay-quay-enterprise-15527.apps.quaytest-15527.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
  "status": 403
}
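
The expectation stated in this report can be kept as a regression check that compares the status each role should get with the status the API returns. The Python below is an added example, not part of the original report or of Quay's code; `expected_status`, `audit`, `replay_report` and the token placeholders are hypothetical names, and the outcomes for the flag set to true and for accounts with no role are assumptions.

```python
import json
import urllib.error
import urllib.request

# Flag and role lists copied from the report's config.yaml.
CONFIG = {
    "FEATURE_SUPERUSERS_FULL_ACCESS": False,
    "SUPER_USERS": ["quay", "admin"],
    "GLOBAL_READONLY_SUPER_USERS": ["superglobalro"],
}

def expected_status(user, config):
    """Status the report expects for another user's organization logs."""
    if user in config.get("GLOBAL_READONLY_SUPER_USERS", []):
        return 200  # the report: read-only global superuser should see the logs
    if user in config.get("SUPER_USERS", []):
        # Report covers only the flag being false (403). Assumption: true -> 200.
        return 200 if config.get("FEATURE_SUPERUSERS_FULL_ACCESS") else 403
    return 403  # assumption: an account with no role in the organization

def fetch_org_logs(base_url, org, token):
    """GET <base_url>/api/v1/organization/<org>/logs with TLS verification on."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/organization/{org}/logs",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)  # error body is JSON, as in the report

def audit(config, tokens, org, fetch):
    """Return (user, expected, got, error_type) for every unexpected status."""
    findings = []
    for user, token in sorted(tokens.items()):
        status, body = fetch(org, token)
        want = expected_status(user, config)
        if status != want:
            findings.append((user, want, status, body.get("error_type")))
    return findings

def replay_report(org, token):
    """Constructed stand-in for the live call: the 403 body both curl runs show."""
    return 403, {"error_type": "insufficient_scope", "status": 403}

# Hypothetical token placeholders; the report does not say which superuser it used.
TOKENS = {"superglobalro": "<readonly-superuser-token>", "quay": "<superuser-token>"}
FINDINGS = audit(CONFIG, TOKENS, "quayqe", replay_report)
```

Against a live registry, pass `lambda org, tok: fetch_org_logs(base_url, org, tok)` as `fetch` in place of `replay_report`; an empty result means every role got the status the report expects.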