Project Quay issue PROJQUAY-9804

Quay 3.16.0 global readonly super user can't access the quota limit of normal user's organization when FEATURE_SUPERUSERS_FULL_ACCESS is false


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Version: quay-v3.16.0
    • Component: quay

      Description:

      This issue was found in Quay 3.16.0. When the Quay config option "FEATURE_SUPERUSERS_FULL_ACCESS" is set to false, neither a regular super user nor a global readonly super user can access the quota limits of a normal user's organization. In this condition, a regular super user should not be able to access the quota limits of a normal user's organization, which is correct, but a global readonly super user should be able to access them. Please review this issue.

      Quay API Endpoints:

      1. /api/v1/organization/<orgname>/quota/<quota_id>/limit
      2. /api/v1/organization/<orgname>/quota/<quota_id>/limit/<limit_id>

      Quay Config.yaml:

      FEATURE_SUPERUSERS_FULL_ACCESS: false
      SUPER_USERS:
        - quay
        - admin
      GLOBAL_READONLY_SUPER_USERS:
        - superglobalro 

      Quay: 3.16.0

      quay.io/redhat-user-workloads/quay-eng-tenant/stable-3-16-v4-20@sha256:4f68c641d2f34d665fc5696d33b702cf07be6a0cf8929fbcb33acd8973dda556

      Quay global readonly super user can't access the quota limit of the organization of normal user "tom001"; that's not correct

      curl --location 'http://localhost:8080/api/v1/organization/tom001org/quota/1/limit' \
      --header 'Authorization: Bearer *******' | jq
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "http://localhost/api/v1/error/insufficient_scope",
        "status": 403
      }

      Quay regular super user can't access the quota limit of the organization of normal user "tom001"; that's correct

      curl --location 'http://localhost:8080/api/v1/organization/tom001org/quota/1/limit' \
      --header 'Authorization: Bearer ******' | jq
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "http://localhost/api/v1/error/insufficient_scope",
        "status": 403
      }

      Quay normal user tom001 can access the quota limit of its own organization

      curl --location 'http://localhost:8080/api/v1/organization/tom001org/quota/1/limit' \
      --header 'Authorization: Bearer ******' | jq
      [
        {
          "id": 1,
          "type": "Warning",
          "limit_percent": 80
        },
        {
          "id": 2,
          "type": "Reject",
          "limit_percent": 98
        }
      ] 
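The access matrix the description asks for, written out as an added model so the three observed responses above can be checked against it. This is example code written for this page, not Quay's permission code: the membership check, the sample member list for tom001org, the choice of "quay" as the regular super user behind the second curl call, and the behaviour when FEATURE_SUPERUSERS_FULL_ACCESS is true are assumptions; the config values and the observed statuses come from the report.

```python
# Added example (not Quay's own code): a small model of the read-access decision
# for GET /api/v1/organization/<orgname>/quota/<quota_id>/limit, encoding the
# access matrix the report describes. The membership check, the sample member
# list and the FEATURE_SUPERUSERS_FULL_ACCESS=true branch are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class QuayConfig:
    feature_superusers_full_access: bool
    super_users: FrozenSet[str]
    global_readonly_super_users: FrozenSet[str]


# Values taken from the report's config.yaml
REPORT_CONFIG = QuayConfig(
    feature_superusers_full_access=False,
    super_users=frozenset({"quay", "admin"}),
    global_readonly_super_users=frozenset({"superglobalro"}),
)

# Constructed sample membership: tom001 belongs to tom001org (assumed from the report)
ORG_MEMBERS: Dict[str, FrozenSet[str]] = {"tom001org": frozenset({"tom001"})}


def can_read_quota_limits(config: QuayConfig, caller: str, orgname: str,
                          org_members: Dict[str, FrozenSet[str]] = ORG_MEMBERS) -> bool:
    """Expected decision for a read of an organization's quota limits.

    Order matters: the global readonly super user is granted before the
    regular-super-user branch, so FEATURE_SUPERUSERS_FULL_ACCESS=false does
    not lock it out. That ordering is the behaviour the report asks for.
    """
    if caller in org_members.get(orgname, frozenset()):
        return True  # members read their own organization's limits
    if caller in config.global_readonly_super_users:
        return True  # read-only global super user may read any organization, flag or not
    if caller in config.super_users:
        # Regular super user: only when full access is enabled (assumed intent of the flag)
        return config.feature_superusers_full_access
    return False


def expected_status(config: QuayConfig, caller: str, orgname: str) -> int:
    """HTTP status the endpoint should return for this caller: 200 or 403."""
    return 200 if can_read_quota_limits(config, caller, orgname) else 403


def find_mismatches(config: QuayConfig, orgname: str, observed: Dict[str, int]) -> List[str]:
    """Callers whose observed status differs from the expected one.

    `observed` maps caller -> HTTP status actually returned by the endpoint.
    """
    return sorted(caller for caller, status in observed.items()
                  if status != expected_status(config, caller, orgname))


# Statuses read from the three curl responses in the report; "quay" is assumed to be
# the regular super user behind the second call
OBSERVED_IN_REPORT = {"tom001": 200, "quay": 403, "superglobalro": 403}

if __name__ == "__main__":
    for caller in ("tom001", "quay", "superglobalro"):
        print(caller, "expected", expected_status(REPORT_CONFIG, caller, "tom001org"),
              "observed", OBSERVED_IN_REPORT[caller])
    print("mismatches:", find_mismatches(REPORT_CONFIG, "tom001org", OBSERVED_IN_REPORT))
```

Run against the report's observed statuses, `find_mismatches` returns only `superglobalro`, which is exactly the caller the description identifies as wrongly denied; the same function can be re-run against a fixed build as a regression check for these two endpoints.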

              People: Dave O'Connor (doconnor@redhat.com), luffy zhang (lzha1981)