Bridge operator (nor Quay) doesn't apply default org permissions to repositories that it creates #109

@domq

It seems that Quay won't apply so-called “default” permissions to repositories created by a robot account; and quay-bridge-operator doesn't directly manipulate permissions either. Therefore, we appear to be left with a gap, whereby the only way to push and pull images to and from Quay is to manipulate permissions through the Quay UI, largely defeating the purpose of quay-bridge-operator.

Using Red Hat Quay Bridge Operator version 3.9 against OpenShift 4.13.12.

What I am trying to do vs. what happens:

  1. oc create namespace test-quay-bridge-1
    • Expected: quay-bridge-operator should (tell Quay to) create an Organization with three Robot Accounts fitted with suitable Permission Prototypes
    • Actual: ✓ (see: ¹)
  2. oc apply -f an-imagestream-in-that-namespace.yaml
    • Expected: quay-bridge-operator should (tell Quay to) create a Repository with suitable permissions for the above Robot Accounts
    • Actual: the Repository gets created indeed², but none of the aforementioned robot accounts have any rights to it³.

Now, I understand that there are workarounds that involve a number of clicks in the Quay UI by at least two different people; however, there used to be no need for that in OpenShift's internal registry (at least in version 3 that I have used).

Footnotes

¹ In Quay's Flask shell:

from data.database import (User, PermissionPrototype)

# Users and robot accounts whose names start with the organization's name
[dict(username=u.username, robot=u.robot, organization=u.organization)
 for u in User.select()
 if u.username.startswith("fsd_test-quay-bridge-1")]

# Default permission prototypes defined on the organization
[dict(who=p.delegate_user.username, what=p.role.name)
 for p in PermissionPrototype.select().join(User, on=PermissionPrototype.org)
                             .where(User.username == "fsd_test-quay-bridge-1")]

²

from data.database import Repository
Repository.select().where(Repository.name == "test-imagestream").first()

³

from data import model

# Permissions held by each of the three robot accounts
[p for robot in ("fsd_test-quay-bridge-1+deployer", "fsd_test-quay-bridge-1+builder",
                 "fsd_test-quay-bridge-1+default")
 for p in model.permission.list_robot_permissions(robot)]
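
The comparison the footnotes make by hand (prototypes defined on the organization versus permissions actually present on the repository), written as an added example that is not part of the original issue and is not Quay or quay-bridge-operator code. It runs on constructed records; the roles, the creator name `example+bridge` and the `activating_user` values are assumptions.

```python
ROLE_RANK = {"read": 1, "write": 2, "admin": 3}  # Quay repository roles, weakest first

ORG = "fsd_test-quay-bridge-1"
CREATOR = "example+bridge"  # hypothetical robot that created the repository
# Constructed records shaped like the dict(who=..., what=...) output of footnote 1;
# the roles and the activating_user values are assumptions.
PROTOTYPES = [
    {"org": ORG, "who": ORG + "+builder", "what": "write", "activating_user": None},
    {"org": ORG, "who": ORG + "+deployer", "what": "read", "activating_user": None},
    {"org": ORG, "who": ORG + "+default", "what": "read", "activating_user": None},
    {"org": ORG, "who": ORG + "+default", "what": "admin", "activating_user": "alice"},
]
# Constructed: builder was granted only "read" by hand, the other robots nothing.
PERMISSIONS = [
    {"org": ORG, "repo": "test-imagestream", "who": ORG + "+builder", "what": "read"},
]


def expected_grants(prototypes, org, creator):
    """Roles each delegate should hold on a new repo in `org` created by `creator`."""
    expected = {}
    for p in prototypes:
        if p["org"] != org:
            continue
        # A prototype with no activating user applies whoever creates the repo.
        if p.get("activating_user") not in (None, creator):
            continue
        who, role = p["who"], p["what"]
        # Keep the strongest role when several prototypes name the same delegate.
        if ROLE_RANK[role] > ROLE_RANK.get(expected.get(who), 0):
            expected[who] = role
    return expected


def missing_grants(prototypes, permissions, org, repo, creator):
    """Return {delegate: (expected_role, actual_role_or_None)} for every shortfall."""
    actual = {p["who"]: p["what"] for p in permissions
              if p["org"] == org and p["repo"] == repo}
    gaps = {}
    for who, role in expected_grants(prototypes, org, creator).items():
        have = actual.get(who)
        if ROLE_RANK.get(have, 0) < ROLE_RANK[role]:
            gaps[who] = (role, have)
    return gaps


if __name__ == "__main__":
    for who, (want, have) in missing_grants(
            PROTOTYPES, PERMISSIONS, ORG, "test-imagestream", CREATOR).items():
        print(f"{who}: expected {want}, has {have}")
```

An empty result means every applicable prototype is reflected on the repository; any entry is a grant that had to be added by hand.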
