Prevent creating namespaces/orgs on pushes (CREATE_NAMESPACE_ON_PUSH)
if user is restricted.
Also updates RESTRICTED_USERS_WHITELIST to default to all if not set,
given that FEATURE_RESTRICTED_USERS is set.
When authenticating against a registry, if the www-authenticate header
doesn't specify a service, exclude it from the url
Signed-off-by: harishsurf <hgovinda@redhat.com>
- Similar to LDAP_SUPERUSER_FILTER, add a specific filter to define
restricted users, based on the LDAP_USER_FILTER
- restrict writes on restricted users' own namespace. Normal
permissions apply on organization membership
- add global readonly superuser GLOBAL_READONLY_SUPER_USERS (PROJQUAY-2604)
- Removes RESTRICTED_USER_INCLUDE_ROBOTS, FEATURE_RESTRICTED_READ_ONLY_USERS
* api: feature to limit org creation to superusers
Introduces the following configuration flags:
FEATURE_SUPERUSERS_ORG_CREATION_ONLY:
Limit org creation to superusers only
FEATURE_SUPERUSERS_FULL_ACCESS:
Grant superusers read/write access to registry content in all namespaces
FEATURE_RESTRICTED_USERS:
Users considered as restricted are not able to create organizations
RESTRICTED_USERS_WHITELIST:
Whitelist for FEATURE_RESTRICTED_USERS
RESTRICTED_USER_INCLUDE_ROBOTS:
Whether or not to include the user namespace's robots
RESTRICTED_USER_READ_ONLY:
Only allow read-only operations for restricted users
* Revert superuser repositorylist endpoint
* Update peewee types
Also remove tools/sharedimagestorage.py as it doesn't work anymore.
tools/sharedimagestorage.py:3: error: "ModelSelect[ImageStorage]" has no attribute "annotate"
* Remove endpoints/api/test/test_security.py from exclude list
* Format storage/test/test_azure.py
introduces a check of the OrganizationMemberPermission for pulls
against a proxy org.
if the proxy cache feature is disabled, or the org is not a proxy org
the check is not performed and Quay will behave normally.
this check does not mean pulls will work transparently though -
non-admin users need to be added to a team in the proxy org with the
member role, and default read and write permissions need to be given to
that team so that non-admin users can pull and update the cache for
images they do not own (the user who first pulls an image ends up
owning the repository since that is when the repo gets created).
* Quota: Configuring Quota for user panel
* Added Quota Consumed column on Super users panel
* Fixing tests
* Fixing tests
* Adding tests for user quota operations
* Reverting org api changes + new endpoint for super user get method
* Reverting changes
* Added tests
* Fetching user namespace or organization
Currently when Quay is set to automatically create organizations it will check the user table for a matching username with organization set to true. This causes conflicts when a user already exists with the same username, where the check will fail and Quay will attempt to create an organization with the same name as the user. This change checks for only a matching username.
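The conflict this commit message describes, reproduced as an added example (not Quay's code): a constructed SQLite table stands in for the user table, where users and organizations share one unique `username` column. The table layout, the unique constraint and all function names are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: one regular user and one organization."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT UNIQUE NOT NULL,"      # assumed: names are unique across users and orgs
        " organization INTEGER NOT NULL DEFAULT 0)"
    )
    db.execute("INSERT INTO user (username, organization) VALUES ('alice', 0)")
    db.execute("INSERT INTO user (username, organization) VALUES ('acme', 1)")
    return db


def namespace_exists_old(db, name):
    """Check before the change: only rows flagged as organizations count."""
    row = db.execute(
        "SELECT 1 FROM user WHERE username = ? AND organization = 1", (name,)
    ).fetchone()
    return row is not None


def namespace_exists_new(db, name):
    """Check after the change: any row with a matching username counts."""
    row = db.execute("SELECT 1 FROM user WHERE username = ?", (name,)).fetchone()
    return row is not None


def push_to_namespace(db, name, exists_check):
    """Model of a push with automatic organization creation enabled."""
    if exists_check(db, name):
        return "exists"
    try:
        db.execute("INSERT INTO user (username, organization) VALUES (?, 1)", (name,))
        return "created"
    except sqlite3.IntegrityError:
        # The name is already taken by a regular user the check did not see.
        return "conflict"


if __name__ == "__main__":
    for check in (namespace_exists_old, namespace_exists_new):
        for name in ("alice", "acme", "newteam"):
            print(check.__name__, name, push_to_namespace(make_db(), name, check))
```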
* Quota API: Add super user permissions on Organization endpoints (PROJQUAY-3742)
* Removing super user permissions from userquota endpoints
* Adding super user permission checks
* Moving super user scope decorator to class level
* Quota: Show system default on UI when quota configuration for the org is not set (PROJQUAY-3518)
* Fixing formatting
* Added function to reduce redundancy and shortened warning message
* added missing parameter to function call
* Fixed organization quota consumption view
* Fixing formatting
* Checking for None before calling function
* Quota Management: Quota settings on Organization view needs to be read only (PROJQUAY-3622)
* Adding superuser permissions check on put and delete methods
* Reverting changes
* Reverting changes
* Tracking aws ip ranges.json
* Reverting change
* Added default quota limit + added error display div + fixed indentation + minor restructuring of html
* Add check for non-negative or zero quota
* Added Limit percent check. numbers between 1-100 only acceptable
* Show warning note if no quota limit is set
* Show warning if no Reject type limit is selected
* Adding Remove button to delete quota configuration
* If Reject does not exist add default reject quota limit + css
* Throw error if more than one Reject Limit Type
* Throw error on identical limits
* Fixing showing default limits
* Added Organization view settings
* Show Remove btn only if quota exists
* Fixing Remove modal pop up
* Quota Reporting if quota is not set
* Fixing Removing Quota for org
* Fixing super user and org admin permissions
* fix to checking default quota
* Added super user perms check on put, delete endpoints
* Fixing formatting
* Fixing multiple rejects checks + returning empty list instead of None
* Using super user API calls + hiding policy div till quota is set
* Added require_scope and show_if decorators for super user permissions
* fixing configured quota check after return type changed from None to list
* api: update the quota api so that it's more consistent with the other apis (PROJQUAY-2936)
- Update the quota api to be more consistent with the rest of the
endpoints
- Handles some uncaught exceptions, such as division by zero
- Update some of the quota data models used by the api to take object
references instead of names to make it easier to use
- Update table model naming conventions
- swagger operationid multiple nicknames
- Added more test cases for api
- Remove unused functions
- Update the UI for better UX, based on the api changes made
* quota: fix ui input form value
* quota: join quota type query
* Remove unused functions