How to delete a user in Quay from the command line?

Solution Verified - Updated

Environment

  • Red Hat Quay
    • 3.8

Issue

  • After logging in to the Super User Admin Panel in the Quay UI and clicking the Users tab, no users are listed. The following message is displayed:
    Note: Red Hat Quay is configured to use external authentication, so users can only be created in that system.
  • How to delete a user in Quay?

Resolution

  • Use the API call below to delete the affected user record. This requires an OAuth application, created under any organization that one is an admin of: click the organization name, choose "Applications" on the left side, and then click the "Create app" button. Once the app is created, click the app name and then click "Generate token" on the left side (all settings on the first page can be ignored). When the list of scopes is shown, select the superuser and user scopes to be able to delete users.

Note:

  1. The superuser scope is shown for people who are designated as superusers (those who can see the superuser control panel). Confirm the settings and Quay will print out the bearer token.

  2. Upon deleting the user, any repositories that this user had in their private account will become unavailable.

        $ curl -X DELETE -H "Authorization: Bearer <insert token here>" https://QUAY_HOSTNAME/api/v1/superuser/users/NAME_OF_USER
    
        Example:
        $ curl -vvv -X DELETE -H "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" https://registry.example.com/api/v1/superuser/users/<username>
        *   Trying 10.25.x.x...
        * TCP_NODELAY set
        * Connected to registry.example.com (10.25.x.x) port 443 (#0)
        * ALPN, offering h2
        * ALPN, offering http/1.1
        * successfully set certificate verify locations:
        *   CAfile: /etc/ssl/cert.pem
        CApath: none
        * TLSv1.2 (OUT), TLS handshake, Client hello (1):
        * TLSv1.2 (IN), TLS handshake, Server hello (2):
        * TLSv1.2 (IN), TLS handshake, Certificate (11):
        * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
        * TLSv1.2 (IN), TLS handshake, Server finished (14):
        * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
        * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
        * TLSv1.2 (OUT), TLS handshake, Finished (20):
        * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
        * TLSv1.2 (IN), TLS handshake, Finished (20):
        * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
        * ALPN, server accepted to use h2
        * Server certificate:
        *  subject: C=US; O=Cigna Test; OU=SSL; CN=registry.example.com
        *  start date: Dec  3 13:51:46 2022 GMT
        *  expire date: Mar  3 13:51:46 2023 GMT
        *  subjectAltName: host "registry.example.com" matched cert's "registry.example.com"
        *  issuer: DC=com; DC=silver; CN=SomeCA
        *  SSL certificate verify ok.
        * Using HTTP2, server supports multi-use
        * Connection state changed (HTTP/2 confirmed)
        * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
        * Using Stream ID: 1 (easy handle 0x7fa2d180d600)
        > DELETE /api/v1/superuser/users/<username> HTTP/2
        > Host: registry.example.com
        > User-Agent: curl/7.64.1
        > Accept: */*
        > Authorization: Bearer CIbrA6SjIPk1Oxxxxxxxxxxxxxxx
        > 
        * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
        < HTTP/2 204 
        < server: nginx/1.20.1
        < date: Mon, 23 Jan 2023 20:07:30 GMT
        < access-control-allow-origin: *
        < access-control-allow-methods: HEAD, OPTIONS, PUT, DELETE, GET
        < access-control-max-age: 21600
        < access-control-allow-headers: AUTHORIZATION, CONTENT-TYPE, X-REQUESTED-WITH
        < x-frame-options: DENY
        < strict-transport-security: max-age=63072000; preload
        < 
        * Connection #0 to host registry.example.com left intact
        * Closing connection 0
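
An added example, not part of the original solution or of Red Hat's tooling: a wrapper for the DELETE call above that passes the bearer token to curl on stdin rather than on the command line, and treats only the 204 response shown in the example output as success. The `QUAY_TOKEN` variable, the function names and the username allow-list are assumptions.

```shell
#!/bin/sh
# Added example. Assumes the bearer token is already in QUAY_TOKEN, for
# instance loaded from a file that only the operator can read.

# Accept only lowercase letters, digits, '.', '_' and '-' (assumed allow-list),
# so the value cannot add path segments or a query string to the API URL.
valid_username() {
    case "$1" in
        ''|.*|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Send the DELETE request and print only the HTTP status code.
# The Authorization header goes to curl through --config on stdin, so the
# token does not show up in the process list or in shell history.
quay_delete_request() {
    host=$1 user=$2
    printf 'header = "Authorization: Bearer %s"\n' "$QUAY_TOKEN" |
        curl --config - --silent --show-error --output /dev/null \
             --write-out '%{http_code}' --request DELETE \
             "https://${host}/api/v1/superuser/users/${user}"
}

# Delete one user; return 0 only when the server answers 204.
quay_delete_user() {
    host=$1 user=$2
    [ -n "${QUAY_TOKEN:-}" ] || { echo "QUAY_TOKEN is not set" >&2; return 2; }
    valid_username "$user" || { echo "refusing username: $user" >&2; return 2; }
    status=$(quay_delete_request "$host" "$user") || status=000
    case "$status" in
        204) echo "deleted $user"; return 0 ;;
        # Generic HTTP meaning of 401/403, not a Quay-specific message.
        401|403) echo "HTTP $status: token rejected or scope missing" >&2
                 return 1 ;;
        *) echo "HTTP $status: $user was not deleted" >&2; return 1 ;;
    esac
}

# Stand-alone use: ./quay-delete-user.sh QUAY_HOSTNAME NAME_OF_USER
if [ "$#" -eq 2 ]; then
    quay_delete_user "$1" "$2"
fi
```
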
    

Root Cause

  • Due to a quota bug, the web UI times out when loading users. At such times, the users cannot be accessed to perform any operations on them.
  • With LDAP authentication, the user ID has changed but the email address is the same. Quay does not allow creating a new user with the old email address.

Diagnostic Steps

  • In the Quay database, check whether the user (say username3) is present or deleted using the command below:

        sh-4.4$  echo "SELECT username, password_hash FROM public.user" | psql -U quay-user -h 10.129.x.x quay-database
        Password for user quay-user: 
        xxxxxxxxxxx

         username     |                      password_hash                         
        --------------+-----------------------------------------------------------------------------
        username1     |        $2b$12$vsNkaanz.ds7XsH9sENRD.KQmolGgIeYCSIbl4QgdbO93c6QC6
        username2     |        $2b$12$vsHTrrdscbnlppkhhBT543GjJJHHxapoiugjF$8jj&gdbKkR32EWq
        (2 rows)

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.