Hello, my name is Benjamin Schmouse and I'm a Field Product Manager with Red Hat. Today, I want to talk about the Super User Full Access feature coming in Quay 3.8.

In Quay 3.8, we are introducing the Super User Full Access feature. This configuration field grants Super Users the ability to read, write, and delete content from other repositories and namespaces that they do not own or have explicit permissions for.

A couple of items to note about this feature in 3.8. This feature is only available in the beta UI. When enabled, it shows the organizations that the Super User has access to. To enable the beta UI, see the feature flag Feature UI Version 2 in the documentation. When the field is enabled, the Super User cannot view the image repository of every organization at once. This is actually a known limitation and will be fixed in future versions of Red Hat Quay. As a temporary workaround, the Super User can view image repositories by navigating to them from the organization page.

So how do we enable this feature and how can we explore it? Let me go ahead and demonstrate that for you now.

The next thing that we have to do is in our config.yaml, we have to add a couple of components or flags. First is the Super Users field. That is a field that's been around before 3.8, and that's normally where you define your Super Users. In my example on the screen, we have Super Users defined as Quay Admin. The next thing that we have to do is introduce a feature flag called Feature Super Users Full Access. And go ahead and set that to True. As I mentioned before, in order to actually see the organizations, we're going to have to use the new UI. So in our config.yaml, we'll also have to configure Feature UI Version 2 and set that to True as well. Once we've done that, we can go ahead and either deploy our Quay deployment, or go ahead and save the config file and redeploy our existing deployment.

Now let's go ahead and log into Quay as a regular user. I'm going to go ahead and turn the new UI on by selecting the new UI button here. What I'm really going to focus on in this example is the OpenShift organization, because the OpenShift organization is owned specifically by the user OpenShift, which is what I'm logged in as right now. You can see I don't have any repos in there yet, so let's go ahead and put some repository information in there.

So the first thing that I'm going to need to do is I'm going to need to log into my Quay registry from the command line. Once I'm logged in, let's go ahead and pull an image down that we can use, in this case Busybox. And I've gone ahead and pulled that image down to my workstation where I'm actually running these commands. And now I'm going to go ahead and I'm going to set the tag for Busybox so that I can push it up to my Quay registry. With the tag set, I'll go ahead and then push it up to my Quay registry. And once it's pushed up to my Quay registry, I'm going to go ahead and log out from the command line here.

Now let's go back to the UI, and if we go ahead and just refresh this page, we can now see under OpenShift there is one repo. If we click into there, we can see it as our Busybox repo. And if we click into that, we can see it as the one that was tagged with test. So at this point, this repository is, again, specifically owned by OpenShift.

What I'm going to do now is I'm going to go ahead and I'm going to sign out. Actually, though, I'm going to go ahead and switch the UI back to legacy first. And then I'm going to go ahead and sign out. And now I'm going to go ahead and log in as QuayAdmin. And then I'm going to go ahead and turn the new UI back on. And as you can see, the QuayAdmin can see the OpenShift repository of OpenShift. And he can go in there and he can see the Busybox repository. And he can go in and see that there is one image tagged for test.

What I want to do though is I want to go back to the command line. And I want to go ahead and log in this time as the QuayAdmin from the command line. And once I'm logged in, I'm going to go ahead and I'm going to show you that I can pull that image from the OpenShift repository. And it comes down just fine. And now I'm going to go ahead and I'm going to tag it as a new image. So instead of test, I'm going to tag it as test1. And then I'm going to go ahead and push that back up there to the OpenShift repository. The one that I don't necessarily or wouldn't normally have rights to, but because, again, I've set the feature flag of QuaySuperUser having full access, I have access to everything. And so we'll go ahead and we'll push that image up. And notice it went up just fine.

Let's go back to the OpenShift organization. And again, we can see that there's a Busybox repository. And now we've actually got two different tagged images in there. Test and test1, both of them having been pulled and pushed by my QuayAdmin user. And now if I wanted to, I can go ahead and I can actually delete these. And I'm just going to delete them one by one. So first we'll do the test1. We'll click delete and remove that. And then next we'll click the test1 and do that. Click delete. And now they're both gone. We'll go back to the OpenShift organization. And now I'm going to go ahead and delete the Busybox repository. And I'm going to delete that as well. Type in confirm to confirm that delete. And now there are no repositories underneath that organization.

If we drop back to the command line again, of course I will go ahead and I'll push this test1 right back up there. But in this case it can't do it because the repository or the organization is no longer known. Because I've gone ahead and removed the repository.

So hopefully this gives you an example of how the SuperUser full access feature flag works. Again, it's designed to ensure that the SuperUser has the ability to see into all the repositories within the Quay environment. Whereas in previous releases in order for the SuperUser to actually delete other content that it didn't have access to, it had to take ownership of that and then go ahead and delete that content.

I hope you enjoyed this demo. Thank you very much. Bye-bye.
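
Added example, not part of the talk and not Red Hat's code: a small audit that reads a config.yaml and reports which accounts the full-access flag applies to. It assumes the fields named in the talk are the config.yaml keys SUPER_USERS, FEATURE_SUPERUSERS_FULL_ACCESS and FEATURE_UI_V2; the hostname and account names in the sample are constructed, and the parser is a deliberately small subset reader, not a full YAML parser.

```python
import re

# Constructed sample config; hostname and account names are made up.
SAMPLE_CONFIG = """\
SERVER_HOSTNAME: quay.example.com  # constructed value
SUPER_USERS:
  - quayadmin
  - opsadmin
FEATURE_SUPERUSERS_FULL_ACCESS: true
FEATURE_UI_V2: true
"""

def parse_top_level(text):
    """Read top-level scalars and block lists only (subset parser);
    use a YAML library when handling a full config.yaml."""
    data, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()   # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        item = re.match(r"^\s*-\s+(.+)$", line)
        if item and current is not None:              # list entry under a key
            data[current].append(item.group(1).strip("'\""))
            continue
        current = None
        key = re.match(r"^([A-Z0-9_]+):\s*(.*)$", line)
        if key:
            name, value = key.groups()
            if value:
                data[name] = value.strip("'\"")
            else:
                data[name], current = [], name        # list follows
    return data

def is_true(value):
    return isinstance(value, str) and value.lower() in {"true", "yes", "on"}

def audit(text):
    cfg = parse_top_level(text)
    supers = cfg.get("SUPER_USERS")
    supers = supers if isinstance(supers, list) else []
    full = is_true(cfg.get("FEATURE_SUPERUSERS_FULL_ACCESS"))  # absent counts as off here
    findings = []
    if full and supers:   # these accounts can read, write and delete everywhere
        findings.append("full access on for: " + ", ".join(supers))
    if full and not is_true(cfg.get("FEATURE_UI_V2")):
        findings.append("FEATURE_UI_V2 off: beta UI view of other organizations unavailable")
    return {"full_access": full, "superusers": supers, "findings": findings}
```

Calling `audit(SAMPLE_CONFIG)` returns the flag state, the superuser list and the findings, which makes it easy to review every account in that list before the flag is switched on.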