Bug 1703501

Summary: Enable auth for metrics endpoint on service-ca-operator
Product: OpenShift Container Platform Reporter: Neelesh Agrawal <nagrawal>
Component: apiserver-authAssignee: Daniel Spangenberg <dspangen>
Status: CLOSED ERRATA QA Contact: Chuan Yu <chuyu>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.1.0CC: aos-bugs, dspangen, eparis
Target Milestone: ---   
Target Release: 4.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-04 10:48:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Neelesh Agrawal 2019-04-26 15:20:21 UTC 
Jira: https://jira.coreos.com/browse/AUTH-297

We should not emit metrics that are globally readable.  The operators should be easy to fix via the library-go code (re-enable delegated auth).

Service CA operator
Comment 1 Daniel Spangenberg 2019-04-30 16:14:50 UTC 
PR -  https://github.com/openshift/service-ca-operator/pull/54
Comment 3 Chuan Yu 2019-05-05 14:45:22 UTC 
Verified on 4.1.0-0.nightly-2019-05-04-210601

sh-4.2# curl -vk https://127.0.0.1:8443/metrics
* About to connect() to 127.0.0.1 port 8443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* Server certificate:
*       subject: CN=localhost
*       start date: May 05 04:31:15 2019 GMT
*       expire date: Jun 04 04:31:16 2019 GMT
*       common name: localhost
*       issuer: CN=service-ca-operator-signer@1557030674
> GET /metrics HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8443
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Sun, 05 May 2019 14:45:04 GMT
< Content-Length: 240
< 
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
* Connection #0 to host 127.0.0.1 left intact
Comment 5 errata-xmlrpc 2019-06-04 10:48:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758