Bug 1703506

Summary: OAuth Server metrics endpoints should require auth
Product: OpenShift Container Platform
Reporter: Neelesh Agrawal <nagrawal>
Component: apiserver-auth
Assignee: Mo <mkhan>
Status: CLOSED ERRATA
QA Contact: scheng
Severity: medium
Priority: unspecified
Version: 4.1.0
CC: aos-bugs, mkhan
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
: 1704822
Last Closed: 2019-06-04 10:48:05 UTC
Type: Bug
Bug Blocks: 1704822

Description Neelesh Agrawal 2019-04-26 15:32:55 UTC
We should not emit metrics that are globally readable. 
Most critical metrics to protect are oauth related.
Goal will be to either protect those metrics or disable them.

Comment 4 Mo 2019-05-01 13:17:34 UTC
My PR correctly fixes the lack of auth on metrics and all other OAuth server endpoints that need it.  It does not disable metrics.

Comment 8 errata-xmlrpc 2019-06-04 10:48:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758