Bug 1710868
| Field | Value |
|---|---|
| Summary | Access to the ES root url / from a project's pod on Openshift 3.11 |
| Product | OpenShift Container Platform |
| Reporter | hgomes |
| Component | Logging |
| Assignee | Jeff Cantrill <jcantril> |
| Status | CLOSED ERRATA |
| QA Contact | Anping Li <anli> |
| Severity | medium |
| Priority | unspecified |
| Version | 3.11.0 |
| CC | agawand, aos-bugs, aprajapa, jcantril, rmeggins, sponnaga, vjaypurk |
| Target Milestone | --- |
| Target Release | 3.11.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| | 1722959 (view as bug list) |
| Last Closed | 2019-07-23 19:56:23 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1722959, 1724341 |

Doc Text:

Cause: The permissions between 3.10 (ES 2.x) and 3.11 (ES 5.x) were locked down so that non-admin users were unable to access the root endpoints.
Consequence: Non-admin users are unable to determine the ES version by accessing the root endpoint.
Fix: Add permissions so everyone is able to see the ES version.
Result: Access to the root endpoint is the same as from prior releases.
Description (hgomes, 2019-05-16 12:52:22 UTC)
---

(In reply to hgomes from comment #0)
> But as this behavior looks like a regression introduced in 3.11 a proper fix
> seems suitable.

Correction - it was technically not a regression - it was only an "accident" that the root "/" URL was readable in 3.10 and earlier. It was not part of the public API. The supported OpenShift logging EFK stack does not require permission to view "/". I'm not saying we won't fix it, but be careful about the use of the term "regression", and technically this is an RFE, not a bug.

Are you able to tell me what role this SA had in 3.10 "system:serviceaccount:dbms-preprod:elastalert"? Looking at 3.10 action groups [1] and our declared permissions [2], there are none which match "cluster:monitor/main" unless the user/SA is in a role that can answer 'oc -n default auth can-i view pods/logs' [3], which would give them admin rights for ES.

The alternative reasoning:

* Maybe this endpoint was not guarded in 2.x
* User manually adjusted the permissions for it to be open

[1] https://github.com/openshift/origin-aggregated-logging/blob/release-3.10/elasticsearch/sgconfig/sg_action_groups.yml
[2] https://github.com/fabric8io/openshift-elasticsearch-plugin/blob/2.4.4/src/test/resources/io/fabric8/elasticsearch/plugin/user_role_with_shared_kibana_index_with_unique.yml#L13
[3] https://github.com/openshift/origin-aggregated-logging/blob/master/docs/access-control.md

---

In support of one of my theories, I don't see the failed permission listed in the original values available [1], which makes me think it was originally unguarded.

[1] https://www.elastic.co/guide/en/shield/2.2/privileges-list.html#ref-actions-list

---

Pass when using openshift3/ose-logging-elasticsearch5:v3.11.128

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1753

---

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.