Bug 1821771
| Summary: | anonymous browsers should get a 403 from / | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Luis Sanchez <sanchezl> | |
| Component: | apiserver-auth | Assignee: | Andrea Hoffer <ahoffer> | |
| Status: | CLOSED ERRATA | QA Contact: | scheng | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 4.4 | CC: | aos-bugs, bparees, jcallen, mfojtik, sttts, vareti, xxia | |
| Target Milestone: | --- | Keywords: | Reopened | |
| Target Release: | 4.6.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | LifecycleReset | |||
| Fixed In Version: | Doc Type: | Release Note | ||
| Doc Text: |
In OpenShift release 4.1, an anonymous user could access discovery endpoints. Later releases revoked this access by removing unauthenticated subjects from cluster role bindings. Because of the way default policy resources are reconciled, unauthenticated access is preserved in upgrade clusters.
The ability to revoke this access after upgrading a cluster can be added to OpenShift. But, as doing that automatically would break existing use-cases, cluster administrators are given the ability to chose the best path forward based on their use case.
There could be up to five cluster role bindings in an OpenShift 4.6 cluster that give unauthenticated user access to discovery endpoints.
1. cluster-status-binding
2. discovery
3. system:basic-user
4. system:discovery
5. system:openshift:discovery
Cluster administrators can revoke unauthenticated access by using the below shell script. Please note that after running this snippet, an application that relied on unauthenticated behavior might start to receive HTTP 403 from the API Server.
## Snippet to remove unauthenticated group from all the cluster role bindings.
$ for clusterrolebinding in cluster-status-binding discovery system:basic-user system:discovery system:openshift:discovery ;
do
### Find the index of unauthenticated group in list of subjects
index=$(oc get clusterrolebinding ${clusterrolebinding} -o json | jq 'select(.subjects!=null) | .subjects | map(.name=="system:unauthenticated") | index(true)');
### Remove the element at index from subjects array
oc patch clusterrolebinding ${clusterrolebinding} --type=json --patch "[{'op': 'remove','path': '/subjects/$index'}]";
done
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1822681 1878095 (view as bug list) | Environment: | ||
| Last Closed: | 2020-10-27 15:57:47 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1878095, 1879650 | |||
|
Description
Luis Sanchez
2020-04-07 15:08:33 UTC
Related test failure: [It] [Top Level] [Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel] /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:163 STEP: should only allow the system:authenticated group to access certain policy rules STEP: should only allow the system:unauthenticated group to access certain policy rules Apr 7 06:36:18.550: FAIL: system:unauthenticated has extra permissions in namespace "": *** Bug 1821954 has been marked as a duplicate of this bug. *** This is by design of rbac reconciliation, and the switch to authenticated / and discovery endpoints. This is certainly no regression of 4.4 and therefore doubtfully a blocker. Moving back to 4.5, with backports, and priority high. Can I get an update on the progress of this bug? The fix needs to be backported to 4.4 to unblock upgrades. In my testing I found that this issue is present in 4.1->4.2 upgrade as well. I put up an PR that could potentially resolve the issue. Will work with Stefan and Standa to refine the PR and merged it. this bug is actively worked on. I will revisit this after finishing up my current tasks. I am planning to resume the work in this sprint. I am working on other high priority items. I will get to this bug next sprint. This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. this bug had an update from the assignee less than 30 days ago, so the bot shouldn't have taken action. Michal is looking into it. Setting the priority back for now. Closing this issue. Issue as such is not reproduced in CI in the latest runs. Whatever failures present in ci search are due to network or io issues. pretty sure this isn't showing up because we disabled the test. Do you have evidence the test has actually passed in recent CI runs? Not to mention it should be very easy to test the actual behavior to see if it is correct: anonymous browser should get a 403 from /, getting 200 instead. is it? (the behavior only happens when you start from a 4.1 cluster and upgrade through to 4.5 or so, i don't think it happens if you just install a 4.5 cluster fresh) The LifecycleStale keyword was removed because the bug got commented on recently. The bug assignee was notified. re-opening the issue as this is still an issue. How can we fix the unit tests? Can we exclude clusters that come from 4.1? I am not sure how to do that. Let's check with Ben to see if it is possible. @Ben, Is it possible to exclude this test for clusters upgraded from 4.1? Please let us know if we have to talk to someone else regarding this. not that i'm aware of unless the test itself can determine the provenance of the cluster and then just make its own choice to pass the test (i'm not sure if there's anything in the cluster itself that indicates what version the cluster started out as?) i think cluster version resource contains the upgrade history. maybe we could use that in the test. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196 |