Bug 1854479

Summary: User with view permissions on a project but without 'monitoring-rules-view' role can still view rules
Product: OpenShift Container Platform
Component: Monitoring
Version: 4.6
Target Release: 4.6.0
Severity: low
Priority: unspecified
Status: CLOSED ERRATA
Type: Bug
Reporter: Simon Pasquier <spasquie>
Assignee: Simon Pasquier <spasquie>
QA Contact: Junqi Zhao <juzhao>
CC: alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, surbania
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-10-27 16:12:46 UTC

Description Simon Pasquier 2020-07-07 14:24:51 UTC
Description of problem:
A user with permissions to access the metrics in a given namespace can use the same endpoint to retrieve rules from the same namespace though no rule permissions have been granted for this user.

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
1. Log in as a user with view permissions for a given namespace
2. Retrieve a token with "oc whoami -t"
3. Start a shell inside the cluster
oc run tmp-shell --rm -i --tty --image centos -- /bin/bash
4. Query the tenancy-aware endpoint for rules from within the pod
curl -k -H "Authorization: Bearer <TOKEN>" "https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=openshift-monitoring"

Actual results:
The curl command succeeds.

Expected results:
The request should be rejected.

Additional info:

Comment 5 Junqi Zhao 2020-08-19 07:48:48 UTC
Tested with 4.6.0-0.nightly-2020-08-18-165040; the issue is fixed.
Verification steps:
1. grant view permissions for openshift-monitoring namespace
# oc adm policy add-role-to-user view  testuser-12 -n openshift-monitoring

2. get the testuser-12 user token from https://${oauth-route}/oauth/token/display
3. query rules endpoint
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-1 -- curl -k -H "Authorization: Bearer sha256~M-8xmAIqcFsunNNx4d2hf-WX0Oi-C9E-bdibY3ApyNw" "https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=openshift-monitoring"
Forbidden (user=testuser-12, verb=get, resource=prometheusrules, subresource=)

Comment 6 Junqi Zhao 2020-08-19 08:40:20 UTC
Added more tests:
1. Enable user workload monitoring, create Prometheus rules under a user namespace, and grant view permissions
# oc adm policy add-role-to-user  view testuser-12 -n ns1

2. query with the user token
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer sha256~bSo3NOkPb_r7h5dIUAuhcKIDkvTCdn8IMolATBJl2MU" "https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1"
Forbidden (user=testuser-12, verb=get, resource=prometheusrules, subresource=)


3. Grant the monitoring-rules-view role in the same project and query again
# oc adm policy add-role-to-user monitoring-rules-view  testuser-12 -n ns1
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer sha256~bSo3NOkPb_r7h5dIUAuhcKIDkvTCdn8IMolATBJl2MU" "https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1" | jq
{
  "status": "success",
  "data": {
    "groups": [
          {
            "name": "TestAlert",
            "query": "vector(1)",
            "duration": 0,
            "labels": {
              "namespace": "ns1",
              "severity": "none"
            },
            "annotations": {
              "message": "This is an alert meant to ensure that the entire alerting pipeline is functional."
            },
            "alerts": [
              {
                "labels": {
                  "alertname": "TestAlert",
                  "namespace": "ns1",
                  "severity": "none"
                },
                "annotations": {
                  "message": "This is an alert meant to ensure that the entire alerting pipeline is functional."
                },
                "state": "firing",
                "activeAt": "2020-08-19T08:07:15.389025513Z",
                "value": "1e+00"
              }
            ],
            "health": "ok",
            "type": "alerting"
          }
        ],
        "interval": 15
      }
    ]
  }
}

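The authorization split that the description and the verification comments exercise, modelled as an added Go example. This is illustrative code written for this page, not code from cluster-monitoring-operator or kube-rbac-proxy. Assumptions: the metrics tenancy check is modelled as "get pods" in the requested namespace (which the built-in view role grants); the pre-fix behaviour is modelled as that same pods check applied to /api/v1/rules, so a view-only user gets through; the fixed behaviour checks /api/v1/rules against prometheusrules.monitoring.coreos.com, the resource named in the Forbidden message above. The names ViewGrant, RulesViewGrant, MetricsOnlyPolicy, FixedPolicy and Authorize, and the RBAC table, are this example's own constructions.

```go
package main

import (
	"fmt"
	"strings"
)

// ResourceAttributes is the part of a SubjectAccessReview that a tenancy
// proxy fills from its configured resourceAttributes plus the "namespace"
// query parameter of the incoming request.
type ResourceAttributes struct {
	Namespace string
	APIGroup  string // "" is the core API group
	Resource  string
	Verb      string
}

// PathPolicy maps a served path prefix to the attributes that must be
// authorized for it. A proxy port with a single resourceAttributes block is
// modelled as one policy whose prefix is "/" (assumption of this model).
type PathPolicy struct {
	PathPrefix string
	APIGroup   string
	Resource   string
	Verb       string
}

// Grant stands in for a RoleBinding of a ClusterRole to one user in one
// namespace; all RBAC data here is constructed for the example.
type Grant struct {
	User, Namespace, APIGroup, Resource string
	Verbs                               []string
}

// ViewGrant mimics the part of the built-in "view" ClusterRole that the
// metrics tenancy check relies on: read access to pods in the namespace.
func ViewGrant(user, ns string) Grant {
	return Grant{User: user, Namespace: ns, APIGroup: "", Resource: "pods", Verbs: []string{"get", "list", "watch"}}
}

// RulesViewGrant mimics the "monitoring-rules-view" ClusterRole: read access
// to prometheusrules.monitoring.coreos.com in the namespace.
func RulesViewGrant(user, ns string) Grant {
	return Grant{User: user, Namespace: ns, APIGroup: "monitoring.coreos.com", Resource: "prometheusrules", Verbs: []string{"get", "list", "watch"}}
}

// RBAC answers the question the API server answers for a SubjectAccessReview.
type RBAC []Grant

func (r RBAC) Allowed(user string, a ResourceAttributes) bool {
	for _, g := range r {
		if g.User != user || g.Namespace != a.Namespace || g.APIGroup != a.APIGroup || g.Resource != a.Resource {
			continue
		}
		for _, v := range g.Verbs {
			if v == a.Verb {
				return true
			}
		}
	}
	return false
}

// Pre-fix model (assumption): every path on the tenancy port, /api/v1/rules
// included, is authorized against pods in the namespace, so "view" suffices.
var MetricsOnlyPolicy = []PathPolicy{
	{PathPrefix: "/", APIGroup: "", Resource: "pods", Verb: "get"},
}

// Post-fix model: the rules path is checked against prometheusrules; metric
// queries keep the pods check.
var FixedPolicy = []PathPolicy{
	{PathPrefix: "/api/v1/rules", APIGroup: "monitoring.coreos.com", Resource: "prometheusrules", Verb: "get"},
	{PathPrefix: "/api/v1/query", APIGroup: "", Resource: "pods", Verb: "get"},
}

// Authorize returns the HTTP status the proxy would answer with and, on
// denial, a message in the shape kube-rbac-proxy prints.
func Authorize(policies []PathPolicy, r RBAC, user, path, namespace string) (int, string) {
	for _, p := range policies {
		if !strings.HasPrefix(path, p.PathPrefix) {
			continue
		}
		a := ResourceAttributes{Namespace: namespace, APIGroup: p.APIGroup, Resource: p.Resource, Verb: p.Verb}
		if !r.Allowed(user, a) {
			return 403, fmt.Sprintf("Forbidden (user=%s, verb=%s, resource=%s, subresource=)", user, a.Verb, a.Resource)
		}
		return 200, ""
	}
	return 404, "no policy matches " + path
}

func main() {
	user, ns := "testuser-12", "ns1"
	viewOnly := RBAC{ViewGrant(user, ns)}
	withRules := RBAC{ViewGrant(user, ns), RulesViewGrant(user, ns)}
	cases := []struct {
		name     string
		policies []PathPolicy
		rbac     RBAC
	}{
		{"pre-fix, view only", MetricsOnlyPolicy, viewOnly},
		{"fixed, view only", FixedPolicy, viewOnly},
		{"fixed, view + monitoring-rules-view", FixedPolicy, withRules},
	}
	for _, c := range cases {
		code, msg := Authorize(c.policies, c.rbac, user, "/api/v1/rules", ns)
		fmt.Printf("%-38s -> %d %s\n", c.name, code, msg)
	}
}
```

The point the model makes is that the namespace query parameter only scopes the check; which resource is checked decides what a tenant can read. Binding the rules path to prometheusrules is what makes the view-only request in comment 6 fail and the request after adding monitoring-rules-view succeed, and it also keeps a user with rules access in ns1 from reading rules in another namespace.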
Comment 8 errata-xmlrpc 2020-10-27 16:12:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196