Bug 1854479
Summary: | User with view permissions on a project but without 'monitoring-rules-view' role can still view rules | |
---|---|---|---
Product: | OpenShift Container Platform | Reporter: | Simon Pasquier <spasquie>
Component: | Monitoring | Assignee: | Simon Pasquier <spasquie>
Status: | CLOSED ERRATA | QA Contact: | Junqi Zhao <juzhao>
Severity: | low | Docs Contact: |
Priority: | unspecified | |
Version: | 4.6 | CC: | alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, surbania
Target Milestone: | --- | |
Target Release: | 4.6.0 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2020-10-27 16:12:46 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Simon Pasquier
2020-07-07 14:24:51 UTC

Tested with 4.6.0-0.nightly-2020-08-18-165040, issue is fixed.

Verification steps:

1. Grant view permissions for the openshift-monitoring namespace:

```
# oc adm policy add-role-to-user view testuser-12 -n openshift-monitoring
```

2. Get the testuser-12 user token from https://${oauth-route}/oauth/token/display

3. Query the rules endpoint:

```
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-1 -- curl -k -H "Authorization: Bearer sha256~M-8xmAIqcFsunNNx4d2hf-WX0Oi-C9E-bdibY3ApyNw" https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=openshift-monitoring
Forbidden (user=testuser-12, verb=get, resource=prometheusrules, subresource=)
```

Add more tests:

1. Enable user workload monitoring, create Prometheus rules under a user namespace, and grant view permissions:

```
# oc adm policy add-role-to-user view testuser-12 -n ns1
```

2. Query with the user token:

```
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer sha256~bSo3NOkPb_r7h5dIUAuhcKIDkvTCdn8IMolATBJl2MU" https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1
Forbidden (user=testuser-12, verb=get, resource=prometheusrules, subresource=)
```

3. Grant the monitoring-rules-view role in the same project and query again:

```
# oc adm policy add-role-to-user monitoring-rules-view testuser-12 -n ns1
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer sha256~bSo3NOkPb_r7h5dIUAuhcKIDkvTCdn8IMolATBJl2MU" https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1 | jq
{
  "status": "success",
  "data": {
    "groups": [
      {
        "rules": [
          {
            "name": "TestAlert",
            "query": "vector(1)",
            "duration": 0,
            "labels": {
              "namespace": "ns1",
              "severity": "none"
            },
            "annotations": {
              "message": "This is an alert meant to ensure that the entire alerting pipeline is functional."
            },
            "alerts": [
              {
                "labels": {
                  "alertname": "TestAlert",
                  "namespace": "ns1",
                  "severity": "none"
                },
                "annotations": {
                  "message": "This is an alert meant to ensure that the entire alerting pipeline is functional."
                },
                "state": "firing",
                "activeAt": "2020-08-19T08:07:15.389025513Z",
                "value": "1e+00"
              }
            ],
            "health": "ok",
            "type": "alerting"
          }
        ],
        "interval": 15
      }
    ]
  }
}
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
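The verification above turns on one authorization decision: a caller may read `/api/v1/rules?namespace=<ns>` only if Kubernetes RBAC lets that user `get` `prometheusrules` in that namespace, which the project-level `view` role alone does not grant. The following model is an added illustration, not OpenShift or Thanos code. It assumes the endpoint maps the request to a `SubjectAccessReview` for verb `get`, resource `prometheusrules`, API group `monitoring.coreos.com` (the Forbidden line on the page names the verb and resource; the group and the review plumbing are my assumptions), and it replaces the API server with a tiny in-memory RBAC evaluator holding constructed, trimmed versions of the `view` and `monitoring-rules-view` roles. It replays the three verification steps and, going one step beyond the page, checks that a binding in `ns1` does not leak rules from `openshift-monitoring`.

```python
"""Model of the per-namespace authorization check behind the rules endpoint.

Added example, not OpenShift/Thanos code. Users, namespaces, role contents
and the SubjectAccessReview mapping are constructed assumptions that mirror
the bug's verification steps (testuser-12, ns1, openshift-monitoring).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One RBAC policy rule; '*' in a set acts as a wildcard."""
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def matches(self, group, resource, verb):
        def hit(allowed, value):
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, group)
                and hit(self.resources, resource)
                and hit(self.verbs, verb))


# Constructed, trimmed roles: `view` covers core workload objects only,
# while `monitoring-rules-view` covers the monitoring.coreos.com CRD.
ROLES = {
    "view": [Rule(frozenset({""}),
                  frozenset({"pods", "services", "configmaps"}),
                  frozenset({"get", "list", "watch"}))],
    "monitoring-rules-view": [Rule(frozenset({"monitoring.coreos.com"}),
                                   frozenset({"prometheusrules"}),
                                   frozenset({"get", "list", "watch"}))],
}


@dataclass
class Cluster:
    """Stand-in for the API server's RBAC authorizer (namespaced RoleBindings only)."""
    bindings: dict = field(default_factory=dict)  # (namespace, role) -> {users}

    def add_role_to_user(self, role, user, namespace):
        # Equivalent of: oc adm policy add-role-to-user ROLE USER -n NAMESPACE
        self.bindings.setdefault((namespace, role), set()).add(user)

    def review(self, sar):
        attrs = sar["spec"]["resourceAttributes"]
        user = sar["spec"]["user"]
        for (ns, role), users in self.bindings.items():
            if ns != attrs["namespace"] or user not in users:
                continue  # bindings are scoped to their own namespace
            if any(r.matches(attrs["group"], attrs["resource"], attrs["verb"])
                   for r in ROLES[role]):
                return {"status": {"allowed": True}}
        return {"status": {"allowed": False}}


def subject_access_review(user, namespace, verb="get"):
    """Body assumed to be POSTed to /apis/authorization.k8s.io/v1/subjectaccessreviews."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "resourceAttributes": {
                "namespace": namespace,
                "verb": verb,
                "group": "monitoring.coreos.com",
                "resource": "prometheusrules",
            },
        },
    }


def rules_endpoint(cluster, user, namespace):
    """Return (http_status, body) for GET /api/v1/rules?namespace=<namespace>."""
    sar = subject_access_review(user, namespace)
    if not cluster.review(sar)["status"]["allowed"]:
        attrs = sar["spec"]["resourceAttributes"]
        return 403, (f"Forbidden (user={user}, verb={attrs['verb']}, "
                     f"resource={attrs['resource']}, subresource=)")
    # The real endpoint would forward to Thanos and filter groups by namespace.
    return 200, {"status": "success", "data": {"groups": []}}


def walkthrough():
    """Replay the verification steps; returns the four HTTP status codes."""
    c = Cluster()
    c.add_role_to_user("view", "testuser-12", "openshift-monitoring")
    c.add_role_to_user("view", "testuser-12", "ns1")
    step1 = rules_endpoint(c, "testuser-12", "openshift-monitoring")[0]  # view only
    step2 = rules_endpoint(c, "testuser-12", "ns1")[0]                   # view only
    c.add_role_to_user("monitoring-rules-view", "testuser-12", "ns1")
    step3 = rules_endpoint(c, "testuser-12", "ns1")[0]                   # rules role in ns1
    other = rules_endpoint(c, "testuser-12", "openshift-monitoring")[0]  # must not leak
    return step1, step2, step3, other


if __name__ == "__main__":
    print(walkthrough())  # (403, 403, 200, 403)
```

The last return value is the check worth keeping in a regression test: a `monitoring-rules-view` binding in one project must not open the rules of another, so the review has to carry the namespace from the query parameter rather than the user's broadest binding.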