Bug 1881211

Summary: Unable to create silences as a user with `monitoring-edit` privileges
Product: OpenShift Container Platform
Reporter: Paul Needle <pneedle>
Component: Dev Console
Assignee: Vikram Raj <viraj>
Status: CLOSED ERRATA
QA Contact: Gajanan More <gamore>
Severity: high
Priority: unspecified
Version: 4.6
CC: alegrand, anpicker, aos-bugs, erooth, kakkoyun, lcosic, mloibl, nmukherj, pkrupa, spadgett, spasquie, surbania
Target Release: 4.6.0
Hardware: All
OS: Linux
Type: Bug
Last Closed: 2020-10-27 16:43:35 UTC

Description Paul Needle 2020-09-21 19:59:37 UTC
Description of problem:

I am unable to create silences as a user with `monitoring-edit` privileges for a user-defined project.

Please let me know if I am missing a role prerequisite or a setup step.

Version-Release number of selected component (if applicable):

OCP 4.6.0-0.nightly

How reproducible:

Every time.

Steps to Reproduce:

1. Set up user workload monitoring on a newly installed OCP cluster by using the script in https://github.com/openshift/cluster-monitoring-operator/blob/master/hack/uwm_setup.sh.

2. Create a new user and assign them the following two roles:

a. Assign the `monitoring-edit` cluster role for the `ns1` project:

----
$ oc policy add-role-to-user monitoring-edit user4 -n ns1
Warning: User 'user4' not found
clusterrole.rbac.authorization.k8s.io/monitoring-edit added: "user4"
----

b. Assign the `admin` cluster role for the `ns1` project:

----
$ oc policy add-role-to-user admin user4 -n ns1
Warning: User 'user4' not found
clusterrole.rbac.authorization.k8s.io/admin added: "user4"
----

3. Log in to the OCP web console as the new `user4` user.

4. In the Developer perspective, navigate to Monitoring -> Alerts -> <alert_name> -> Project: ns1. In the scripted example the alert is called `VersionAlert`. The graph under 'Alert Details' on this page states 'An error occurred Forbidden', indicating that the user does not have the appropriate permissions to view that element.

5. Select 'Silence alert', add a comment and submit. The same 'An error occurred Forbidden' message appears, indicating that the user does not have the required permissions to create a silence in the `ns1` project.

Actual results:

A user with the `monitoring-edit` and `admin` cluster roles in the `ns1` project cannot:

* View the 'Alert Details' graph in the ns1 project
* Create silences in the `ns1` project

Expected results:

For the user to be able to do both of these things.

Comment 3 Simon Pasquier 2020-09-22 13:07:02 UTC
I've managed to reproduce the issue and IIUC the problem is that the dev console uses the "admin" Alertmanager endpoint (https://alertmanager-main.openshift-monitoring.svc:9094) while it should use the tenancy-aware Alertmanager endpoint (https://alertmanager-main.openshift-monitoring.svc:9092). The former endpoint is protected by oauth-proxy and requires permissions to get any namespace (e.g. cluster admin), while the latter is protected by kube-rbac-proxy, requires permissions to manage prometheusrules in the given namespace, and expects a "namespace" query parameter.

Transferring to the Dev Console team.
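The following is an added example, not code from the bug report, from the reporter, or from the console fix. It turns the distinction drawn in comment 3 into checks that can be run against the setup from the report's reproduction steps (user4 holding `admin` and `monitoring-edit` in `ns1`): `oc auth can-i` for the two permissions the proxies actually evaluate, an HTTP probe of both endpoints with the user's token, and a silence created through the tenancy-aware endpoint with the `namespace` query parameter. Assumed rather than stated on this page: the Alertmanager v2 silences path (`/api/v2/silences`), that the tenancy layer also expects a `namespace` matcher inside the silence body, that the proxies accept the bearer token from `oc whoami -t`, and the service CA path inside a pod. The `.svc` hostnames resolve only inside the cluster, so the network parts are meant to run from a pod or an `oc debug` shell.

```sh
#!/bin/sh
# Added example (not from the bug report or the console fix): exercise the two
# Alertmanager endpoints contrasted in comment 3 as the project user from the report.
# Assumptions: /api/v2/silences path, a "namespace" matcher in the silence body,
# bearer-token auth via `oc whoami -t`, service CA at the in-pod path below.

AM_SVC="alertmanager-main.openshift-monitoring.svc"   # resolves only inside the cluster
AM_ADMIN_PORT=9094     # oauth-proxy: needs cluster-scope "get namespaces"
AM_TENANCY_PORT=9092   # kube-rbac-proxy: needs prometheusrules rights in the namespace
AM_CA="${AM_CA:-/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt}"

# Only accept a DNS-label-shaped namespace, so a caller can never smuggle extra
# query parameters into the URL (e.g. "ns1&namespace=openshift-monitoring").
valid_namespace() {
  case "$1" in
    "" | *[!a-z0-9-]* ) return 1 ;;
  esac
  return 0
}

# Admin endpoint: no tenancy, hence no namespace parameter. This is the URL the
# console was using when user4 got "Forbidden".
am_admin_silences_url() {
  printf 'https://%s:%s/api/v2/silences\n' "$AM_SVC" "$AM_ADMIN_PORT"
}

# Tenancy-aware endpoint: kube-rbac-proxy authorizes the request against the
# namespace named in the query parameter.
am_tenancy_silences_url() {
  valid_namespace "$1" || return 1
  printf 'https://%s:%s/api/v2/silences?namespace=%s\n' "$AM_SVC" "$AM_TENANCY_PORT" "$1"
}

# Alertmanager v2 silence body for one alert in one namespace. The namespace
# matcher is included deliberately: a project user should only be able to
# silence alerts carrying that label (assumption about the tenancy layer).
silence_payload() {
  ns=$1 alert=$2 created_by=$3 comment=$4 starts_at=$5 ends_at=$6
  valid_namespace "$ns" || return 1
  case "$alert$created_by$comment" in
    *\"* | *\\* ) return 1 ;;   # keep the hand-built JSON well-formed
  esac
  printf '{"matchers":[{"name":"namespace","value":"%s","isRegex":false},' "$ns"
  printf '{"name":"alertname","value":"%s","isRegex":false}],' "$alert"
  printf '"startsAt":"%s","endsAt":"%s","createdBy":"%s","comment":"%s"}\n' \
    "$starts_at" "$ends_at" "$created_by" "$comment"
}

# The two RBAC questions that separate the endpoints, asked while impersonating
# the user from the report. Expected for user4 after step 2: "no" then "yes".
rbac_checks() {
  user=$1 ns=$2
  printf 'get namespaces (cluster scope, port %s): ' "$AM_ADMIN_PORT"
  oc auth can-i get namespaces --as="$user" || true
  printf 'create prometheusrules in %s (port %s): ' "$ns" "$AM_TENANCY_PORT"
  oc auth can-i create prometheusrules.monitoring.coreos.com -n "$ns" --as="$user" || true
}

# HTTP status of a GET on each endpoint with the current login's token. For a
# project-scoped user the admin endpoint answers non-200, the tenancy one 200.
probe_endpoints() {
  ns=$1
  token=$(oc whoami -t)
  for url in "$(am_admin_silences_url)" "$(am_tenancy_silences_url "$ns")"; do
    code=$(curl -sS --cacert "$AM_CA" -o /dev/null -w '%{http_code}' \
      -H "Authorization: Bearer $token" "$url")
    printf '%s -> HTTP %s\n' "$url" "$code"
  done
}

# Create the silence the way the console should: through the tenancy endpoint,
# with the namespace in both the query string and the matchers.
create_silence() {
  ns=$1 alert=$2 comment=$3 starts_at=$4 ends_at=$5
  url=$(am_tenancy_silences_url "$ns") || return 1
  body=$(silence_payload "$ns" "$alert" "$(oc whoami)" "$comment" "$starts_at" "$ends_at") || return 1
  curl -sS --fail --cacert "$AM_CA" -X POST "$url" \
    -H "Authorization: Bearer $(oc whoami -t)" \
    -H 'Content-Type: application/json' \
    --data "$body"
}
```

Typical use, logged in as user4 inside the cluster: `rbac_checks user4 ns1`, then `probe_endpoints ns1` to see the admin endpoint refuse the token that the tenancy endpoint accepts, then `create_silence ns1 VersionAlert "maintenance window" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" 2020-09-21T22:00:00Z` with an `endsAt` a couple of hours after the start. The URL and payload builders are pure shell and can be checked offline; everything that touches `oc` or `curl` needs the cluster.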

Comment 4 Sergiusz Urbaniak 2020-09-24 10:43:17 UTC
temporarily reassigning to me to help in the console backend proxy code.

Comment 5 Sergiusz Urbaniak 2020-09-24 10:55:52 UTC
Reassigning to Vikram to take it from here for the frontend fix.

Comment 7 Andrew Pickering 2020-09-24 23:50:48 UTC
Moving back to ASSIGNED because the frontend change for this fix is not yet implemented.

Comment 10 Gajanan More 2020-10-07 09:02:05 UTC
Verified on:
Build: 4.6.0-0.nightly-2020-10-03-051134
Browser: Google Chrome Version 85.0.4183.102
Marking this as done

Comment 12 errata-xmlrpc 2020-10-27 16:43:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196