Bug 1907480

Summary: `Active alerts` section throwing forbidden error for users.
Product: OpenShift Container Platform Reporter: Rahul Rajendran <rpalathi>
Component: Dev ConsoleAssignee: Vikram Raj <viraj>
Status: CLOSED ERRATA QA Contact: spathak <spathak>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.6CC: aballant, aos-bugs, jkaur, nmukherj, spathak, viraj
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:43:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1927800    
Attachments:
Description Flags
Screenshot from Dev-console.
none
`Active alerts` section not throwing forbidden error for users. none

Description Rahul Rajendran 2020-12-14 15:33:07 UTC 
Created attachment 1738987 [details]
Screenshot from Dev-console.

Description of problem:

After creating alert rules for user-namespaces, there is a `forbidden` error shown in the `Active alerts` section while viewing the alerting rule.

Version-Release number of selected component (if applicable):


How reproducible:

100 %

Steps to Reproduce:
1. Create a user having the roles `admin`, `monitoring-rules-view` and `monitoring-edit`in a namespace of a `user-workload monitoring` enabled cluster.

2. Create an alert rule in the namespace.

3. Check the `Active Alerts` section of the developer console (i.e Developer console --> Monitoring --> Alerts -->  View alerting Rule)

Actual results:
An error message showing `AN ERROR OCCURED      FORBIDDEN`

Expected results:
No error message should be shown.

Additional info:

This issues seems not be hitting for a user having cluster wide access.

The dev console proxies seems to be routed incorrectly.

~~~
right:
Request URL: https://console-openshift-console.apps.ci-ln-ypz5i9t-f76d1.origin-ci-int-gce.dev.openshift.com/api/prometheus-tenancy/api/v1/query_range?start=1607954842.998&end=1607956642.998&step=6&namespace=sur-project&query=version%7Bjob%3D%22prometheus-example-app%22%2Cnamespace%3D%22sur-project%22%7D+%3D%3D+0&timeout=30s

wrong:
Request URL: https://console-openshift-console.apps.ci-ln-ypz5i9t-f76d1.origin-ci-int-gce.dev.openshift.com/api/prometheus/api/v1/query_range?start=1607954825.049&end=1607956625.049&step=6&query=version%7Bjob%3D%22prometheus-example-app%22%2Cnamespace%3D%22sur-project%22%7D+%3D%3D+0&timeout=30
s

right:
Request URL: https://console-openshift-console.apps.ci-ln-ypz5i9t-f76d1.origin-ci-int-gce.dev.openshift.com/api/prometheus-tenancy/api/v1/rules?namespace=sur-project

wrong:
Request URL: https://console-openshift-console.apps.ci-ln-ypz5i9t-f76d1.origin-ci-int-gce.dev.openshift.com/api/prometheus/api/v1/rules
~~~


Please find the attachment for the screenshot of the error.
Comment 2 spathak@redhat.com 2021-01-21 09:57:22 UTC 
Created attachment 1749333 [details]
`Active alerts` section not throwing forbidden error for users.
Comment 3 spathak@redhat.com 2021-01-21 09:58:56 UTC 
Verified on build version: 4.7.0-0.nightly-2021-01-19-095812
Browser version: Chrome 84
Comment 5 Vikram Raj 2021-02-11 14:53:15 UTC 
Yes @jkaur, we are porting it to 4.6.
Comment 8 errata-xmlrpc 2021-02-24 15:43:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
Comment 9 Red Hat Bugzilla 2023-09-15 00:53:00 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days