Bug 1960767

Summary: /metrics endpoint of the Grafana UI is accessible without authentication
Product: OpenShift Container Platform Reporter: Nikhil Joshi <nijoshi>
Component: MonitoringAssignee: Arunprasad Rajkumar <arajkuma>
Status: CLOSED ERRATA QA Contact: Junqi Zhao <juzhao>
Severity: low Docs Contact:
Priority: low    
Version: 3.11.0CC: alegrand, anpicker, aos-bugs, arajkuma, erooth, kakkoyun, lcosic, pkrupa, spasquie
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 23:08:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
/metrics enpoint accessible none

Description Nikhil Joshi 2021-05-14 19:21:53 UTC
Created attachment 1783306 [details]
/metrics enpoint accessible

Description of problem:

IHAC who came up with security concerns regarding Red Hat OpenShift Container Platform v3.11.x Grafana webconsole.
2.  After they access the Grafana route and append it with /metrics , they find that the live memory stats and others stats are displayed without having to authenticate into Grafana. I also checked this in my cluster and the behavior is the same. Additionally, if the page is refreshed, the values of the stats also changes suggesting that these are LIVE numbers.
Also, this issue is present on v4.7
Version-Release number of selected component (if applicable):
3.11.x and also present on v4.7

Steps to Reproduce:
1. Append the Grafana UI URL with /metrics
2. Observe that the page opens without authnetication.
3. Also observe that on refreshing the page, the numbers are changes suggesting they are LIVE values

Actual results:
The /metrics endpoint is accessible to anyone without any authentication.

Expected results:
The /metrics endpoint should not be accessible without authentication.

Additional info:
Attached the result

Comment 6 Junqi Zhao 2021-05-25 08:55:56 UTC
tested with 4.8.0-0.nightly-2021-05-25-041803
grafana metrics endpoint is secured now, but alertmanager/prometheus/thanos-querier are not secured, see bug 1964334

Comment 9 errata-xmlrpc 2021-07-27 23:08:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438