Bug 1960767
| Summary: | /metrics endpoint of the Grafana UI is accessible without authentication | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Nikhil Joshi <nijoshi> | ||||
| Component: | Monitoring | Assignee: | Arunprasad Rajkumar <arajkuma> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Junqi Zhao <juzhao> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 3.11.0 | CC: | alegrand, anpicker, aos-bugs, arajkuma, erooth, kakkoyun, lcosic, pkrupa, spasquie | ||||
| Target Milestone: | --- | ||||||
| Target Release: | 4.8.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | No Doc Update | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2021-07-27 23:08:44 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
tested with 4.8.0-0.nightly-2021-05-25-041803 grafana metrics endpoint is secured now, but alertmanager/prometheus/thanos-querier are not secured, see bug 1964334 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |
Created attachment 1783306 [details] /metrics enpoint accessible Description of problem: IHAC who came up with security concerns regarding Red Hat OpenShift Container Platform v3.11.x Grafana webconsole. 2. After they access the Grafana route and append it with /metrics , they find that the live memory stats and others stats are displayed without having to authenticate into Grafana. I also checked this in my cluster and the behavior is the same. Additionally, if the page is refreshed, the values of the stats also changes suggesting that these are LIVE numbers. Also, this issue is present on v4.7 Version-Release number of selected component (if applicable): 3.11.x and also present on v4.7 Steps to Reproduce: 1. Append the Grafana UI URL with /metrics 2. Observe that the page opens without authnetication. 3. Also observe that on refreshing the page, the numbers are changes suggesting they are LIVE values Actual results: The /metrics endpoint is accessible to anyone without any authentication. Expected results: The /metrics endpoint should not be accessible without authentication. Additional info: Attached the result