Bug 2030630

Summary: 400 Bad Request error for some queries for the non admin user
Product: OpenShift Container Platform
Component: Monitoring
Reporter: Jan Fajerski <jfajersk>
Assignee: Jan Fajerski <jfajersk>
QA Contact: Junqi Zhao <juzhao>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4.9
Target Release: 4.9.z
CC: amuller, anpicker, aos-bugs, erooth, juzhao, spasquie, viraj
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of: 2024199
Bug Depends On: 2024199
Last Closed: 2022-03-29 07:16:22 UTC

Comment 1 Junqi Zhao 2022-01-20 04:40:14 UTC
Tested with the PR, still see the error; see the picture.

Comment 3 Vikram Raj 2022-01-20 09:13:45 UTC
Hi @juzhao, UI cherry-pick PR to 4.9.z is not yet merged. I think that is the reason you are still getting Forbidden errors in the Developer perspective Observe dashboard. BZ ticket for 4.9.z UI changes is https://bugzilla.redhat.com/show_bug.cgi?id=2026414

Comment 4 Jan Fajerski 2022-01-20 09:59:16 UTC
The prometheus oauth-proxy container logs the following:

2022/01/20 09:50:08 provider.go:515: Permission denied for pm1 for check {"resource":"namespaces","scopes":[],"verb":"get"}
2022/01/20 09:50:08 oauthproxy.go:650: 10.131.0.9:58512 Permission Denied: user is unauthorized when redeeming token
2022/01/20 09:50:08 oauthproxy.go:445: ErrorPage 403 Permission Denied Invalid Account

AFAIU that is the correct behavior: a user needs to be authorized to GET namespace resources.

Comment 5 Junqi Zhao 2022-01-21 02:06:27 UTC
(In reply to Vikram Raj from comment #3)
> Hi @juzhao, UI cherry-pick PR to 4.9.z is not yet merged. I think
> that is the reason you are still getting Forbidden errors in the Developer
> perspective Observe dashboard. BZ ticket for 4.9.z UI changes is
> https://bugzilla.redhat.com/show_bug.cgi?id=2026414

We are testing with the PR, not testing with the nightly payload which includes the fix.

Comment 6 Jan Fajerski 2022-03-18 09:48:29 UTC
@juzhao Can you please check again with a user that has GET privileges on namespaces? This should get you past the permission check:
2022/01/20 09:50:08 provider.go:515: Permission denied for pm1 for check {"resource":"namespaces","scopes":[],"verb":"get"}
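
The permission check discussed in comments 4 and 6, as an added example (not part of the bug report and not oauth-proxy's own code): a Python parser that pulls the denied user, verb and resource out of oauth-proxy log lines in the format quoted in comment 4. The sample log reuses the three quoted lines plus one constructed line, and the function names are hypothetical.

```python
import json
import re
from collections import Counter

# Sample input: the three lines quoted in comment 4, plus one constructed
# line (the last) added here so the parser has something to skip.
SAMPLE_LOG = """\
2022/01/20 09:50:08 provider.go:515: Permission denied for pm1 for check {"resource":"namespaces","scopes":[],"verb":"get"}
2022/01/20 09:50:08 oauthproxy.go:650: 10.131.0.9:58512 Permission Denied: user is unauthorized when redeeming token
2022/01/20 09:50:08 oauthproxy.go:445: ErrorPage 403 Permission Denied Invalid Account
2022/01/20 09:50:09 oauthproxy.go:445: ErrorPage 500 constructed unrelated line
"""

# Matches only the line format shown on this page (assumption: other
# oauth-proxy versions may word or lay out this message differently).
DENIED = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+: "
    r"Permission denied for (?P<user>\S+) for check (?P<check>\{.*\})\s*$"
)

def parse_denials(log_text):
    """Return one dict per 'Permission denied for <user> for check {...}' line."""
    denials = []
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue  # not a failed-check line
        try:
            check = json.loads(m.group("check"))
        except json.JSONDecodeError:
            continue  # malformed check payload: skip rather than guess
        denials.append({
            "time": m.group("ts"),
            "user": m.group("user"),
            "verb": check.get("verb"),
            "resource": check.get("resource"),
        })
    return denials

def summarize(denials):
    """Count denials per (user, verb, resource) so the missing grant stands out."""
    return Counter((d["user"], d["verb"], d["resource"]) for d in denials)

if __name__ == "__main__":
    for (user, verb, resource), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{n}x {user} lacks '{verb}' on '{resource}'")
```

Each reported tuple can then be checked against RBAC, for example with `oc auth can-i get namespaces --as=pm1`.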

Comment 13 errata-xmlrpc 2022-03-29 07:16:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.26 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1022