Bug 2034688

Summary: Allow Prometheus/Thanos to return 401 or 403 when the request isn't authenticated
Product: OpenShift Container Platform
Reporter: Haoyu Sun <hasun>
Component: Monitoring
Assignee: Haoyu Sun <hasun>
Status: CLOSED ERRATA
QA Contact: hongyan li <hongyli>
Severity: medium
Priority: low
Version: 4.9
CC: amuller, anpicker, aos-bugs
Target Milestone: ---
Target Release: 4.11.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2022-08-10 10:41:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Haoyu Sun 2021-12-21 17:15:40 UTC
Description of problem:
The openshift/origin test should allow Prometheus/Thanos to return 401 or 403 when the request isn't authenticated.

Version-Release number of selected component (if applicable):


How reproducible:
When CI testing the pull request https://github.com/openshift/cluster-monitoring-operator/pull/1512, in the test results of ci/prow/e2e-agnostic, the test "[sig-instrumentation] Prometheus when installed on the cluster should start and expose a secured proxy and unsecured metrics" fails incorrectly.
This test, which calls the Thanos querier root URL without authentication, should return 401 Unauthorized instead of 403 Forbidden. The test code sends a request using the curl command curl -k -s -o /dev/null -w 403 https://thanos-querier.openshift-monitoring.svc:9091 without providing any authentication information. A response with status code 401 should be expected. The same goes for the test "[sig-instrumentation][sig-builds][Feature:Builds] Prometheus when installed on the cluster should start and expose a secured proxy and verify build metrics", too.


Actual results:
The test "[sig-instrumentation] Prometheus when installed on the cluster should start and expose a secured proxy and unsecured metrics" accepts HTTP code 403 only.

Expected results:
The test "[sig-instrumentation] Prometheus when installed on the cluster should start and expose a secured proxy and unsecured metrics" accepts both HTTP codes 401 and 403.
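The assertion the description asks for, written out as an added example (not the openshift/origin test code): an unauthenticated GET against the querier, treated as passing when the response is either 401 or 403, since both mean the endpoint refused to serve data without credentials. The querier stand-ins in main are constructed httptest servers; the InsecureSkipVerify setting mirrors the test's curl -k and is only acceptable in a test.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AuthEnforced reports whether an unauthenticated request was rejected.
// 401 (no credentials) and 403 (credentials missing or insufficient for the
// RBAC check) both show that authentication was enforced, which is what the
// e2e test is meant to verify; any other code is a failure.
func AuthEnforced(status int) bool {
	return status == http.StatusUnauthorized || status == http.StatusForbidden
}

// ProbeUnauthenticated sends a GET with no Authorization header, like the
// test's curl invocation, and returns the HTTP status code.
func ProbeUnauthenticated(url string) (int, error) {
	client := &http.Client{Transport: &http.Transport{
		// Assumption: certificate checking is skipped, as curl -k does.
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// CheckQuerier is the test assertion: the probe must succeed and the status
// must be one of the two rejection codes.
func CheckQuerier(url string) error {
	code, err := ProbeUnauthenticated(url)
	if err != nil {
		return err
	}
	if !AuthEnforced(code) {
		return fmt.Errorf("unauthenticated request to %s returned %d, want 401 or 403", url, code)
	}
	return nil
}

func main() {
	// Constructed stand-ins for the querier: 401 and 403 pass, 200 fails.
	for _, status := range []int{401, 403, 200} {
		status := status
		srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(status) }))
		fmt.Println(status, CheckQuerier(srv.URL))
		srv.Close()
	}
}
```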

Comment 5 hongyan li 2022-03-21 07:00:57 UTC
The change is about an e2e test, not related to the product.

I accessed the thanos-querier API without access and got 403. 401 is also OK for the error code definition.
$ host=$(oc -n openshift-monitoring get route thanos-querier -ojsonpath={.spec.host})
$ curl -k -L -o /dev/null -w %{http_code} "https://$host/api/v1/stores"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 85124    0 85124    0     0  54899      0 --:--:--  0:00:01 --:--:-- 55275
403

Tried with payload
4.11.0-0.nightly-2022-03-20-160505

Comment 9 errata-xmlrpc 2022-08-10 10:41:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069