Bug 2058424
| Field | Value |
|---|---|
| Summary | ConsolePlugin proxy always passes Authorization header even if `authorize` property is omitted or false |
| Product | OpenShift Container Platform |
| Reporter | Mike Turley <mturley> |
| Component | Management Console |
| Assignee | Jakub Hadvig <jhadvig> |
| Status | CLOSED ERRATA |
| QA Contact | Xiyun Zhao <xiyuzhao> |
| Severity | high |
| Docs Contact | |
| Priority | unspecified |
| Version | 4.10 |
| CC | aos-bugs, spadgett, xiyuzhao |
| Target Milestone | --- |
| Target Release | 4.11.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | No Doc Update |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2022-08-10 10:51:23 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 2059186 |
Description (Mike Turley, 2022-02-24 21:40:01 UTC)

See discussion on Slack here: https://coreos.slack.com/archives/C011BL0FEKZ/p1645734204061589. @spadgett seems to have found the root cause:

> I suspect this line always adds the header: https://github.com/openshift/console/blob/master/pkg/server/server.go#L541
> Potential fix, although I haven’t fully tested yet: https://github.com/openshift/console/pull/11102
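
The security point of this report is that a reverse proxy which attaches the caller's own bearer token to every upstream request hands that credential to any service a plugin chooses to point at, whether or not the plugin declared `authorize`. The following Go program is an added illustration, not the console's code from `pkg/server/server.go` or from the linked pull request (which this page only references): it models a plugin proxy handler for `/api/proxy/plugin/:pluginName/:proxyAlias/` with a pluggable header policy, runs the always-forward behaviour (`BuggyPolicy`) and the opt-in behaviour (`FixedPolicy`) through the same handler against a loopback `httptest` backend, and reports what the backend actually received. The `ProxyConfig` type, both policy functions, the `session-token` value, and the decision to never pass the browser's own `Authorization` header through to the backend are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ProxyConfig is a hypothetical stand-in for one spec.proxy entry of a ConsolePlugin (not the console's own type).
type ProxyConfig struct {
	Plugin    string   // ConsolePlugin name, e.g. console-demo-plugin
	Alias     string   // proxy alias, e.g. thanos-querier
	Endpoint  *url.URL // backend the alias maps to
	Authorize bool     // spec.proxy.authorize; false when the field is omitted
}

// HeaderPolicy decides which credential headers the proxy attaches upstream.
type HeaderPolicy func(cfg ProxyConfig, sessionToken string) http.Header

// BuggyPolicy reproduces the defect: the caller's console session token is
// forwarded to the backend regardless of spec.proxy.authorize.
func BuggyPolicy(cfg ProxyConfig, sessionToken string) http.Header {
	h := http.Header{}
	h.Set("Authorization", "Bearer "+sessionToken)
	return h
}

// FixedPolicy forwards the session token only when the plugin opted in.
func FixedPolicy(cfg ProxyConfig, sessionToken string) http.Header {
	h := http.Header{}
	if cfg.Authorize {
		h.Set("Authorization", "Bearer "+sessionToken)
	}
	return h
}

// NewPluginProxy builds the handler mounted at /api/proxy/plugin/<plugin>/<alias>/.
// sessionToken stands in for the caller's console session token (hypothetical source).
func NewPluginProxy(cfg ProxyConfig, sessionToken string, policy HeaderPolicy) http.Handler {
	prefix := "/api/proxy/plugin/" + cfg.Plugin + "/" + cfg.Alias + "/"
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := *cfg.Endpoint
		target.Path = strings.TrimSuffix(target.Path, "/") + "/" + strings.TrimPrefix(r.URL.Path, prefix)
		req, err := http.NewRequestWithContext(r.Context(), r.Method, target.String(), r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		// Client headers pass through except Authorization: only the policy
		// decides whether a credential reaches the backend (this example's choice).
		for k, vv := range r.Header {
			if !strings.EqualFold(k, "Authorization") {
				req.Header[k] = vv
			}
		}
		for k, vv := range policy(cfg, sessionToken) {
			req.Header[k] = vv
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		_, _ = io.Copy(w, resp.Body)
	})
}

// AuthHeaderSeenUpstream sends one request carrying a fake "Bearer foo" (as in
// the verification steps) through the proxy to a fake backend that echoes back
// the Authorization header it received; "" means the backend got no credential.
func AuthHeaderSeenUpstream(authorize bool, policy HeaderPolicy) (string, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Header.Get("Authorization"))
	}))
	defer backend.Close()
	endpoint, _ := url.Parse(backend.URL)
	cfg := ProxyConfig{Plugin: "console-demo-plugin", Alias: "thanos-querier", Endpoint: endpoint, Authorize: authorize}
	proxy := httptest.NewServer(NewPluginProxy(cfg, "session-token", policy)) // constructed token value
	defer proxy.Close()
	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/api/proxy/plugin/console-demo-plugin/thanos-querier/api/v1/rules", nil)
	req.Header.Set("Authorization", "Bearer foo")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	seenBuggy, _ := AuthHeaderSeenUpstream(false, BuggyPolicy)
	seenFixed, _ := AuthHeaderSeenUpstream(false, FixedPolicy)
	fmt.Printf("authorize omitted: buggy forwards %q, fixed forwards %q\n", seenBuggy, seenFixed)
}
```

With `authorize` omitted (the default in the demo plugin's oc-manifest.yaml), the buggy policy lets the backend see `Bearer session-token` even though the browser only sent `Bearer foo`, which is exactly why the verification request below succeeds on the unfixed build; the fixed policy sends no credential at all, so a backend that requires one rejects the call, and only `spec.proxy.authorize: true` restores the forwarded token. Keeping the decision in one small policy function also gives a natural place for a unit test that asserts the token is absent when the flag is false.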
This bug has been verified on payload 4.11.0-0.nightly-2022-03-20-160505

Verification steps:

1. Log in to the OCP CLI and set up the related resources using the oc-manifest.yaml provided by https://github.com/openshift/console/blob/master/dynamic-demo-plugin/oc-manifest.yaml. In this case the authorize flag is omitted and will be set to false automatically after the resource is created:
   $ oc apply -f oc-manifest.yaml
2. Check the details of the created ConsolePlugin in YAML and verify that 'spec.proxy.authorize' is set to false.
3. Enable the plugin: Administration -> Cluster Settings -> Configuration tab -> choose Console (operator.openshift.io) -> Console plugins tab -> enable the plugin using the edit button in the Status column.
4. Log in to the OpenShift UI and open the JavaScript console in the browser's developer tools.
5. Make a request to the proxy endpoint, including an Authorization header with your own bearer token (or a fake one), and check the response (replace the URL using the format /api/proxy/plugin/:pluginName/:proxyAlias/):

   ```js
   fetch(
     'https://console-openshift-console.apps.qe-daily-0323.qe.devcluster.openshift.com/api/proxy/plugin/console-demo-plugin/thanos-querier/',
     { headers: { Authorization: 'Bearer foo' } }
   )
     .then((response) => response.json())
     .then((data) => console.log(data));
   ```

6. Verify that the promiseState in the response is not 'rejected'.

Result:

2. 'spec.proxy.authorize' is set to false automatically.
6. The PromiseState of the response is pending.

This bug has been verified on payload 4.11.0-0.nightly-2022-03-20-160505

Verification steps:

1. Log in to the OCP CLI and set up the related resources using the oc-manifest.yaml provided by https://github.com/openshift/console/blob/master/dynamic-demo-plugin/oc-manifest.yaml. In this case the authorize flag is omitted and will be set to false automatically after the resource is created:
   $ oc apply -f oc-manifest.yaml
2. Check the details of the created ConsolePlugin in YAML and verify that 'spec.proxy.authorize' is set to false.
3. Enable the plugin: Administration -> Cluster Settings -> Configuration tab -> choose Console (operator.openshift.io) -> Console plugins tab -> enable the plugin using the edit button in the Status column.
4. Log in to the OpenShift UI and open the JavaScript console in the browser's developer tools.
5. Navigate to the proxied URL https://my.console.ui.url/test-proxy-service and verify whether any content is shown under 'Proxy: consoleFetchJSON'.
6. Make a request to the proxy endpoint, including an Authorization header with your own bearer token (or a fake one), and check the response (replace the URL using the format /api/proxy/plugin/:pluginName/:proxyAlias/):

   ```js
   fetch(
     'https://my.console.ui.url/api/proxy/plugin/console-demo-plugin/thanos-querier/',
     { headers: { Authorization: 'Bearer foo' } }
   )
     .then((response) => response.json())
     .then((data) => console.log(data));
   ```

7. Verify that the promiseState in the response is 'rejected'.
8. Update the authorize flag to true: Administration -> Cluster Settings -> Configuration tab -> choose Console (operator.openshift.io) -> Console plugins tab -> select and go to the ConsolePlugin details page -> YAML tab. Set spec.proxy.authorize to true.
9. Repeat step 6 and verify that the user is able to open the page https://my.console.ui.url/api/proxy/plugin/console-demo-plugin/thanos-querier/ and that the page loads.

Result:

2. 'spec.proxy.authorize' is set to false automatically.
5. The page loads without any error; no content is found under the 'Proxy: consoleFetchJSON' section.
6. The PromiseState of the response is rejected in Chrome developer mode.
9. The page loads without any error, and the message below is found under the 'Proxy.consoleFetchJSON' section:

   ```json
   {
     "status": "success",
     "data": {
       "groups": [
         {
           "name": "CloudCredentialOperator",
           "file": "/etc/prometheus/rules/prometheus-k8s-rulefiles-0/openshift-cloud-credential-operator-cloud-credential-operator-alerts-53ea2bc2-d936-4ae8-80ee-082981bd0580.yaml",
           "rules": [
             {
               "state": "inactive",
               "name": "CloudCredentialOperatorDeprovisioningFailed",
               "query": "cco_credentials_requests_conditions{condition=\"CredentialsDeprovisionFailure\"} > 0",
               "duration": 300,
               "labels": {
                 "prometheus": "openshift-monitoring/k8s",
                 "severity": "warning"
               },
               "annotations": {
                 "description": "While processing a CredentialsRequest marked for deletion, the Cloud Credential Operator encountered an issue. Check the conditions of all CredentialsRequests with 'oc get credentialsrequest -A' to find any CredentialsRequest(s) with a .status.condition showing a condition type of CredentialsDeprovisionFailure set to True for more details on the issue.",
                 "message": "CredentialsRequest(s) unable to be cleaned up",
                 "summary": "One or more CredentialsRequest CRs are unable to be deleted."
   ```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069