Bug 1316216 - Logging is not restricted to current owner/group of a namespace
Summary: Logging is not restricted to current owner/group of a namespace
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: ewolinet
QA Contact: chunchen
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: OSOPS_V3 CVE-2016-2149
Reported: 2016-03-09 17:10 UTC by Wesley Hearn
Modified: 2018-04-27 03:05 UTC (History)
CC: 9 users
Clone Of:
Last Closed: 2016-05-11 08:25:49 UTC


External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2016:1023 | normal | SHIPPED_LIVE | Red Hat OpenShift Enterprise 3.1 logging images bug fix update | 2016-05-11 12:23:47 UTC
Red Hat Product Errata RHSA-2016:1064 | normal | SHIPPED_LIVE | Important: Red Hat OpenShift Enterprise 3.2 security, bug fix, and enhancement update | 2016-05-12 20:19:17 UTC

Internal Trackers: 1316271

Description Wesley Hearn 2016-03-09 17:10:35 UTC
Description of problem:
Users are able to access logs of a deleted namespace if recreated with the same name regardless if they were the previous owner.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. User A creates a namespace and populates logs
2. User A deletes namespace
3. User B creates a new namespace with the same name

Actual results:
User B can access logs from User A's namespace

Expected results:
User B should be restricted to logs generated from the pods he created in his new namespace.

Additional info:

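A toy model of the isolation failure described above, added here as an illustration and not code from the bug, from OpenShift, or from the Red Hat logging images. The weak store keys log entries on the namespace name alone, so an authorization check against the current owner of that name passes for a recreated namespace and returns the previous owner's lines. The hardened store assumes, as a design choice of this example, that every namespace incarnation carries an immutable UID and keys log entries on (name, uid); the class names, the `Cluster` helper, the uuid4 identifiers and the sample log lines are all constructed for the example.

```python
"""Toy model of per-namespace log isolation (constructed example, not OpenShift code).

Models the bug: a log store that indexes entries by namespace *name* lets a
later owner of a recreated namespace read the previous owner's logs.  The
hardened store keys entries on the namespace's immutable UID as well as its
name, so a new namespace with the same name has a new UID and sees nothing
from the old one.  UIDs here are uuid4 values (an assumption of this example;
the real platform assigns its own identifiers).
"""
import uuid
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Namespace:
    name: str
    uid: str
    owner: str


class Cluster:
    """Tracks live namespaces; deleting and recreating a name yields a new UID."""

    def __init__(self):
        self._live = {}  # name -> Namespace

    def create(self, name, owner):
        if name in self._live:
            raise ValueError(f"namespace {name!r} already exists")
        ns = Namespace(name, str(uuid.uuid4()), owner)
        self._live[name] = ns
        return ns

    def delete(self, name):
        del self._live[name]

    def owner_of(self, name):
        return self._live[name].owner

    def get(self, name):
        return self._live[name]


class NameKeyedLogStore:
    """Vulnerable: the index key is the namespace name only (the behaviour reported)."""

    def __init__(self, cluster):
        self.cluster = cluster
        self._index = defaultdict(list)  # name -> lines

    def ingest(self, ns, line):
        self._index[ns.name].append(line)

    def query(self, user, name):
        # Authorization is checked against the *current* namespace of that name,
        # but the index has no notion of which incarnation wrote each line.
        if self.cluster.owner_of(name) != user:
            raise PermissionError(user)
        return list(self._index[name])


class UidKeyedLogStore:
    """Hardened: the index key is (name, uid); a recreated namespace has a fresh UID."""

    def __init__(self, cluster):
        self.cluster = cluster
        self._index = defaultdict(list)  # (name, uid) -> lines

    def ingest(self, ns, line):
        self._index[(ns.name, ns.uid)].append(line)

    def query(self, user, name):
        ns = self.cluster.get(name)  # resolves to the live incarnation only
        if ns.owner != user:
            raise PermissionError(user)
        return list(self._index[(ns.name, ns.uid)])


def reproduce(store_cls):
    """Run the bug's three steps and return what user B can read afterwards."""
    cluster = Cluster()
    store = store_cls(cluster)
    ns_a = cluster.create("payments", owner="userA")
    store.ingest(ns_a, "card token 4111-xxxx issued")  # constructed sensitive log line
    cluster.delete("payments")
    ns_b = cluster.create("payments", owner="userB")
    store.ingest(ns_b, "hello from userB")
    return store.query("userB", "payments")


if __name__ == "__main__":
    print("name-keyed :", reproduce(NameKeyedLogStore))
    print("uid-keyed  :", reproduce(UidKeyedLogStore))
```

The check that matters is the last line of `reproduce`: with the name-keyed store user B gets both lines, with the UID-keyed store only the line written in his own namespace. Any real fix must also make sure the ingestion side records the UID at write time, since the UID cannot be recovered from the name once the old namespace is gone.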
Comment 1 Kurt Seifried 2016-03-09 20:36:36 UTC
Just a note, I linked the CVE bug for this here and made 1303130 depend on the CVE bug as well so you can easily track this.

Comment 5 Xia Zhao 2016-03-25 05:04:43 UTC
Tried to run the Deployer with 3.1.1.10, get this error:

# docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-10 -i -t /bin/bash
exec: "./run.sh": permission denied
Error response from daemon: Cannot start container d4cc231345784c5abe12597aa59b777209cc5b9c8fafd62afac0c7d65d75a350: [8] System error: exec: "./run.sh": permission denied

This issue reproduces with deployer image 3.1.1-9; the 3.1.1-8 image is good:

#docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-8 -i -t /bin/bash
+ dir=/etc/deploy
+ image_prefix=openshift/
+ image_version=latest
+ hostname=kibana.example.com
+ ops_hostname=kibana-ops.example.com
...

Comment 6 Xia Zhao 2016-03-25 06:10:32 UTC
Filed new issue https://bugzilla.redhat.com/show_bug.cgi?id=1321258. I will continue working on this after it is resolved.

Comment 7 Xia Zhao 2016-03-29 10:32:36 UTC
Encountered a new blocker https://bugzilla.redhat.com/show_bug.cgi?id=1321855 when verifying this with the latest logging images. Have to continue the work here after this gets addressed.

Comment 8 Xia Zhao 2016-03-30 06:59:01 UTC
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1322245

Comment 14 Xia Zhao 2016-04-05 09:53:44 UTC
Today I turned back to work with brew images on OSE 3.1, and reopened https://bugzilla.redhat.com/show_bug.cgi?id=1322245. This issue is currently blocked by that one.

Comment 15 Xia Zhao 2016-04-06 03:58:35 UTC
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324280

Comment 16 Xia Zhao 2016-04-06 07:16:44 UTC
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324357

Comment 17 chunchen 2016-04-06 09:01:00 UTC
The bug id=1324357 is not a blocker now; tried with the latest logging images below, the issue is fixed, so marking it as verified:

logging-deployment      3.1.1-12            1889baecfc21
logging-fluentd         3.1.1-9             6a4bfd80f3eb
logging-elasticsearch   3.1.1-9             c0901c52554b
logging-kibana          3.1.1-7             3ce38d905617
logging-auth-proxy      latest              3d6792a3aeed

Comment 18 Jeff Cantrill 2016-04-14 13:21:26 UTC
*** Bug 1326574 has been marked as a duplicate of this bug. ***

Comment 19 Troy Dawson 2016-04-26 19:04:51 UTC
We needed to rebuild logging-deployment, logging-fluentd, and logging-elasticsearch for security updates and they weren't originally built with signed packages.

Can you please retest these images:

openshift3/logging-deployment:3.1.1-16
openshift3/logging-elasticsearch:3.1.1-10
openshift3/logging-fluentd:3.1.1-10

You should be able to use "latest" for everything else.

Comment 21 Xia Zhao 2016-04-28 03:09:41 UTC
Logs got shown on Kibana UI now and passed issue verification. Set to verified.

Comment 23 errata-xmlrpc 2016-05-11 08:25:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1023