Bug 1316216 - Logging is not restricted to current owner/group of a namespace
Summary: Logging is not restricted to current owner/group of a namespace
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: ewolinet
QA Contact: chunchen
Depends On:
Blocks: OSOPS_V3 CVE-2016-2149
Reported: 2016-03-09 17:10 UTC by Wesley Hearn
Modified: 2018-04-27 03:05 UTC

Clone Of:
Last Closed: 2016-05-11 08:25:49 UTC

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:1023 | normal | SHIPPED_LIVE | Red Hat OpenShift Enterprise 3.1 logging images bug fix update | 2016-05-11 12:23:47 UTC
Red Hat Product Errata | RHSA-2016:1064 | normal | SHIPPED_LIVE | Important: Red Hat OpenShift Enterprise 3.2 security, bug fix, and enhancement update | 2016-05-12 20:19:17 UTC

Internal Trackers: 1316271

Description Wesley Hearn 2016-03-09 17:10:35 UTC
Description of problem:
Users are able to access logs of a deleted namespace if it is recreated with the same name, regardless of whether they were the previous owner.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. User A creates a namespace and populates logs
2. User A deletes namespace
3. User B creates a new namespace with the same name

Actual results:
User B can access logs from User A's namespace

Expected results:
User B should be restricted to logs generated from the pods he created in his new namespace.

Additional info:
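
An added model of the reproduction steps above (not part of the original report and not OpenShift's code). It assumes stored logs outlive a deleted namespace and that read access is checked only against the live namespace's owner, then contrasts selecting records by namespace name with selecting them by a per-creation UID. The `LogStore` class, the `shop` namespace and the UID-scoping policy are hypothetical; the page does not describe how the shipped fix works.

```python
# Constructed model of the reported behaviour; not OpenShift code.
# Assumption: access is checked against the live namespace, while stored
# logs outlive the namespace they came from.
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Namespace:
    name: str
    uid: int      # unique per creation, never reused
    owner: str

class LogStore:
    def __init__(self):
        self._uids = count(1)
        self.live = {}     # namespace name -> Namespace
        self.records = []  # (ns_name, ns_uid, message), kept after deletion

    def create(self, name, owner):
        if name in self.live:
            raise ValueError(f"namespace {name!r} already exists")
        self.live[name] = Namespace(name, next(self._uids), owner)

    def delete(self, name):
        del self.live[name]  # records are intentionally retained

    def emit(self, name, message):
        ns = self.live[name]
        self.records.append((ns.name, ns.uid, message))

    def read(self, user, name, match_uid):
        ns = self.live.get(name)
        if ns is None or ns.owner != user:
            raise PermissionError(f"{user} may not read {name!r}")
        if match_uid:  # hardened: only records from this incarnation
            return [m for _, uid, m in self.records if uid == ns.uid]
        # weak: any record that ever carried this namespace name
        return [m for n, _, m in self.records if n == ns.name]

def replay_report():
    """Steps 1-3 of the report, then User B reads under both policies."""
    store = LogStore()
    store.create("shop", "userA")
    store.emit("shop", "A: order 1001 processed")
    store.delete("shop")
    store.create("shop", "userB")
    store.emit("shop", "B: app started")
    return (store.read("userB", "shop", match_uid=False),
            store.read("userB", "shop", match_uid=True))
```

In this model the ownership check passes in both cases; only the record selection differs, which is why a name-keyed lookup returns User A's entry to User B.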

Comment 1 Kurt Seifried 2016-03-09 20:36:36 UTC
Just a note, I linked the CVE bug for this here and made 1303130 depend on the CVE bug as well so you can easily track this.

Comment 5 Xia Zhao 2016-03-25 05:04:43 UTC
Tried to run the Deployer, got this error:

# docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-10 -i -t /bin/bash
exec: "./run.sh": permission denied
Error response from daemon: Cannot start container d4cc231345784c5abe12597aa59b777209cc5b9c8fafd62afac0c7d65d75a350: [8] System error: exec: "./run.sh": permission denied

This issue reproduces with deployer image 3.1.1-9, and the 3.1.1-8 image is good:

#docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-8 -i -t /bin/bash
+ dir=/etc/deploy
+ image_prefix=openshift/
+ image_version=latest
+ hostname=kibana.example.com
+ ops_hostname=kibana-ops.example.com

Comment 6 Xia Zhao 2016-03-25 06:10:32 UTC
Filed new issue https://bugzilla.redhat.com/show_bug.cgi?id=1321258. I will continue working on this after it is resolved.

Comment 7 Xia Zhao 2016-03-29 10:32:36 UTC
Encountered a new blocker https://bugzilla.redhat.com/show_bug.cgi?id=1321855 when verifying this with the latest logging images. Have to continue the work here after this gets addressed.

Comment 8 Xia Zhao 2016-03-30 06:59:01 UTC
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1322245

Comment 14 Xia Zhao 2016-04-05 09:53:44 UTC
Today I turned back to work with brew images on OSE 3.1, and reopened https://bugzilla.redhat.com/show_bug.cgi?id=1322245. This issue is currently blocked by that bug.

Comment 15 Xia Zhao 2016-04-06 03:58:35 UTC
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324280

Comment 16 Xia Zhao 2016-04-06 07:16:44 UTC
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324357

Comment 17 chunchen 2016-04-06 09:01:00 UTC
The bug id=1324357 is not a blocker now. Tried with the latest logging images below; the issue is fixed, so marking it as verified:

logging-deployment      3.1.1-12            1889baecfc21
logging-fluentd         3.1.1-9             6a4bfd80f3eb
logging-elasticsearch   3.1.1-9             c0901c52554b
logging-kibana          3.1.1-7             3ce38d905617
logging-auth-proxy      latest              3d6792a3aeed

Comment 18 Jeff Cantrill 2016-04-14 13:21:26 UTC
*** Bug 1326574 has been marked as a duplicate of this bug. ***

Comment 19 Troy Dawson 2016-04-26 19:04:51 UTC
We needed to rebuild logging-deployment, logging-fluentd, and logging-elasticsearch for security updates and they weren't originally built with signed packages.

Can you please retest these images?


You should be able to use "latest" for everything else.

Comment 21 Xia Zhao 2016-04-28 03:09:41 UTC
Logs got shown on Kibana UI now and passed issue verification. Set to verified.

Comment 23 errata-xmlrpc 2016-05-11 08:25:49 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.