Bug 1316216 - Logging is not restricted to current owner/group of a namespace
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: ewolinet
Depends On:
Blocks: OSOPS_V3 CVE-2016-2149
Reported: 2016-03-09 12:10 EST by Wesley Hearn
Modified: 2018-04-26 23:05 EDT (History)
See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-05-11 04:25:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1023 normal SHIPPED_LIVE Red Hat OpenShift Enterprise 3.1 logging images bug fix update 2016-05-11 08:23:47 EDT
Red Hat Product Errata RHSA-2016:1064 normal SHIPPED_LIVE Important: Red Hat OpenShift Enterprise 3.2 security, bug fix, and enhancement update 2016-05-12 16:19:17 EDT

Description Wesley Hearn 2016-03-09 12:10:35 EST
Description of problem:
Users are able to access logs of a deleted namespace if it is recreated with the same name, regardless of whether they were the previous owner.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. User A creates a namespace and populates logs
2. User A deletes namespace
3. User B creates a new namespace with the same name

Actual results:
User B can access logs from User A's namespace

Expected results:
User B should be restricted to logs generated from the pods he created in his new namespace.

Additional info:
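The failure mode in the steps above, as an added illustration that is not part of the bug report or of the OpenShift logging code: a log store keyed only on the namespace name hands the old namespace's records to whoever owns the recreated namespace, while keying on the namespace's current UID (a fresh value on every creation, an assumption in this toy model) limits the new owner to records from the new namespace.

```python
"""Toy model of a namespace-scoped log access check (constructed example).

Assumptions: the cluster assigns a fresh UID when a namespace is (re)created,
log records outlive the namespace they came from (as they do in a separate
log store), and authorization is "user currently owns a namespace of that name".
"""
from dataclasses import dataclass, field
import uuid


@dataclass(frozen=True)
class Namespace:
    name: str
    uid: str  # assumed: new UID on every creation, even with a reused name


@dataclass
class Cluster:
    namespaces: dict = field(default_factory=dict)  # name -> Namespace
    owners: dict = field(default_factory=dict)      # name -> owning user
    log_store: list = field(default_factory=list)   # (ns name, ns uid, line)

    def create(self, name: str, user: str) -> Namespace:
        ns = Namespace(name, uuid.uuid4().hex)
        self.namespaces[name] = ns
        self.owners[name] = user
        return ns

    def delete(self, name: str) -> None:
        # The namespace goes away; its log records do not.
        del self.namespaces[name]
        del self.owners[name]

    def log(self, ns: Namespace, line: str) -> None:
        self.log_store.append((ns.name, ns.uid, line))

    def can_read(self, user: str, name: str) -> bool:
        return self.owners.get(name) == user

    def read_by_name(self, user: str, name: str) -> list:
        # Vulnerable: matches every record ever written under this name.
        if not self.can_read(user, name):
            return []
        return [line for n, _, line in self.log_store if n == name]

    def read_by_uid(self, user: str, name: str) -> list:
        # Hardened: also require the UID of the namespace that exists now.
        if not self.can_read(user, name):
            return []
        uid = self.namespaces[name].uid
        return [line for n, u, line in self.log_store if n == name and u == uid]


def demo() -> tuple:
    # Replays the report's steps: A creates/logs/deletes, B recreates same name.
    c = Cluster()
    ns_a = c.create("app", "userA")
    c.log(ns_a, "secret from A")
    c.delete("app")
    ns_b = c.create("app", "userB")
    c.log(ns_b, "B's own line")
    return c.read_by_name("userB", "app"), c.read_by_uid("userB", "app")
```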
Comment 1 Kurt Seifried 2016-03-09 15:36:36 EST
Just a note, I linked the CVE bug for this here and made 1303130 depend on the CVE bug as well so you can easily track this.
Comment 5 Xia Zhao 2016-03-25 01:04:43 EDT
Tried to run the Deployer with the command below and got this error:

# docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-10 -i -t /bin/bash
exec: "./run.sh": permission denied
Error response from daemon: Cannot start container d4cc231345784c5abe12597aa59b777209cc5b9c8fafd62afac0c7d65d75a350: [8] System error: exec: "./run.sh": permission denied

This issue reproduces with deployer image 3.1.1-9; the 3.1.1-8 image is good:

#docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-8 -i -t /bin/bash
+ dir=/etc/deploy
+ image_prefix=openshift/
+ image_version=latest
+ hostname=kibana.example.com
+ ops_hostname=kibana-ops.example.com
Comment 6 Xia Zhao 2016-03-25 02:10:32 EDT
Filed new issue https://bugzilla.redhat.com/show_bug.cgi?id=1321258. I will continue working on this after it is resolved.
Comment 7 Xia Zhao 2016-03-29 06:32:36 EDT
Encountered a new blocker https://bugzilla.redhat.com/show_bug.cgi?id=1321855 when verifying this with the latest logging images. Have to continue the work here after that gets addressed.
Comment 8 Xia Zhao 2016-03-30 02:59:01 EDT
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1322245
Comment 14 Xia Zhao 2016-04-05 05:53:44 EDT
Today I turned back to work with brew images on OSE 3.1, and reopened https://bugzilla.redhat.com/show_bug.cgi?id=1322245. This issue is currently blocked by it.
Comment 15 Xia Zhao 2016-04-05 23:58:35 EDT
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324280
Comment 16 Xia Zhao 2016-04-06 03:16:44 EDT
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324357
Comment 17 chunchen 2016-04-06 05:01:00 EDT
The bug id=1324357 is not a blocker now; tried with the latest logging images below, the issue is fixed, so marking it as verified:

logging-deployment      3.1.1-12            1889baecfc21
logging-fluentd         3.1.1-9             6a4bfd80f3eb
logging-elasticsearch   3.1.1-9             c0901c52554b
logging-kibana          3.1.1-7             3ce38d905617
logging-auth-proxy      latest              3d6792a3aeed
Comment 18 Jeff Cantrill 2016-04-14 09:21:26 EDT
*** Bug 1326574 has been marked as a duplicate of this bug. ***
Comment 19 Troy Dawson 2016-04-26 15:04:51 EDT
We needed to rebuild logging-deployment, logging-fluentd, and logging-elasticsearch for security updates and they weren't originally built with signed packages.

Can you please retest these images?

You should be able to use "latest" for everything else.
Comment 21 Xia Zhao 2016-04-27 23:09:41 EDT
Logs got shown on Kibana UI now and passed issue verification. Set to verified.
Comment 23 errata-xmlrpc 2016-05-11 04:25:49 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.