Bug 1316216 - Logging is not restricted to current owner/group of a namespace
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: ewolinet
QA Contact: chunchen
Blocks: OSOPS_V3 CVE-2016-2149
Reported: 2016-03-09 12:10 EST by Wesley Hearn
Modified: 2018-04-26 23:05 EDT
Doc Type: Bug Fix
Last Closed: 2016-05-11 04:25:49 EDT
Type: Bug

Description Wesley Hearn 2016-03-09 12:10:35 EST
Description of problem:
Users are able to access logs of a deleted namespace if it is recreated with the same name, regardless of whether they were the previous owner.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. User A creates a namespace and populates logs
2. User A deletes namespace
3. User B creates a new namespace with the same name

Actual results:
User B can access logs from User A's namespace

Expected results:
User B should be restricted to logs generated from the pods he created in his new namespace.

Additional info:
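
The reproduction steps above, modelled as an added example (not part of the original report and not the project's code or its fix). The report does not say how logs are stored; the per-incarnation `uid` field is an assumption modelled on Kubernetes `metadata.uid`, and all names and records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Namespace:
    name: str
    uid: str      # assumed: unique per incarnation, changes when the name is reused
    owner: str

@dataclass(frozen=True)
class LogRecord:
    namespace_name: str
    namespace_uid: str
    message: str

# Constructed data: "shop" was created by userA, deleted, then recreated by userB.
RECORDS = [
    LogRecord("shop", "uid-1111", "userA: db password rotated"),
    LogRecord("shop", "uid-1111", "userA: payment service started"),
    LogRecord("shop", "uid-2222", "userB: hello world"),
    LogRecord("other", "uid-3333", "userC: unrelated"),
]
LIVE = {
    "shop": Namespace("shop", "uid-2222", "userB"),
    "other": Namespace("other", "uid-3333", "userC"),
}

def _owned(user, ns_name, live):
    ns = live.get(ns_name)
    return ns if ns is not None and ns.owner == user else None

def visible_by_name(user, ns_name, live=LIVE, records=RECORDS):
    """Name-only scoping: reproduces the 'Actual results' behaviour."""
    ns = _owned(user, ns_name, live)
    if ns is None:
        return []
    return [r.message for r in records if r.namespace_name == ns.name]

def visible_by_incarnation(user, ns_name, live=LIVE, records=RECORDS):
    """Scoping on name + uid: matches the 'Expected results' behaviour."""
    ns = _owned(user, ns_name, live)
    if ns is None:
        return []
    return [r.message for r in records
            if (r.namespace_name, r.namespace_uid) == (ns.name, ns.uid)]

def stale_records(live=LIVE, records=RECORDS):
    """Audit helper: records left behind by a namespace incarnation that no longer exists."""
    return [r for r in records
            if r.namespace_name not in live
            or live[r.namespace_name].uid != r.namespace_uid]
```

Running `stale_records()` against an existing log store is a way to see which records would be exposed by a name reuse before it happens.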
Comment 1 Kurt Seifried 2016-03-09 15:36:36 EST
Just a note, I linked the CVE bug for this here and made 1303130 depend on the CVE bug as well so you can easily track this.
Comment 5 Xia Zhao 2016-03-25 01:04:43 EDT
Tried to run the Deployer with 3.1.1.10, got this error:

# docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-10 -i -t /bin/bash
exec: "./run.sh": permission denied
Error response from daemon: Cannot start container d4cc231345784c5abe12597aa59b777209cc5b9c8fafd62afac0c7d65d75a350: [8] System error: exec: "./run.sh": permission denied

This issue reproduces with deployer image 3.1.1-9, and the 3.1.1-8 image is good:

# docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-8 -i -t /bin/bash
+ dir=/etc/deploy
+ image_prefix=openshift/
+ image_version=latest
+ hostname=kibana.example.com
+ ops_hostname=kibana-ops.example.com
...
Comment 6 Xia Zhao 2016-03-25 02:10:32 EDT
Filed new issue https://bugzilla.redhat.com/show_bug.cgi?id=1321258. I will continue working on this after it is resolved.
Comment 7 Xia Zhao 2016-03-29 06:32:36 EDT
Encountered a new blocker https://bugzilla.redhat.com/show_bug.cgi?id=1321855 when verifying this with the latest logging images. I have to continue the work here after this gets addressed.
Comment 8 Xia Zhao 2016-03-30 02:59:01 EDT
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1322245
Comment 14 Xia Zhao 2016-04-05 05:53:44 EDT
Today I went back to working with brew images on OSE 3.1, and reopened https://bugzilla.redhat.com/show_bug.cgi?id=1322245. This issue is currently blocked by that bug.
Comment 15 Xia Zhao 2016-04-05 23:58:35 EDT
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324280
Comment 16 Xia Zhao 2016-04-06 03:16:44 EDT
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324357
Comment 17 chunchen 2016-04-06 05:01:00 EDT
The bug id=1324357 is not a blocker now. Tried with the latest logging images below; the issue is fixed, so marking it as verified:

logging-deployment      3.1.1-12            1889baecfc21
logging-fluentd         3.1.1-9             6a4bfd80f3eb
logging-elasticsearch   3.1.1-9             c0901c52554b
logging-kibana          3.1.1-7             3ce38d905617
logging-auth-proxy      latest              3d6792a3aeed
Comment 18 Jeff Cantrill 2016-04-14 09:21:26 EDT
*** Bug 1326574 has been marked as a duplicate of this bug. ***
Comment 19 Troy Dawson 2016-04-26 15:04:51 EDT
We needed to rebuild logging-deployment, logging-fluentd, and logging-elasticsearch for security updates and they weren't originally built with signed packages.

Can you please retest these images?

openshift3/logging-deployment:3.1.1-16
openshift3/logging-elasticsearch:3.1.1-10
openshift3/logging-fluentd:3.1.1-10

You should be able to use "latest" for everything else.
Comment 21 Xia Zhao 2016-04-27 23:09:41 EDT
Logs got shown on Kibana UI now and passed issue verification. Set to verified.
Comment 23 errata-xmlrpc 2016-05-11 04:25:49 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1023
