Red Hat Bugzilla – Bug 1316216
Logging is not restricted to current owner/group of a namespace
Last modified: 2018-04-26 23:05:39 EDT
Description of problem:
Users are able to access logs of a deleted namespace if it is recreated with the same name, regardless of whether they were the previous owner.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. User A creates a namespace and populates logs
2. User A deletes namespace
3. User B creates a new namespace with the same name
User B can access logs from User A's namespace
User B should be restricted to logs generated from the pods he created in his new namespace.
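The reproduction steps above, as an added toy model that is not part of the original report and is not OpenShift's logging code: it shows how a log store filtered only by namespace name returns a previous tenant's records after the name is reused. The `Cluster` class, its method names, and the UID-scoped filter are assumptions made for illustration; the report does not describe how the shipped fix works.

```python
"""Constructed model: log access scoped by namespace name vs. namespace instance."""
import itertools
from dataclasses import dataclass, field


@dataclass
class Cluster:
    """Toy cluster: namespace names can be reused, UIDs never are (assumption)."""
    _uids: itertools.count = field(default_factory=lambda: itertools.count(1))
    namespaces: dict = field(default_factory=dict)  # name -> (uid, owner)
    logs: list = field(default_factory=list)        # (name, uid, message)

    def create(self, name, owner):
        self.namespaces[name] = (next(self._uids), owner)

    def delete(self, name):
        # The namespace is removed, but its records stay in the log store.
        del self.namespaces[name]

    def emit(self, name, message):
        uid, _ = self.namespaces[name]
        self.logs.append((name, uid, message))

    def _authorize(self, user, name):
        uid, owner = self.namespaces[name]
        if owner != user:
            raise PermissionError(f"{user} does not own {name}")
        return uid

    def read_by_name(self, user, name):
        """Weak scope: any record carrying this namespace *name*."""
        self._authorize(user, name)
        return [m for n, _, m in self.logs if n == name]

    def read_by_uid(self, user, name):
        """Stricter scope: only records from the current namespace instance."""
        uid = self._authorize(user, name)
        return [m for n, u, m in self.logs if n == name and u == uid]


def scenario():
    """Steps 1-3 from the report, with constructed log lines."""
    c = Cluster()
    c.create("demo", "userA")
    c.emit("demo", "userA line")
    c.delete("demo")
    c.create("demo", "userB")
    c.emit("demo", "userB line")
    return c.read_by_name("userB", "demo"), c.read_by_uid("userB", "demo")
```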
Just a note, I linked the CVE bug for this here and made 1303130 depend on the CVE bug as well so you can easily track this.
Tried to run the Deployer with 18.104.22.168, get this error:
# docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-10 -i -t /bin/bash
exec: "./run.sh": permission denied
Error response from daemon: Cannot start container d4cc231345784c5abe12597aa59b777209cc5b9c8fafd62afac0c7d65d75a350:  System error: exec: "./run.sh": permission denied
This issue reproduces with deployer image 3.1.1-9, and the 3.1.1-8 image is good:
#docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-8 -i -t /bin/bash
Filed new issue https://bugzilla.redhat.com/show_bug.cgi?id=1321258. I will continue working on this after it is resolved.
Encountered a new blocker https://bugzilla.redhat.com/show_bug.cgi?id=1321855 when verifying this with the latest logging images. Have to continue the work here after this gets addressed.
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1322245
Today I went back to working with brew images on OSE 3.1, and reopened https://bugzilla.redhat.com/show_bug.cgi?id=1322245. This issue is currently blocked by that bug.
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324280
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324357
The bug id=1324357 is not a blocker now. Tried with the latest logging images below, the issue is fixed, so marking it as verified:
logging-deployment 3.1.1-12 1889baecfc21
logging-fluentd 3.1.1-9 6a4bfd80f3eb
logging-elasticsearch 3.1.1-9 c0901c52554b
logging-kibana 3.1.1-7 3ce38d905617
logging-auth-proxy latest 3d6792a3aeed
*** Bug 1326574 has been marked as a duplicate of this bug. ***
We needed to rebuild logging-deployment, logging-fluentd, and logging-elasticsearch for security updates and they weren't originally built with signed packages.
Can you please retest these images
You should be able to use "latest" for everything else.
Logs got shown on Kibana UI now and passed issue verification. Set to verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.