Description of problem:
Users are able to access logs of a deleted namespace if recreated with the same name regardless if they were the previous owner.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. User A creates a namespace and populates logs
2. User A deletes namespace
3. User B creates a new namespace with the same name

Actual results:
User B can access logs from User A's namespace

Expected results:
User B should be restricted to logs generated from the pods he created in his new namespace.

Additional info:
Just a note, I linked the CVE bug for this here and made 1303130 depend on the CVE bug as well so you can easily track this.
Tried to run the Deployer with 3.1.1.10, got this error:

# docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-10 -i -t /bin/bash
exec: "./run.sh": permission denied
Error response from daemon: Cannot start container d4cc231345784c5abe12597aa59b777209cc5b9c8fafd62afac0c7d65d75a350: [8] System error: exec: "./run.sh": permission denied

This issue reproduces with deployer image 3.1.1-9, and the 3.1.1-8 image is good:

#docker run brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment:3.1.1-8 -i -t /bin/bash
+ dir=/etc/deploy
+ image_prefix=openshift/
+ image_version=latest
+ hostname=kibana.example.com
+ ops_hostname=kibana-ops.example.com
...
Filed new issue https://bugzilla.redhat.com/show_bug.cgi?id=1321258. I will continue working on this after it is resolved.
Encountered a new blocker https://bugzilla.redhat.com/show_bug.cgi?id=1321855 when verifying this with the latest logging images. Have to continue the work here after this gets addressed.
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1322245
Today I turned back to work with brew images on OSE 3.1, and reopened https://bugzilla.redhat.com/show_bug.cgi?id=1322245. This issue is currently blocked by it.
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324280
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1324357
The bug id=1324357 is not a blocker now. Tried with the latest logging images below; the issue is fixed, so marking it as verified:

logging-deployment      3.1.1-12    1889baecfc21
logging-fluentd         3.1.1-9     6a4bfd80f3eb
logging-elasticsearch   3.1.1-9     c0901c52554b
logging-kibana          3.1.1-7     3ce38d905617
logging-auth-proxy      latest      3d6792a3aeed
*** Bug 1326574 has been marked as a duplicate of this bug. ***
We needed to rebuild logging-deployment, logging-fluentd, and logging-elasticsearch for security updates and they weren't originally built with signed packages. Can you please retest these images:

openshift3/logging-deployment:3.1.1-16
openshift3/logging-elasticsearch:3.1.1-10
openshift3/logging-fluentd:3.1.1-10

You should be able to use "latest" for everything else.
Logs got shown on Kibana UI now and passed issue verification. Set to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1023