Bug 1473152 - [free-stg][free-int][starter-us-west/east] User should be able to control access whitelist for routes
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Routing
Version: 3.x
Hardware: Unspecified, OS: Unspecified
Priority: medium, Severity: medium
Assigned To: Miciah Dashiel Butler Masters
QA Contact: zhaozhanqi
Keywords: OnlineStarter
Reported: 2017-07-20 02:44 EDT by Meng Bo
Modified: 2017-11-09 13:46 EST
Last Closed: 2017-11-09 13:46:33 EST
Type: Bug
Description Meng Bo 2017-07-20 02:44:57 EDT
Description of problem:
Related OCP feature: https://trello.com/c/TbZPhHKE/21-3-route-security-management-by-end-user-ingress

User cannot control the access for route in free online env.


Version-Release number of selected component (if applicable):
v3.6.152.0

How reproducible:
always

Steps to Reproduce:
1. Create route
2. Set the access control by the env
oc annotate route route1 --overwrite haproxy.router.openshift.io/ip_whitelist='10.66.140.100'
3. Access the route with client IP which is not in the whitelist

Actual results:
Can access the route.

Expected results:
Should not be able to access.

Additional info:
Comment 1 Ben Bennett 2017-07-20 11:54:14 EDT
This is probably because the haproxy template is out of sync.
Comment 2 Abhishek Gupta 2017-09-08 13:26:31 EDT
Starter tier clusters now use the same default router template that ships with OCP. This issue should now be resolved.
Comment 3 zhaozhanqi 2017-09-11 03:07:03 EDT
Found free-int still using the custom template
        - name: TEMPLATE_FILE
          value: /var/lib/haproxy/conf/custom/haproxy-config.template

So please move this bug to ON_QA once it's upgraded, thanks
Comment 4 Meng Bo 2017-09-11 05:57:32 EDT
Hi Abhishek,

If we use the same template as the OCP one, how do we limit the function for some of the routes like before? E.g., cannot create custom domain for some kinds of routes.

Thanks.
Comment 5 Miciah Dashiel Butler Masters 2017-09-11 10:01:32 EDT
Hi Bo,

We will restrict custom domains by removing the policy rule that grants create access to the routes/custom-host resource.
Comment 7 Miciah Dashiel Butler Masters 2017-09-11 12:46:02 EDT
free-int and free-stg now should have the standard router template.
Comment 8 zhaozhanqi 2017-09-12 04:03:53 EDT
Verified this bug on free-int (v3.7.0-0.104.0), free-stg (v3.6.173.0.5)
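
An added example, not part of the bug thread or of OpenShift's own code: a small audit for the condition this bug describes. It flags routes that carry the ip_whitelist annotation while the router's TEMPLATE_FILE points at a custom template, and computes the verdict a given client IP should get. The JSON shapes, sample objects and function names are constructed; a custom template is treated only as a reason to test, not as proof the annotation is ignored.

```python
import ipaddress

# Annotation key and template path are the ones quoted in this bug report.
WHITELIST = "haproxy.router.openshift.io/ip_whitelist"

# Constructed sample objects, shaped like `oc get dc/route -o json` output.
ROUTER_DC = {"spec": {"template": {"spec": {"containers": [{"env": [
    {"name": "TEMPLATE_FILE",
     "value": "/var/lib/haproxy/conf/custom/haproxy-config.template"}]}]}}}}
DEFAULT_DC = {"spec": {"template": {"spec": {"containers": [{"env": []}]}}}}
ROUTES = [
    {"metadata": {"name": "route1",
                  "annotations": {WHITELIST: "10.66.140.100"}}},
    {"metadata": {"name": "route2"}},  # no whitelist: open to all clients
]


def custom_template(router_dc):
    """Return the TEMPLATE_FILE override on the router, or None if unset."""
    for container in router_dc["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            if env.get("name") == "TEMPLATE_FILE" and env.get("value"):
                return env["value"]
    return None


def whitelist_allows(route, client_ip):
    """Verdict a router that honours the annotation should give client_ip.

    The value is a space-separated list of IPs and/or CIDRs; a malformed
    entry raises ValueError so it gets noticed instead of skipped.
    """
    value = route["metadata"].get("annotations", {}).get(WHITELIST, "")
    if not value.strip():
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False)
               for e in value.split())


def routes_at_risk(router_dc, routes):
    """Routes that set a whitelist while the router runs a custom template,
    i.e. the ones to probe from a non-whitelisted client."""
    if custom_template(router_dc) is None:
        return []
    return [r["metadata"]["name"] for r in routes
            if WHITELIST in r["metadata"].get("annotations", {})]
```

For each name returned by routes_at_risk, a request from an address where whitelist_allows is False should be rejected; a successful response reproduces the behaviour reported here.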
