1548640 – Cluster-admin users should be able to view _cat endpoints

Bug 1548640 - Cluster-admin users should be able to view _cat endpoints

Summary: Cluster-admin users should be able to view _cat endpoints

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Logging
Sub Component:
Version:	3.10.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Jeff Cantrill
QA Contact:	Anping Li
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1685792 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-24 05:48 UTC by Anping Li
Modified:	2021-09-09 13:16 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Permission was defined incorrectly Consequence: admin users could not use the cluster endpoints Fix: Define the correct permission Result: admin users can use the _cat endpoints
Clone Of:
Environment:
Last Closed:	2019-04-11 05:38:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift origin-aggregated-logging pull 1270	'None'	closed	fix 1548640. Cluster admins can use all cat endpoints	2021-02-11 06:02:18 UTC
Github	openshift origin-aggregated-logging pull 1537	'None'	closed	[release-3.11] bug 1679864. Allow cluster admins to retrieve indice list	2021-02-11 06:02:19 UTC
Red Hat Product Errata	RHBA-2019:0636	None	None	None	2019-04-11 05:38:28 UTC

Description Anping Li 2018-02-24 05:48:19 UTC

Description of problem:
The cluster-admin couldn't get _cat endpoints.

curl -vk -X GET -H "Authorization: Bearer $token"  "https://${URL}/_cat/indices?v"
curl -vk -X GET -H "Authorization: Bearer $token"  "https://${URL}/_cat/aliases?v"
curl -vk -X GET -H "Authorization: Bearer $token"  "https://${URL}/_cat/nodes?v"


The _cluster/health can be retrieved
curl -vk -X GET -H "Authorization: Bearer $token"  "https://${URL}/_cluster/health?pretty"

How reproducible:
always

Version-Release number of selected component (if applicable):
atomic-openshift-3.9.0-0.51.0.
logging-elasticsearch/images/v3.9.0-0.51.0.0"


Steps to Reproduce:
1. Deploy logging with openshift_logging_es_allow_external=True
2. Grant use1 cluster-admin roles
oc adm policy add-cluster-role-to-user cluster-admin  user1
3. Get the token and route
oc login -u user1
token=$(oc whoami -t)
URL=$(oc get route logging-es -o custom-columns=ROUTER:.spec.host  |grep -v 'ROUTER')

4. Access _cat endpoints using token
curl -vk -X GET -H "Authorization: Bearer $token"  "https://${URL}/_cat/indices?v"
curl -vk -X GET -H "Authorization: Bearer $token"  "https://${URL}/_cat/aliases?v"
curl -vk -X GET -H "Authorization: Bearer $token"  "https://${URL}/_cat/nodes?v"
5. Access _cluster endpoints
curl -vk -X GET -H "Authorization: Bearer $token"  "https://${URL}/_cluster/health?pretty"

Actual results:

Step 4: 
< HTTP/1.1 403 Forbidden
< Content-Type: application/json; charset=UTF-8
< Content-Length: 201
< Set-Cookie: b996a9a16827ba0b2128327e4995fdd9=b767e4df32faa957e433959b7a52398e; path=/; HttpOnly; Secure
< 

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for cluster:monitor/state"}],"type":"security_exception","reason":"no permissions for cluster:monitor/state"},"status":403}


Step 5: 

< HTTP/1.1 200 OK
< Content-Type: application/json; charset=UTF-8
< Content-Length: 463
< Set-Cookie: b996a9a16827ba0b2128327e4995fdd9=b767e4df32faa957e433959b7a52398e; path=/; HttpOnly; Secure
< Cache-control: private
< 
{
  "cluster_name" : "logging-es",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 8,
  "active_shards" : 8,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}


Expected results:

Step 4:  can return Elasticsearch Endpoints



Additional info:

Comment 1 Jeff Cantrill 2018-02-24 16:01:53 UTC

You may use 'oc exec -c elasticsearch $POD -- es_util --query=_cat/indices' which allows you to use the admin certs.  If you have cluster permissions then you have access to the pod which allows you access to these endpoints.

You may also need to simply update the rolesmapping document by rsh to the pod, update the document with the appropriate actions and then running 'es_seed_acl'.

@Eric,  thoughts on if this is something we missed and should allow and or change?

Lowering the priority as this is not a blocker

Comment 2 Rich Megginson 2018-02-26 20:48:19 UTC

Is this a regression?  If not, it is an RFE.

Comment 4 Jeff Cantrill 2018-08-01 20:41:04 UTC

https://github.com/openshift/origin-aggregated-logging/pull/1270

Comment 5 Jeff Cantrill 2018-08-01 20:43:03 UTC

# curl -k -H "Authorization: Bearer $token" https://172.30.250.118:9200/ -H"x-forwarded-for: 127.0.0.1"

or 

# curl -k -H "Authorization: Bearer $token" https://172.30.250.118:9200/_cat/indices -H"x-forwarded-for: 127.0.0.1"
yellow open project.kube-system.50884c2b-8f47-11e8-a173-525400c5b2ed.2018.07.31 R0svyTlISvqMlFKUzfjk9g 5 1      2 0  55.8kb  55.8kb
green  open .kibana.d033e22ae348aeb5660fc2140aec35850c4da997                    nH6UXiHyQvewZRzupdqkzg 1 0      5 0  54.9kb  54.9kb
yellow open .kibana                                                             095dIdIwSnqQhEc5XPg21g 1 1      1 0   3.2kb   3.2kb
green  open .operations.2018.08.01                                              CxdEmTeKSI2tRkgFdaZzcA 1 0  29786 0  44.1mb  44.1mb
green  open .searchguard                                                        yZc8mDnKTfiJW4BalFkHZg 1 0      0 0    67kb    67kb
green  open .operations.2058.09.22                                              JKYv9YDHQhWhtI3nvmIXIQ 1 0      3 0  19.1kb  19.1kb
yellow open project.kube-proxy.d0edea0d-945a-11e8-ad9b-525400c5b2ed.2018.07.31  38lwSa_OQJGpY36vpOXQ7A 5 1     16 0   163kb   163kb
yellow open project.kube-dns.d04f6a8a-945a-11e8-ad9b-525400c5b2ed.2018.07.31    w49FM3HiQLaIMe6PFLh-hA 5 1      8 0 123.3kb 123.3kb
yellow open .operations.2018.07.31                                              G19DbKGcRFeNyxS1fwdTIQ 5 1 180853 0 234.3mb 234.3mb
yellow open project.kube-system.ca5f63a5-945a-11e8-ad9b-525400c5b2ed.2018.07.31 ULT2hAF4S8KKxqJf9KkTtw 5 1  10129 0  12.1mb  12.1mb

Comment 9 Qiaoling Tang 2019-03-06 07:19:01 UTC

*** Bug 1685792 has been marked as a duplicate of this bug. ***

Comment 10 Shirly Radco 2019-03-06 08:38:20 UTC

This is a blocker for RHV release

Comment 21 errata-xmlrpc 2019-04-11 05:38:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0636

Note You need to log in before you can comment on or make changes to this bug.