Bug 1703502 - Enable auth for metrics endpoint on cluster-authentication-operator
Summary: Enable auth for metrics endpoint on cluster-authentication-operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.1.0
Assignee: Abu Kashem
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-04-26 15:22 UTC by Neelesh Agrawal
Modified: 2019-06-04 10:48 UTC
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:48:05 UTC
Target Upstream Version:

Links: Red Hat Product Errata RHBA-2019:0758 (last updated 2019-06-04 10:48:13 UTC)

Description Neelesh Agrawal 2019-04-26 15:22:40 UTC
https://jira.coreos.com/browse/AUTH-298

We should not emit metrics that are globally readable.  The operators should be easy to fix via the library-go code (re-enable delegated auth).

Cluster Authentication Operator

Comment 1 Abu Kashem 2019-04-30 13:37:05 UTC
PR - https://github.com/openshift/cluster-authentication-operator/pull/123

I have done the following testing:

Make sure that the /metrics endpoint is not accessible for an unauthenticated user.
If I access the /metrics endpoint using curl as shown below, I get the following 403 error:

curl -k https://$(kubectl get service metrics -o json | jq -r .spec.clusterIP)/metrics

"message": "forbidden: User "system:anonymous" cannot get path "/metrics"",
"reason": "Forbidden",

I checked 'prometheus-k8s-openshift-monitoring'; it looks like all 'AuthenticationOperator2_*' metrics are collected after delegated auth is turned on.
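As an added example, not code from the bug, the PR or library-go: a minimal Go sketch of the delegated-auth gate the fix puts in front of /metrics. The Authenticator and Authorizer interfaces stand in for the TokenReview and SubjectAccessReview calls a real operator delegates to the kube-apiserver; Decide, WithDelegatedAuth, the token table and the reader list are assumed names with constructed sample data, and the 403 message follows the format quoted in the comment above.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Authenticator stands in for a TokenReview and Authorizer for a SubjectAccessReview;
// both are interfaces here so the example runs without a cluster.
type Authenticator interface{ Authenticate(token string) (user string, ok bool) }
type Authorizer interface{ Allowed(user, verb, path string) bool }

// Decide runs delegated authn, then authz, for one request and returns the HTTP status
// and message the caller sees; 200 means the request may reach the metrics handler.
func Decide(authn Authenticator, authz Authorizer, authHeader, method, path string) (int, string) {
	user := "system:anonymous" // no credentials: anonymous, which must still pass authz
	if strings.HasPrefix(authHeader, "Bearer ") {
		u, ok := authn.Authenticate(strings.TrimPrefix(authHeader, "Bearer "))
		if !ok { // a bad token is an authentication failure, not anonymous access
			return http.StatusUnauthorized, "Unauthorized"
		}
		user = u
	}
	verb := strings.ToLower(method)
	if !authz.Allowed(user, verb, path) {
		return http.StatusForbidden, fmt.Sprintf("forbidden: User %q cannot %s path %q", user, verb, path)
	}
	return http.StatusOK, ""
}

// WithDelegatedAuth puts Decide in front of next, the way the operator gates /metrics.
func WithDelegatedAuth(authn Authenticator, authz Authorizer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, msg := Decide(authn, authz, r.Header.Get("Authorization"), r.Method, r.URL.Path)
		if code != http.StatusOK {
			http.Error(w, msg, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed fakes: a token table, and the users a ClusterRole over nonResourceURLs would let "get" /metrics.
type tokenTable map[string]string
type metricsReaders map[string]bool
func (t tokenTable) Authenticate(tok string) (string, bool) { u, ok := t[tok]; return u, ok }
func (m metricsReaders) Allowed(u, verb, path string) bool { return verb == "get" && path == "/metrics" && m[u] }
const promSA = "system:serviceaccount:openshift-monitoring:prometheus-k8s"
var Tokens = tokenTable{"prom-token": promSA, "dev-token": "developer"} // constructed sample tokens
var Readers = metricsReaders{promSA: true}                               // only prometheus-k8s may scrape
```

Without a bearer token the gate returns exactly the 403 shown above; a valid token for an identity without "get" on /metrics is also refused, while an unknown token is a 401 rather than silent anonymous access.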

Comment 4 Chuan Yu 2019-05-05 14:47:15 UTC
Verified on 4.1.0-0.nightly-2019-05-04-210601

sh-4.4# curl -k https://172.30.89.103/metrics
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}

Comment 6 errata-xmlrpc 2019-06-04 10:48:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758