Bug 1703506 - OAuth Server metrics endpoints should require auth
Summary: OAuth Server metrics endpoints should require auth
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Mo
QA Contact: scheng
Depends On:
Blocks: 1704822
TreeView+ depends on / blocked
Reported: 2019-04-26 15:32 UTC by Neelesh Agrawal
Modified: 2019-06-04 10:48 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1704822 (view as bug list)
Last Closed: 2019-06-04 10:48:05 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:48:13 UTC

Description Neelesh Agrawal 2019-04-26 15:32:55 UTC
We should not emit metrics that are globally readable. 
Most critical metrics to protect are oauth related.
Goal will be to either protect those metrics or disable them.

Comment 4 Mo 2019-05-01 13:17:34 UTC
My PR correctly fixes the lack of auth on metrics and all other OAuth server endpoints that need it.  It does not disable metrics.

Comment 8 errata-xmlrpc 2019-06-04 10:48:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.