Bug 1711533 - Unprivileged access to discovery
Summary: Unprivileged access to discovery
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.2.0
Assignee: Stefan Schimanski
QA Contact: Wei Sun
Depends On: 1729522
Reported: 2019-05-18 12:47 UTC by Maciej Szulik
Modified: 2019-10-16 06:29 UTC
7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-10-16 06:29:06 UTC
Target Upstream Version:


External trackers (all public, no priority set), with status, summary and last update:
- GitHub openshift/installer pull 1835, closed: Bug 1711533: Remove unnecessary binding to system:discovery (2020-09-23 14:41:01 UTC)
- GitHub openshift/jenkins-sync-plugin pull 320, closed: Bug 1711533: Bump kubernetes-client version (openshift-client) to 4.3 to support O… (2020-09-23 14:41:01 UTC)
- GitHub openshift/openshift-apiserver pull 18, closed: Bug 1711533: auth: remove unauthenticated discovery and status access (2020-09-23 14:41:00 UTC)
- GitHub openshift/origin pull 22953, closed: Bug 1711533: UPSTREAM: revert: 00000: restore unprivileged access (2020-09-23 14:41:00 UTC)
- GitHub openshift/origin pull 23046, closed: Bug 1711533: rbac: add e2e to track rules applied to automatic groups (2020-09-23 14:41:00 UTC)
- GitHub openshift/origin pull 23049, closed: [wip] Bug 1711533: Remove discovery access from system:unauthenticated (2020-09-23 14:41:00 UTC)
- GitHub openshift/origin pull 23641, closed: Bug 1711533: bootstrap-rbac-policy: prepare for non-anon discovery (2020-09-23 14:41:00 UTC)
- GitHub openshift/origin pull 23653, closed: Bug 1711533: extended: fix anon / access test and add one when authenticated (2020-09-23 14:41:05 UTC)
- Red Hat Product Errata RHBA-2019:2922 (2019-10-16 06:29:17 UTC)

Internal Links: 1821771

Description Maciej Szulik 2019-05-18 12:47:47 UTC
In https://github.com/openshift/origin/pull/22833/commits/50872400c21124bf825b4663ac720106f5aba351 we restored unprivileged access to the system:discovery role, which was there in 4.1. We need to revert that change to be compatible with upstream, which fixed this in response to a CVE.
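The regression described above is a ClusterRoleBinding that puts the system:unauthenticated group (or the system:anonymous user) behind a role whose rules cover the discovery endpoints. The audit script below is an added example, not code from this bug or from the openshift/origin repository: it reads the output of `oc get clusterroles,clusterrolebindings -o json`, resolves which ClusterRoles unauthenticated subjects are bound to, and reports any binding that would let an anonymous GET through on a discovery path, using the same nonResourceURL matching rules RBAC applies (exact match, `*`, or a trailing-`*` prefix). The embedded sample is constructed; the `regressed-discovery` binding in it is hypothetical and exists only to show what a hit looks like. The script evaluates RBAC policy alone and ignores other authorizers, so a clean result here is necessary but not sufficient.

```python
"""Audit cluster RBAC for discovery access granted to unauthenticated subjects.

Usage against a live cluster (example, not part of the original report):
    oc get clusterroles,clusterrolebindings -o json | python audit_anon_discovery.py
With no stdin, the constructed SAMPLE_RBAC below is checked instead.
"""
import json
import sys

# Subjects that represent a request carrying no credentials at all.
ANONYMOUS_SUBJECTS = {("Group", "system:unauthenticated"), ("User", "system:anonymous")}

# Constructed sample shaped like `oc get clusterroles,clusterrolebindings -o json`
# (a v1 List). "regressed-discovery" is a hypothetical binding added to show a hit;
# the "system:discovery" binding shows the fixed state (authenticated users only).
SAMPLE_RBAC = json.dumps({
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "system:discovery"},
         "rules": [{"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*",
                                        "/healthz", "/openapi", "/openapi/*",
                                        "/version", "/version/"],
                    "verbs": ["get"]}]},
        {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "system:basic-user"},
         "rules": [{"apiGroups": ["authorization.k8s.io"],
                    "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"],
                    "verbs": ["create"]}]},
        {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "system:discovery"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                     "name": "system:discovery"},
         "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                       "name": "system:authenticated"}]},
        {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "regressed-discovery"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                     "name": "system:discovery"},
         "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                       "name": "system:unauthenticated"}]},
    ],
})


def nonresource_url_matches(rule_url, path):
    """RBAC nonResourceURL semantics: '*' matches all, otherwise exact match,
    or a rule ending in '*' matches any path with the rule's prefix."""
    if rule_url == "*" or rule_url == path:
        return True
    return rule_url.endswith("*") and path.startswith(rule_url.rstrip("*"))


def rule_allows(rule, verb, path):
    """True if one PolicyRule grants `verb` on the non-resource `path`."""
    verbs = rule.get("verbs", [])
    if "*" not in verbs and verb not in verbs:
        return False
    return any(nonresource_url_matches(u, path) for u in rule.get("nonResourceURLs", []))


def anonymous_grants(rbac_json, verb="get", path="/api"):
    """Return [(binding_name, clusterrole_name)] for every ClusterRoleBinding
    through which an unauthenticated request would be allowed `verb` on `path`."""
    items = json.loads(rbac_json)["items"]
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    hits = []
    for binding in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        subjects = {(s.get("kind"), s.get("name")) for s in binding.get("subjects", [])}
        if not subjects & ANONYMOUS_SUBJECTS:
            continue
        ref = binding["roleRef"]
        if ref.get("kind") != "ClusterRole":  # a ClusterRoleBinding can only reference a ClusterRole
            continue
        role = roles.get(ref["name"])
        if role and any(rule_allows(r, verb, path) for r in role.get("rules", [])):
            hits.append((binding["metadata"]["name"], ref["name"]))
    return hits


if __name__ == "__main__":
    data = SAMPLE_RBAC if sys.stdin.isatty() else sys.stdin.read()
    findings = 0
    for probe in ("/api", "/apis", "/version", "/openapi/v2"):
        for binding, role in anonymous_grants(data, path=probe):
            findings += 1
            print(f"{probe}: anonymous GET allowed via ClusterRoleBinding {binding} -> ClusterRole {role}")
    sys.exit(1 if findings else 0)
```

On a cluster where the fix from this bug is in place, the script exits 0 and prints nothing; a non-zero exit with `system:unauthenticated` bound to `system:discovery` is the state this report asks to revert. Pair it with a credential-free probe (`curl -k https://<api-server>:6443/api` with no token, expecting 403) to confirm the authorizer chain as a whole, since RBAC is not the only authorizer an API server may run.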

Comment 2 Mo 2019-06-01 11:58:55 UTC
Moving back to assigned as I need to add an e2e test to confirm this never regresses in the future.

Comment 6 Adam Kaplan 2019-07-12 13:32:55 UTC
Added #1729552 as a blocker for this issue.

Comment 21 errata-xmlrpc 2019-10-16 06:29:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

