1711533 – Unprivileged access to discovery

Bug 1711533 - Unprivileged access to discovery

Summary: Unprivileged access to discovery

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	apiserver-auth
Sub Component:
Version:	4.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	4.2.0
Assignee:	Stefan Schimanski
QA Contact:	Wei Sun
Docs Contact:
URL:
Whiteboard:
Depends On:	1729522
Blocks:
TreeView+	depends on / blocked

Reported:	2019-05-18 12:47 UTC by Maciej Szulik
Modified:	2019-10-16 06:29 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-10-16 06:29:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift installer pull 1835	'None'	closed	Bug 1711533: Remove unnecessary binding to system:discovery	2020-09-23 14:41:01 UTC
Github	openshift jenkins-sync-plugin pull 320	'None'	closed	Bug 1711533: Bump kubernetes-client version (openshift-client) to 4.3 to support O…	2020-09-23 14:41:01 UTC
Github	openshift openshift-apiserver pull 18	'None'	closed	Bug 1711533: auth: remove unauthenticated discovery and status access	2020-09-23 14:41:00 UTC
Github	openshift origin pull 22953	'None'	closed	Bug 1711533: UPSTREAM: revert: 00000: restore unprivileged access	2020-09-23 14:41:00 UTC
Github	openshift origin pull 23046	'None'	closed	Bug 1711533: rbac: add e2e to track rules applied to automatic groups	2020-09-23 14:41:00 UTC
Github	openshift origin pull 23049	'None'	closed	[wip] Bug 1711533: Remove discovery access from system:unauthenticated	2020-09-23 14:41:00 UTC
Github	openshift origin pull 23641	'None'	closed	Bug 1711533: bootstrap-rbac-policy: prepare for non-anon discovery	2020-09-23 14:41:00 UTC
Github	openshift origin pull 23653	'None'	closed	Bug 1711533: extended: fix anon / access test and add one when authenticated	2020-09-23 14:41:05 UTC
Red Hat Product Errata	RHBA-2019:2922	None	None	None	2019-10-16 06:29:17 UTC

Internal Links: 1821771

Description Maciej Szulik 2019-05-18 12:47:47 UTC

In https://github.com/openshift/origin/pull/22833/commits/50872400c21124bf825b4663ac720106f5aba351 we restored unprivileged access to system:discovery role, which was there in 4.1. We need to revert that change to be compatible with upstream, which fixed this in response to a CVE.

Comment 1 Mo 2019-05-31 20:56:33 UTC

https://github.com/openshift/origin/pull/22953

Comment 2 Mo 2019-06-01 11:58:55 UTC

Moving back to assigned as I need to add an e2e test to confirm this never regresses in the future.

Comment 3 Mo 2019-07-11 14:33:59 UTC

Incomplete PR:

https://github.com/openshift/origin/pull/23049

Complete PRs:

https://github.com/openshift/origin/pull/22953
https://github.com/openshift/origin/pull/23046

https://github.com/openshift/installer/pull/1835

There is still a non-trivial amount of work left to do.

Comment 6 Adam Kaplan 2019-07-12 13:32:55 UTC

Added #1729552 as a blocker for this issue.

Comment 21 errata-xmlrpc 2019-10-16 06:29:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

Note You need to log in before you can comment on or make changes to this bug.