We declared a new role "alertmanager-access" in https://github.com/openshift/cluster-monitoring-operator/pull/502 but do not create it in the operator.
I see 'oc adm policy add-role-to-user --role-namespace='openshift-monitoring' alertmanager-access juzhao1'

But the check is performed for user with username juzhao1:

```
2019/11/22 06:20:59 provider.go:464: Permission denied for juzhao1 for check {"group":"monitoring.coreos.com","namespace":"openshift-monitoring","resource":"alertmanagers","scopes":[],"verb":"get"}
```
(In reply to Standa Laznicka from comment #8)
> I see 'oc adm policy add-role-to-user
> --role-namespace='openshift-monitoring' alertmanager-access juzhao1'
>
> But the check is performed for user with username juzhao1:
>
> ```
> 2019/11/22 06:20:59 provider.go:464: Permission denied for
> juzhao1 for check
> {"group":"monitoring.coreos.com","namespace":"openshift-monitoring",
> "resource":"alertmanagers","scopes":[],"verb":"get"}
> ```

Yes, maybe it is the cause. Checked with cluster-admin user:

```
2019/11/22 11:05:24 provider.go:613: 200 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~ {"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"kube:admin","selfLink":"/apis/user.openshift.io/v1/users/kube%3Aadmin","creationTimestamp":null},"identities":null,"groups":["system:authenticated","system:cluster-admins"]}
2019/11/22 11:05:24 provider.go:613: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"openshift-monitoring","allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"cluster-admins\" of ClusterRole \"cluster-admin\" to Group \"system:cluster-admins\""}
2019/11/22 11:05:24 oauthproxy.go:675: 10.131.0.9:42724 authentication complete Session{kube:admin token:true}
```
this is working '-openshift-sar={"resourceAPIGroup": "monitoring.coreos.com", "resource": "alertmanagers", "namespace": "openshift-monitoring", "verb": "get"}'
moving back to monitoring, bug's on your side.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062