Bug 1774060 - alertmanager-access role is not created
Summary: alertmanager-access role is not created
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.3.0
Assignee: Sergiusz Urbaniak
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-19 13:47 UTC by Sergiusz Urbaniak
Modified: 2020-01-23 11:13 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-23 11:13:16 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-monitoring-operator pull 558 0 'None' closed Bug 1774060: create alertmanager-access role, add e2e tests for user workload monitoring 2020-04-01 12:40:48 UTC
Red Hat Product Errata RHBA-2020:0062 0 None None None 2020-01-23 11:13:37 UTC

Description Sergiusz Urbaniak 2019-11-19 13:47:20 UTC
We declared a new role "alertmanager-access" in https://github.com/openshift/cluster-monitoring-operator/pull/502 but do not create it in the operator.

Comment 8 Standa Laznicka 2019-11-22 09:19:07 UTC
I see 'oc adm policy add-role-to-user --role-namespace='openshift-monitoring' alertmanager-access juzhao1'

But the check is performed for user with username juzhao1@cluster.local:

```
2019/11/22 06:20:59 provider.go:464: Permission denied for juzhao1@cluster.local for check {"group":"monitoring.coreos.com","namespace":"openshift-monitoring","resource":"alertmanagers","scopes":[],"verb":"get"}
```

Comment 9 Junqi Zhao 2019-11-22 11:16:20 UTC
(In reply to Standa Laznicka from comment #8)
> I see 'oc adm policy add-role-to-user
> --role-namespace='openshift-monitoring' alertmanager-access juzhao1'
> 
> But the check is performed for user with username juzhao1@cluster.local:
> 
> ```
> 2019/11/22 06:20:59 provider.go:464: Permission denied for
> juzhao1@cluster.local for check
> {"group":"monitoring.coreos.com","namespace":"openshift-monitoring",
> "resource":"alertmanagers","scopes":[],"verb":"get"}
> ```

yes, maybe it is the cause.

checked with cluster-admin user
2019/11/22 11:05:24 provider.go:613: 200 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~ {"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"kube:admin","selfLink":"/apis/user.openshift.io/v1/users/kube%3Aadmin","creationTimestamp":null},"identities":null,"groups":["system:authenticated","system:cluster-admins"]}
2019/11/22 11:05:24 provider.go:613: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"openshift-monitoring","allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"cluster-admins\" of ClusterRole \"cluster-admin\" to Group \"system:cluster-admins\""}
2019/11/22 11:05:24 oauthproxy.go:675: 10.131.0.9:42724 authentication complete Session{kube:admin@cluster.local token:true}

Comment 13 Venkata Siva Teja Areti 2019-12-03 23:28:44 UTC
this is working

'-openshift-sar={"resourceAPIGroup": "monitoring.coreos.com", "resource":
          "alertmanagers", "namespace": "openshift-monitoring", "verb": "get"}'

Comment 14 Standa Laznicka 2019-12-05 11:30:48 UTC
moving back to monitoring, bug's on your side.

Comment 19 errata-xmlrpc 2020-01-23 11:13:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062


Note You need to log in before you can comment on or make changes to this bug.