Bug 1848151 - Console continues to poll the ClusterVersion resource when the user doesn't have authority
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Samuel Padgett
QA Contact: Yanping Zhang
URL:
Whiteboard: Scrubbed
Duplicates: 1952555
Depends On:
Blocks: 1952578
Reported: 2020-06-17 19:34 UTC by Samuel Padgett
Modified: 2021-07-27 22:32 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The web console was incorrectly polling the ClusterVersion resource for users who didn't have authority. This would cause large numbers of "Failed to dial backend: websocket: bad handshake" errors in the console pod log, but otherwise did not cause any issues. We now check the user's permission before trying to poll this resource.
Clone Of:
Clones: 1952578
Environment:
Version: 4.6.0-0.nightly-2020-06-16-214732
Cluster ID: 092d09d8-b2c0-4206-b824-9ed1a47fc4ca
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Last Closed: 2021-07-27 22:32:27 UTC
Target Upstream Version:


Attachments
js-error (251.37 KB, image/png), 2021-04-14 07:15 UTC, Yanping Zhang


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift console pull 8602 | 0 | None | open | Bug 1848151: Don't poll ClusterVersion when user doesn't have authority | 2021-04-09 13:42:47 UTC
Red Hat Knowledge Base (Solution) | 6099311 | 0 | None | None | None | 2021-06-04 09:48:48 UTC
Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 22:32:43 UTC

Description Samuel Padgett 2020-06-17 19:34:39 UTC
Console -- likely the notification drawer -- keeps polling for the ClusterVersion resource when logged in as a normal user who doesn't have authority. This adds a lot of errors to the JS log and causes many unnecessary requests.

We should only request that resource for users who have access. There is a `CLUSTER_VERSION` flag you can check.
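
The gating this report asks for, as an added example that is not part of the original report and not the OpenShift console's own code: polling starts only when the permission flag is true and stops permanently on 401/403. Only the `CLUSTER_VERSION` flag name comes from the report; `createGatedPoller`, `simulate`, the callback-style `request`, and the injected `schedule` are hypothetical.

```javascript
// Added example with hypothetical names; not the OpenShift console's own code.
// The poller never starts unless the permission flag is true, and it stops for
// good on 401/403 instead of retrying a request that cannot succeed.
function createGatedPoller({ flags, flagName, request, schedule, intervalMs = 15000 }) {
  const state = { requests: 0, stopped: false, reason: null, last: null };
  const stop = (reason) => { state.stopped = true; state.reason = reason; };

  function tick() {
    if (state.stopped) return;
    state.requests += 1;
    request((status, body) => {
      if (status === 401 || status === 403) {
        stop(`denied:${status}`); // an authorization failure is not transient
        return;
      }
      if (status === 200) state.last = body;
      schedule(tick, intervalMs); // success or transient error: poll again later
    });
  }

  function start() {
    // Assumption: an unset flag means "access not yet known", so do not probe.
    if (flags[flagName] !== true) {
      stop('flag-off');
      return state;
    }
    tick();
    return state;
  }

  return { start, state };
}

// Constructed demo: fake backend and fake timer queue, so this runs offline.
function simulate(flagValue, statuses) {
  const timers = [];
  let i = 0;
  const poller = createGatedPoller({
    flags: { CLUSTER_VERSION: flagValue },
    flagName: 'CLUSTER_VERSION',
    request: (cb) => cb(statuses[Math.min(i++, statuses.length - 1)], { kind: 'ClusterVersion' }),
    schedule: (fn) => timers.push(fn),
  });
  poller.start();
  for (let n = 0; n < 5 && timers.length; n++) timers.shift()(); // fire up to 5 timers
  return poller.state;
}
```

With the flag off the backend sees zero requests, which is what removes the repeated errors from both the browser log and the server-side log.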

Comment 2 Joe Caiani 2020-06-19 14:53:02 UTC
Move to upcoming sprint. Will look at this on bugfix mondays.

Comment 5 Jakub Hadvig 2020-12-23 16:09:59 UTC
We did not have time to fix this issue this sprint. Will reevaluate and try to fix in next sprint.

Comment 8 Yanping Zhang 2021-04-14 07:15:51 UTC
Created attachment 1771755
js-error

Comment 9 Yanping Zhang 2021-04-14 07:19:15 UTC
Checked on ocp 4.8 cluster with payload 4.8.0-0.nightly-2021-04-13-171608.
Logged in to the console as a normal user and checked the logs in the dev console; there are some 403 Forbidden errors for prometheus/alertmanager and many cookie warnings:
XHR GET https://console-openshift-console.apps.qe-groupd-0414.qe.devcluster.openshift.com/api/prometheus/api/v1/rules
[HTTP/1.1 403 Forbidden 4905ms]

Cookie “_oauth_proxy” has been rejected for invalid domain. rules
XHR GET https://console-openshift-console.apps.qe-groupd-0414.qe.devcluster.openshift.com/api/alertmanager/api/v2/silences
[HTTP/1.1 403 Forbidden 5354ms]

Cookie “_oauth_proxy” has been rejected for invalid domain.

===============================
Please refer to the screenshot.

Comment 10 Samuel Padgett 2021-04-22 14:44:32 UTC
Hi, Yanping. This fix is only for polling ClusterVersion specifically. There will be some other 403 errors that are expected. Are these being polled constantly or only single requests?

Moving back to ON_QA. If there are additional issues, we should open separate bugs to track.

Comment 11 Samuel Padgett 2021-04-22 14:51:04 UTC
*** Bug 1952555 has been marked as a duplicate of this bug. ***

Comment 12 Samuel Padgett 2021-04-22 15:16:17 UTC
Raising the severity since this floods the log with messages making it harder to troubleshoot other problems.

Comment 13 Yanping Zhang 2021-04-23 02:25:57 UTC
Checked on OCP 4.8 cluster with payload 4.8.0-0.nightly-2021-04-22-182303. After a normal user logs in to the console, checked the logs in the dev console: there is no request for the "ClusterVersion" resource. Checked the console pod log: there is no request of this kind there either.
The issue in the bug description has been fixed.

Comment 19 errata-xmlrpc 2021-07-27 22:32:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

