Description of problem:
A user with permissions to access the metrics in a given namespace can use the same endpoint to retrieve rules from the same namespace though no rule permissions have been granted for this user.

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
1. Log in as a user with view permissions for a given namespace
2. Retrieve a token: oc whoami -t
3. Start a shell inside the cluster: oc run tmp-shell --rm -i --tty --image centos -- /bin/bash
4. Query the tenancy-aware endpoint for rules from within the pod:
   curl -k -H "Authorization: Bearer <TOKEN>" https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=openshift-monitoring

Actual results:
The curl command succeeds.

Expected results:
The request should be rejected.

Additional info:
Tested with 4.6.0-0.nightly-2020-08-18-165040, the issue is fixed.

Verification steps:
1. Grant view permissions for the openshift-monitoring namespace:
   # oc adm policy add-role-to-user view testuser-12 -n openshift-monitoring
2. Get the testuser-12 user token from https://${oauth-route}/oauth/token/display
3. Query the rules endpoint:
   # oc -n openshift-monitoring exec -c prometheus prometheus-k8s-1 -- curl -k -H "Authorization: Bearer sha256~M-8xmAIqcFsunNNx4d2hf-WX0Oi-C9E-bdibY3ApyNw" https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=openshift-monitoring
   Forbidden (user=testuser-12, verb=get, resource=prometheusrules, subresource=)
Added more tests:
1. Enable user workload monitoring, create prometheus rules under a user namespace, and grant view permissions:
   # oc adm policy add-role-to-user view testuser-12 -n ns1
2. Query with the user token:
   # oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer sha256~bSo3NOkPb_r7h5dIUAuhcKIDkvTCdn8IMolATBJl2MU" https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1
   Forbidden (user=testuser-12, verb=get, resource=prometheusrules, subresource=)
3. Grant the monitoring-rules-view role in the same project and query again:
   # oc adm policy add-role-to-user monitoring-rules-view testuser-12 -n ns1
   # oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer sha256~bSo3NOkPb_r7h5dIUAuhcKIDkvTCdn8IMolATBJl2MU" https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1 | jq
   {
     "status": "success",
     "data": {
       "groups": [
         {
           "name": "TestAlert",
           "query": "vector(1)",
           "duration": 0,
           "labels": { "namespace": "ns1", "severity": "none" },
           "annotations": { "message": "This is an alert meant to ensure that the entire alerting pipeline is functional." },
           "alerts": [
             {
               "labels": { "alertname": "TestAlert", "namespace": "ns1", "severity": "none" },
               "annotations": { "message": "This is an alert meant to ensure that the entire alerting pipeline is functional." },
               "state": "firing",
               "activeAt": "2020-08-19T08:07:15.389025513Z",
               "value": "1e+00"
             }
           ],
           "health": "ok",
           "type": "alerting"
         }
       ],
       "interval": 15
     } ] } }
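The authorization behaviour this report describes and the verification comment above confirms, as an added Python model that is not part of the product or of the commands in this bug: it stands in for the tenancy-aware proxy in front of thanos-querier, maps the request path to the SubjectAccessReview attributes, and shows the view-only user succeeding against the pre-fix mapping, receiving the Forbidden response after the fix, and succeeding again once monitoring-rules-view is bound in the namespace. The role contents, the bindings and the pods/get mapping for the metrics paths are assumptions of the model; the prometheusrules/get check is the one named in the Forbidden message.

```python
from urllib.parse import urlparse, parse_qs

# Constructed RBAC state for the model. The 'view' role standing for pods/get is an
# assumption; prometheusrules/get is the check named in the Forbidden message above.
ROLE_RULES = {
    "view": {("", "pods", "get")},
    "monitoring-rules-view": {("monitoring.coreos.com", "prometheusrules", "get")},
}
METRICS_ATTRS = ("", "pods", "get")
RULES_ATTRS = ("monitoring.coreos.com", "prometheusrules", "get")

def subject_access_review(bindings, user, namespace, attrs):
    """Stand-in for a Kubernetes SubjectAccessReview: bindings maps (user, ns) -> roles."""
    return any(attrs in ROLE_RULES[r] for r in bindings.get((user, namespace), ()))

def path_attributes(path, fixed):
    """Before the fix every path was checked as a metrics read; after it, the rules
    and alerts paths are checked as a get on prometheusrules in the namespace."""
    if fixed and path in ("/api/v1/rules", "/api/v1/alerts"):
        return RULES_ATTRS
    return METRICS_ATTRS

def authorize(bindings, user, url, fixed=True):
    """Return (http_status, body) the way the tenancy-aware proxy would answer."""
    parsed = urlparse(url)
    ns = parse_qs(parsed.query).get("namespace")
    if not ns:  # no namespace means no tenant to scope the review to: never fall open
        return 400, "Bad Request: namespace parameter is required"
    attrs = path_attributes(parsed.path, fixed)
    if subject_access_review(bindings, user, ns[0], attrs):
        return 200, "ok"
    _, resource, verb = attrs
    return 403, f"Forbidden (user={user}, verb={verb}, resource={resource}, subresource=)"

def reproduce():
    """Replay the report: view-only user against the buggy and fixed proxy, then
    after monitoring-rules-view is bound in ns1. Returns the three status codes."""
    bindings = {("testuser-12", "ns1"): {"view"}}
    url = "https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1"
    before = authorize(bindings, "testuser-12", url, fixed=False)[0]
    after = authorize(bindings, "testuser-12", url, fixed=True)[0]
    bindings[("testuser-12", "ns1")].add("monitoring-rules-view")
    granted = authorize(bindings, "testuser-12", url, fixed=True)[0]
    return before, after, granted

if __name__ == "__main__":
    print(reproduce())  # (200, 403, 200)
```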
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196