Bug 1854479 - User with view permissions on a project but without 'monitoring-rules-view' role can still view rules
Summary: User with view permissions on a project but without 'monitoring-rules-view' r...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: 4.6.0
Assignee: Simon Pasquier
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-07 14:24 UTC by Simon Pasquier
Modified: 2020-10-27 16:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:12:46 UTC
Target Upstream Version:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift cluster-monitoring-operator pull 908 | 0 | None | closed | Bug 1854479: enforce permissions on Thanos querier endpoints | 2020-12-15 09:35:51 UTC
Github openshift kube-rbac-proxy pull 26 | 0 | None | closed | Bug 1854479: bump version to enable the "--allow-paths" flag | 2020-12-15 09:35:51 UTC
Red Hat Product Errata RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:13:06 UTC

Description Simon Pasquier 2020-07-07 14:24:51 UTC
Description of problem:
A user with permissions to access the metrics in a given namespace can use the same endpoint to retrieve rules from the same namespace though no rule permissions have been granted for this user.

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
1. Login as a user with view permissions for a given namespace
2. Retrieve a token "oc whoami -t"
3. Start a shell inside the cluster
oc run tmp-shell --rm -i --tty --image centos -- /bin/bash
4. Query the tenancy-aware endpoint for rules from within the pod
curl -k -H "Authorization: Bearer <TOKEN>" https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=openshift-monitoring

Actual results:
The curl command succeeds.

Expected results:
The request should be rejected.

Additional info:

Comment 5 Junqi Zhao 2020-08-19 07:48:48 UTC
Tested with 4.6.0-0.nightly-2020-08-18-165040, the issue is fixed.
Verification steps:
1. grant view permissions for openshift-monitoring namespace
# oc adm policy add-role-to-user view  testuser-12 -n openshift-monitoring

2. get the testuser-12 user token from https://${oauth-route}/oauth/token/display
3. query rules endpoint
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-1 -- curl -k -H "Authorization: Bearer sha256~M-8xmAIqcFsunNNx4d2hf-WX0Oi-C9E-bdibY3ApyNw"  https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=openshift-monitoring
Forbidden (user=testuser-12, verb=get, resource=prometheusrules, subresource=)

Comment 6 Junqi Zhao 2020-08-19 08:40:20 UTC
Added more tests:
1. enable user workload, create prometheus rules under user namespace, and grant view permissions
# oc adm policy add-role-to-user  view testuser-12 -n ns1

2. query with the user token
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer sha256~bSo3NOkPb_r7h5dIUAuhcKIDkvTCdn8IMolATBJl2MU"  https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1
Forbidden (user=testuser-12, verb=get, resource=prometheusrules, subresource=)


3. grant monitoring-rules-view role to the same project and query again
# oc adm policy add-role-to-user monitoring-rules-view  testuser-12 -n ns1
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer sha256~bSo3NOkPb_r7h5dIUAuhcKIDkvTCdn8IMolATBJl2MU"  https://thanos-querier.openshift-monitoring.svc:9093/api/v1/rules?namespace=ns1 | jq
{
  "status": "success",
  "data": {
    "groups": [
          {
            "name": "TestAlert",
            "query": "vector(1)",
            "duration": 0,
            "labels": {
              "namespace": "ns1",
              "severity": "none"
            },
            "annotations": {
              "message": "This is an alert meant to ensure that the entire alerting pipeline is functional."
            },
            "alerts": [
              {
                "labels": {
                  "alertname": "TestAlert",
                  "namespace": "ns1",
                  "severity": "none"
                },
                "annotations": {
                  "message": "This is an alert meant to ensure that the entire alerting pipeline is functional."
                },
                "state": "firing",
                "activeAt": "2020-08-19T08:07:15.389025513Z",
                "value": "1e+00"
              }
            ],
            "health": "ok",
            "type": "alerting"
          }
        ],
        "interval": 15
      }
    ]
  }
}
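
As an added illustration (not code from cluster-monitoring-operator or kube-rbac-proxy), the Python model below shows why the view role alone was enough to read rules before the fix and how a per-path check, such as the one the "--allow-paths" flag enables, closes the gap. The role contents and the attributes for the query paths are constructed assumptions; the page only confirms that /api/v1/rules is now authorized as "get prometheusrules" in the requested namespace.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed simplification of the two roles named on the page. Treating the
# "view" role as metrics access via ("get", "pods") is an assumption.
ROLE_PERMS = {
    "view": {("get", "pods")},
    "monitoring-rules-view": {("get", "prometheusrules")},
}

# Post-fix allow list: path -> (verb, resource) checked in the caller's namespace.
# The page confirms only the prometheusrules entry; the query entries are assumed.
ALLOWED_PATHS = {
    "/api/v1/query": ("get", "pods"),
    "/api/v1/query_range": ("get", "pods"),
    "/api/v1/rules": ("get", "prometheusrules"),
}


@dataclass
class User:
    name: str
    bindings: dict = field(default_factory=dict)  # namespace -> set of role names

    def permissions(self, namespace):
        perms = set()
        for role in self.bindings.get(namespace, ()):
            perms |= ROLE_PERMS[role]
        return perms


def authorize(user, url, enforce_paths=True):
    """Return (status, body). enforce_paths=False models the pre-fix proxy,
    which authorized every path against the metrics permission alone."""
    parsed = urlparse(url)
    ns = parse_qs(parsed.query).get("namespace", [None])[0]
    if ns is None:
        return 400, "namespace query parameter is required"
    if enforce_paths:
        if parsed.path not in ALLOWED_PATHS:
            return 404, "path not allowed"
        verb, resource = ALLOWED_PATHS[parsed.path]
    else:
        verb, resource = "get", "pods"  # one check regardless of path: the bug
    if (verb, resource) not in user.permissions(ns):
        return 403, f"Forbidden (user={user.name}, verb={verb}, resource={resource}, subresource=)"
    return 200, "success"
```

With only the view role bound in ns1, the pre-fix mode returns 200 for the rules URL while the enforcing mode returns the Forbidden line quoted in comment 5; adding monitoring-rules-view flips it to success, matching comment 6.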

Comment 8 errata-xmlrpc 2020-10-27 16:12:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

