Bug 1879650 - anonymous browsers should get a 403 from /
Summary: anonymous browsers should get a 403 from /
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.5.z
Assignee: Andrea Hoffer
QA Contact: scheng
URL:
Whiteboard:
Duplicates: 1878095
Depends On: 1821771
Blocks: 1822681 1880123
 
Reported: 2020-09-16 17:46 UTC by OpenShift BugZilla Robot
Modified: 2020-09-30 14:08 UTC (History)

Fixed In Version:
Doc Type: Release Note
Doc Text:
In OpenShift release 4.1, an anonymous user could access discovery endpoints. Later releases revoked this access by removing unauthenticated subjects from cluster role bindings. Because of the way default policy resources are reconciled, unauthenticated access is preserved in upgraded clusters. The ability to revoke this access after upgrading a cluster can be added to OpenShift. But, as doing that automatically would break existing use cases, cluster administrators are given the ability to choose the best path forward based on their use case.

There could be up to five cluster role bindings in an OpenShift 4.6 cluster that give unauthenticated users access to discovery endpoints:

1. cluster-status-binding
2. discovery
3. system:basic-user
4. system:discovery
5. system:openshift:discovery

Cluster administrators can revoke unauthenticated access by using the below shell script. Please note that after running this snippet, an application that relied on unauthenticated behavior might start to receive HTTP 403 from the API Server.

## Snippet to remove unauthenticated group from all the cluster role bindings.
$ for clusterrolebinding in cluster-status-binding discovery system:basic-user system:discovery system:openshift:discovery ; do
    ### Find the index of unauthenticated group in list of subjects
    index=$(oc get clusterrolebinding ${clusterrolebinding} -o json | jq 'select(.subjects!=null) | .subjects | map(.name=="system:unauthenticated") | index(true)');
    ### Remove the element at index from subjects array
    oc patch clusterrolebinding ${clusterrolebinding} --type=json --patch "[{'op': 'remove','path': '/subjects/$index'}]";
  done
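The shell loop above patches one subject index per binding and relies on jq's index(true), which yields null when the group is absent. As an added example (not part of the release note or of OpenShift itself), this Python builds the same RFC 6902 remove operations from the JSON that `oc get clusterrolebinding -o json` returns, handles bindings with no subjects or with the group listed more than once, and lets an administrator preview the result before patching; the sample binding is constructed.

```python
"""Build the JSON patch that strips the system:unauthenticated group from a
ClusterRoleBinding, the change the release note performs with `oc patch --type=json`."""
import json

UNAUTH_GROUP = "system:unauthenticated"
# The five bindings the release note names for a cluster upgraded from 4.1.
DISCOVERY_BINDINGS = (
    "cluster-status-binding", "discovery", "system:basic-user",
    "system:discovery", "system:openshift:discovery",
)

def unauthenticated_subject_indexes(crb):
    """Indexes of every Group subject named system:unauthenticated.
    Tolerates `subjects: null`, which the release note's jq guards with select()."""
    return [i for i, s in enumerate(crb.get("subjects") or [])
            if s.get("kind") == "Group" and s.get("name") == UNAUTH_GROUP]

def revoke_unauthenticated_patch(crb):
    """RFC 6902 remove operations, highest index first so that removing one
    element does not shift the index of the next. An empty list means the
    binding already grants nothing to unauthenticated users, so skip the patch
    (the shell loop would instead try path /subjects/null and fail)."""
    return [{"op": "remove", "path": f"/subjects/{i}"}
            for i in sorted(unauthenticated_subject_indexes(crb), reverse=True)]

def apply_patch(crb, patch):
    """Apply the remove operations to a copy, to preview the binding after patching."""
    out = json.loads(json.dumps(crb))
    for op in patch:
        del out["subjects"][int(op["path"].rsplit("/", 1)[1])]
    return out

# Constructed sample shaped like `oc get clusterrolebinding system:discovery -o json`.
SAMPLE_CRB = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "system:discovery"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "system:discovery"},
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"},
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:unauthenticated"},
    ],
}

if __name__ == "__main__":
    patch = revoke_unauthenticated_patch(SAMPLE_CRB)
    # This JSON is what `oc patch clusterrolebinding <name> --type=json --patch '<json>'` expects.
    print(json.dumps(patch))
    print([s["name"] for s in apply_patch(SAMPLE_CRB, patch)["subjects"]])
```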
Clone Of:
Environment:
Last Closed: 2020-09-30 14:07:51 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 25510 0 None closed [release-4.5] Bug 1879650: For clusters upgraded from 4.1, skip the anonymous browser access test 2020-09-25 20:31:57 UTC
Red Hat Product Errata RHBA-2020:3760 0 None None None 2020-09-30 14:08:15 UTC

Comment 1 Venkata Siva Teja Areti 2020-09-16 17:49:51 UTC
*** Bug 1878095 has been marked as a duplicate of this bug. ***

Comment 8 errata-xmlrpc 2020-09-30 14:07:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.13 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3760

