Description of problem:
I am unable to create silences as a user with `monitoring-edit` privileges for a user-defined project. Please let me know if I am missing a role prerequisite or a setup step.

Version-Release number of selected component (if applicable):
OCP 4.6.0-0.nightly

How reproducible:
Every time.

Steps to Reproduce:
1. Set up user workload monitoring on a newly installed OCP cluster by using the script in https://github.com/openshift/cluster-monitoring-operator/blob/master/hack/uwm_setup.sh.
2. Create a new user and assign them the following two roles:
   a. Assign the `monitoring-edit` cluster role for the `ns1` project:
----
$ oc policy add-role-to-user monitoring-edit user4 -n ns1
Warning: User 'user4' not found
clusterrole.rbac.authorization.k8s.io/monitoring-edit added: "user4"
----
   b. Assign the `admin` cluster role for the `ns1` project:
----
$ oc policy add-role-to-user admin user4 -n ns1
Warning: User 'user4' not found
clusterrole.rbac.authorization.k8s.io/admin added: "user4"
----
3. Log in to the OCP web console as the new `user4` user.
4. In the Developer perspective, navigate to Monitoring -> Alerts -> <alert_name> -> Project: ns1. In the scripted example the alert is called `VersionAlert`. The graph under 'Alert Details' on this page states 'An error occurred Forbidden', indicating that the user does not have the appropriate permissions to view that element.
5. Select 'Silence alert', add a comment and submit. The same 'An error occurred Forbidden' message appears, indicating that the user does not have the required permissions to create a silence in the `ns1` project.

Actual results:
A user with the `monitoring-edit` and `admin` cluster roles in the `ns1` project cannot:
* View the 'Alert Details' graph in the `ns1` project
* Create silences in the `ns1` project

Expected results:
For the user to be able to do both of these things.
I've managed to reproduce the issue and IIUC the problem is that the dev console uses the "admin" Alertmanager endpoint (https://alertmanager-main.openshift-monitoring.svc:9094) while it should use the tenancy-aware Alertmanager endpoint (https://alertmanager-main.openshift-monitoring.svc:9092). The former endpoint is protected by oauth-proxy and requires permissions to get any namespace (e.g. cluster admin) while the latter is protected by kube-rbac-proxy, requires permissions to manage prometheusrules in the given namespace and expects a "namespace" query parameter. Transferring to the Dev Console team.
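The tenancy-aware endpoint described in the comment above, as an added example that is not part of the bug report or of the console or operator code: a small script that first checks the namespace-scoped PrometheusRule permission the proxy enforces and then posts the silence to port 9092 with the `namespace` query parameter instead of the admin port. The `/api/v2/silences` path, the service CA location and the verb that kube-rbac-proxy checks for a POST are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug report, the console or the operator.
# Creates a silence through the tenancy-aware Alertmanager port (9092) rather
# than the admin port (9094). Assumptions: the silence API path is Alertmanager's
# /api/v2/silences, the service CA path below is the one mounted into OCP pods,
# and kube-rbac-proxy authorizes a POST as "create" on prometheusrules.
set -eu

ADMIN_AM="https://alertmanager-main.openshift-monitoring.svc:9094"   # oauth-proxy: needs cluster-wide rights
TENANCY_AM="https://alertmanager-main.openshift-monitoring.svc:9092" # kube-rbac-proxy: namespace-scoped
CA_BUNDLE="${SERVICE_CA:-/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt}"

# The tenancy port only authorizes a request that names its namespace.
tenancy_silence_url() {
  printf '%s/api/v2/silences?namespace=%s\n' "$TENANCY_AM" "$1"
}

# Alertmanager v2 silence body. The extra "namespace" matcher keeps the silence
# from muting an alert with the same name in another project.
silence_payload() {
  local ns="$1" alert="$2" author="$3" comment="$4" hours="${5:-2}"
  local start end
  start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  end=$(date -u -d "+${hours} hours" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -v "+${hours}H" +%Y-%m-%dT%H:%M:%SZ)
  printf '{"matchers":[{"name":"alertname","value":"%s","isRegex":false},' "$alert"
  printf '{"name":"namespace","value":"%s","isRegex":false}],' "$ns"
  printf '"startsAt":"%s","endsAt":"%s","createdBy":"%s","comment":"%s"}\n' \
    "$start" "$end" "$author" "$comment"
}

# Pre-flight check mirroring what kube-rbac-proxy enforces on the tenancy port.
can_manage_rules() {
  oc auth can-i create prometheusrules.monitoring.coreos.com -n "$1" >/dev/null 2>&1
}

# Usage: create_silence ns1 VersionAlert "planned maintenance"
create_silence() {
  local ns="$1" alert="$2" comment="$3"
  can_manage_rules "$ns" || { echo "no rights to manage PrometheusRules in $ns" >&2; return 1; }
  curl -sS --fail --cacert "$CA_BUNDLE" -X POST \
    -H "Authorization: Bearer $(oc whoami -t)" -H 'Content-Type: application/json' \
    --data "$(silence_payload "$ns" "$alert" "$(oc whoami)" "$comment")" \
    "$(tenancy_silence_url "$ns")"
}

if [ "$#" -ge 3 ]; then create_silence "$@"; fi
```

Sending the same request to `$ADMIN_AM` with a token that only holds `monitoring-edit` in `ns1` is what produces the Forbidden response seen in the console.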
temporarily reassigning to me to help in the console backend proxy code.
Reassigning to Vikram to take it from here for the frontend fix.
Moving back to ASSIGNED because the frontend change for this fix is not yet implemented.
Verified on:
Build: 4.6.0-0.nightly-2020-10-03-051134
Browser: Google Chrome Version 85.0.4183.102

Marking this as done.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196