Bug 1881211 - Unable to create silences as a user with `monitoring-edit` privileges
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.6.0
Assignee: Vikram Raj
QA Contact: Gajanan More
Reported: 2020-09-21 19:59 UTC by Paul Needle
Modified: 2020-10-27 16:43 UTC (History)
Last Closed: 2020-10-27 16:43:35 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift console pull 6740 | 0 | None | closed | Bug 1881211: pkg/server: add alertmanager-tenancy proxy | 2020-11-26 07:23:55 UTC
Github | openshift console pull 6748 | 0 | None | closed | Bug 1881211: use alertmanager-tenancy api end point to create silence in devconsole | 2020-11-26 07:23:55 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:43:51 UTC

Description Paul Needle 2020-09-21 19:59:37 UTC
Description of problem:

I am unable to create silences as a user with `monitoring-edit` privileges for a user-defined project.

Please let me know if I am missing a role prerequisite or a setup step.

Version-Release number of selected component (if applicable):

OCP 4.6.0-0.nightly

How reproducible:

Every time.

Steps to Reproduce:

1. Set up user workload monitoring on a newly installed OCP cluster by using the script in https://github.com/openshift/cluster-monitoring-operator/blob/master/hack/uwm_setup.sh.

2. Create a new user and assign them the following two roles:

a. Assign the `monitoring-edit` cluster role for the `ns1` project:

----
$ oc policy add-role-to-user monitoring-edit user4 -n ns1
Warning: User 'user4' not found
clusterrole.rbac.authorization.k8s.io/monitoring-edit added: "user4"
----

b. Assign the `admin` cluster role for the `ns1` project:

----
$ oc policy add-role-to-user admin user4 -n ns1
Warning: User 'user4' not found
clusterrole.rbac.authorization.k8s.io/admin added: "user4"
----

3. Log in to the OCP web console as the new `user4` user.

4. In the Developer perspective, navigate to Monitoring -> Alerts -> <alert_name> -> Project: ns1. In the scripted example the alert is called `VersionAlert`. The graph under 'Alert Details' on this page states 'An error occurred Forbidden', indicating that the user does not have the appropriate permissions to view that element.

5. Select 'Silence alert', add a comment and submit. The same 'An error occurred Forbidden' message appears, indicating that the user does not have the required permissions to create a silence in the `ns1` project.

Actual results:

A user with the `monitoring-edit` and `admin` cluster roles in the `ns1` project cannot:

* View the 'Alert Details' graph in the ns1 project
* Create silences in the `ns1` project

Expected results:

For the user to be able to do both of these things.

Comment 3 Simon Pasquier 2020-09-22 13:07:02 UTC
I've managed to reproduce the issue and IIUC the problem is that the dev console uses the "admin" Alertmanager endpoint (https://alertmanager-main.openshift-monitoring.svc:9094) while it should use the tenancy-aware Alertmanager endpoint (https://alertmanager-main.openshift-monitoring.svc:9092). The former endpoint is protected by oauth-proxy and requires permissions to get any namespace (e.g. cluster admin) while the latter is protected by kube-rbac-proxy, requires permissions to manage prometheusrules in the given namespace and expects a "namespace" query parameter.

Transferring to the Dev Console team.
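
Added example (not from the bug report or the console code base): building, without sending, a silence request for the tenancy-aware endpoint described in comment 3, carrying the `namespace` query parameter and the user's own bearer token. The `/api/v2/silences` path and payload follow the Alertmanager v2 API; the `namespace` matcher, the function name and the sample values are assumptions.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Tenancy-aware endpoint named in comment 3 (kube-rbac-proxy, port 9092).
TENANCY_BASE = "https://alertmanager-main.openshift-monitoring.svc:9092"


def build_silence_request(namespace, alertname, token, created_by, comment,
                          hours=2, now=None):
    """Build (without sending) a POST to the Alertmanager v2 silences API."""
    if not namespace:
        # The tenancy endpoint expects a "namespace" query parameter; without
        # it the proxy has no namespace to authorize the caller against.
        raise ValueError("namespace is required for the tenancy endpoint")
    start = now or datetime.now(timezone.utc)
    body = {
        "matchers": [
            {"name": "alertname", "value": alertname, "isRegex": False},
            # Assumption: scope the silence to the namespace being authorized.
            {"name": "namespace", "value": namespace, "isRegex": False},
        ],
        "startsAt": start.isoformat(),
        "endsAt": (start + timedelta(hours=hours)).isoformat(),
        "createdBy": created_by,
        "comment": comment,
    }
    query = urllib.parse.urlencode({"namespace": namespace})
    return urllib.request.Request(
        f"{TENANCY_BASE}/api/v2/silences?{query}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",  # the user's own token
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; "sha256~EXAMPLE" is a placeholder token.
    req = build_silence_request("ns1", "VersionAlert", "sha256~EXAMPLE",
                                "user4", "maintenance window")
    print(req.get_method(), req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
```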

Comment 4 Sergiusz Urbaniak 2020-09-24 10:43:17 UTC
Temporarily reassigning to me to help in the console backend proxy code.

Comment 5 Sergiusz Urbaniak 2020-09-24 10:55:52 UTC
Reassigning to Vikram to take it from here for the frontend fix.

Comment 7 Andrew Pickering 2020-09-24 23:50:48 UTC
Moving back to ASSIGNED because the frontend change for this fix is not yet implemented.

Comment 10 Gajanan More 2020-10-07 09:02:05 UTC
Verified on:
Build: 4.6.0-0.nightly-2020-10-03-051134
Browser: Google Chrome Version 85.0.4183.102
Marking this as done

Comment 12 errata-xmlrpc 2020-10-27 16:43:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

