1913366 – Access to the ES root url / from a project's pod on Openshift

Bug 1913366 - Access to the ES root url / from a project's pod on Openshift

Summary: Access to the ES root url / from a project's pod on Openshift

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Logging
Sub Component:
Version:	4.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.5.z
Assignee:	Jeff Cantrill
QA Contact:	Anping Li
Docs Contact:
URL:
Whiteboard:	logging-exploration
Depends On:	1913483
Blocks:
TreeView+	depends on / blocked

Reported:	2021-01-06 15:17 UTC by OpenShift BugZilla Robot
Modified:	2024-03-25 17:45 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Non-administrative users do not have the MONITOR permission set to allow them to query to root endpoint to retrieve the ES version. Consequence: Users received a 403 response which would break any services that utilized this endpoint in prior releases Fix: Update the permission set to allow query of the root endpoint Result: Users are now able to determine the deployed version of ES
Clone Of:
Environment:
Last Closed:	2021-02-09 13:25:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift origin-aggregated-logging pull 2038	0	None	closed	Bug 1913366: Allow project users to view root endpoint	2021-02-07 15:46:37 UTC
Red Hat Product Errata	RHBA-2021:0315	0	None	None	None	2021-02-09 13:25:30 UTC

Comment 5 Anping Li 2021-02-03 14:21:16 UTC

Verified on elasticsearch-operator.4.5.0-202102030632.p0

$ oc get projects
NAME       DISPLAY NAME   STATUS
logflatx                  Active
$ oc whoami -t
YmVJDf3W59fwcdk-6_MP459DJtIzFQxxJeA4GXh30wU
$ oc get pods -n logflatx
NAME                   READY   STATUS    RESTARTS   AGE
centos-logtest-t94lq   1/1     Running   0          3h3m
$ oc exec centos-logtest-t94lq -- curl -tlsv1.2 --insecure -H "Authorization: Bearer YmVJDf3W59fwcdk-6_MP459DJtIzFQxxJeA4GXh30wU"  https://elasticsearch.openshift-logging.svc:9200
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{
  "name" : "elasticsearch-cdm-gnd2joi8-2",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "tXVZ4jFcQVaou7LR6Gwj0w",
  "version" : {
    "number" : "6.8.1",
    "build_flavor" : "oss",
    "build_type" : "zip",
    "build_hash" : "Unknown",
    "build_date" : "Unknown",
    "build_snapshot" : true,
    "lucene_version" : "7.7.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Comment 7 errata-xmlrpc 2021-02-09 13:25:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.31 extras update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0315

Note You need to log in before you can comment on or make changes to this bug.