Bug 1947005 - cluster-monitoring-view role allows to create alert silences
Summary: cluster-monitoring-view role allows to create alert silences
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: 4.9.0
Assignee: Prashant Balachandran
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-07 13:39 UTC by German Parente
Modified: 2021-10-18 17:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: cluster-monitoring-view role is a generic role within monitoring.
Consequence: this allows alerts to be silenced and created. As the role is named cluster-monitoring-view, it should not allow any write operation.
Fix: adding a new role monitoring-alertmanager-edit. The following commands can be used to allow users to access the Alertmanager:
oc adm policy add-cluster-role-to-user cluster-monitoring-view user1
oc adm policy add-role-to-user monitoring-alertmanager-edit user1 -n openshift-monitoring --role-namespace openshift-monitoring
Result: This role will now be required to silence and create alerts in addition to the cluster-monitoring-view role.
Clone Of:
Environment:
Last Closed: 2021-10-18 17:29:50 UTC
Target Upstream Version:
Links:
Red Hat Product Errata RHSA-2021:3759 (last updated 2021-10-18 17:30:13 UTC)

Description German Parente 2021-04-07 13:39:54 UTC
Description of problem:

A user with the cluster-monitoring-view role binding is able to create alerts.

Since the user can access the Alertmanager console, they also manage to create alerts.



Version-Release number of selected component (if applicable): 4.7


How reproducible: always.



Steps to Reproduce:
1. create user
2. oc adm policy add-cluster-role-to-user cluster-monitoring-view <user>
3. create alert in the console using <user>

Actual results: the user manages to create the silence:

oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query --alertmanager.url http://localhost:9093
ID                                    Matchers                          Ends At                  Created By  Comment  
4bea0b49-08da-4c20-a364-2fd14675af94  Alertname=Prometheusrulefailures  2021-04-07 15:32:17 UTC  test        test

Comment 10 Junqi Zhao 2021-07-19 07:41:33 UTC
Tested with 4.9.0-0.nightly-2021-07-18-155939. Logging in to the Alertmanager UI with a cluster-monitoring-view user gets 403 Permission Denied now, which is inconsistent with the former behaviour; there is no such issue with the other monitoring UIs.
$ oc adm policy add-cluster-role-to-user cluster-monitoring-view juzhao1

$ oc -n openshift-monitoring logs -c alertmanager-proxy alertmanager-main-0
...
2021/07/19 07:31:57 provider.go:627: 200 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~ {"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"juzhao1","uid":"5948ce6a-3131-4fab-9ae8-404a8ba031c3","resourceVersion":"220581","creationTimestamp":"2021-07-19T07:24:43Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"user.openshift.io/v1","time":"2021-07-19T07:24:43Z","fieldsType":"FieldsV1","fieldsV1":{"f:identities":{}}}]},"identities":["Script-Htpassidp:juzhao1"],"groups":["system:authenticated","system:authenticated:oauth"]}
2021/07/19 07:31:57 provider.go:627: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"cluster-monitoring-view\" of ClusterRole \"cluster-monitoring-view\" to User \"juzhao1\""}
2021/07/19 07:31:57 provider.go:627: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"openshift-monitoring","allowed":false}
2021/07/19 07:31:57 provider.go:478: Permission denied for juzhao1@cluster.local for check {"namespace":"openshift-monitoring","resource":"alertmanagers","resourceAPIGroup":"monitoring.coreos.com","resourceName":"non-existant","scopes":[],"verb":"patch"}
2021/07/19 07:31:57 oauthproxy.go:650: 10.128.2.11:56858 Permission Denied: user is unauthorized when redeeming token
2021/07/19 07:31:57 oauthproxy.go:445: ErrorPage 403 Permission Denied Invalid Account
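
The proxy log above shows the two-step check alertmanager-proxy performs: a cluster-level SubjectAccessReview that cluster-monitoring-view passes, then a namespaced patch check on alertmanagers.monitoring.coreos.com that it fails. As an added example (not code from the bug or from the OpenShift project), here is a small parser that turns such lines into events and lists the denied write checks; the log lines it runs on are constructed to match the shape of comment 10, not a verbatim capture.

```python
import json
import re

# Constructed sample lines modelled on the alertmanager-proxy log excerpt in
# comment 10 (same shape, not a verbatim capture): a SAR allowed by
# cluster-monitoring-view, a namespaced SAR that is denied, and the proxy's
# "Permission denied" line naming the check that failed.
SAMPLE_LOG = [
    r'2021/07/19 07:31:57 provider.go:627: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"cluster-monitoring-view\" of ClusterRole \"cluster-monitoring-view\" to User \"juzhao1\""}',
    r'2021/07/19 07:31:57 provider.go:627: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"openshift-monitoring","allowed":false}',
    r'2021/07/19 07:31:57 provider.go:478: Permission denied for juzhao1@cluster.local for check {"namespace":"openshift-monitoring","resource":"alertmanagers","resourceAPIGroup":"monitoring.coreos.com","resourceName":"non-existant","scopes":[],"verb":"patch"}',
    r'2021/07/19 07:31:57 oauthproxy.go:650: 10.128.2.11:56858 Permission Denied: user is unauthorized when redeeming token',
]

SAR_RE = re.compile(r'^(\S+ \S+) provider\.go:\d+: \d{3} POST \S+/subjectaccessreviews (\{.*\})$')
DENIED_RE = re.compile(r'^(\S+ \S+) provider\.go:\d+: Permission denied for (\S+) for check (\{.*\})$')
ROLE_RE = re.compile(r'of (ClusterRole|Role) "([^"]+)"')
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def parse_proxy_log(lines):
    """Turn SubjectAccessReview responses and 'Permission denied' lines into events."""
    events = []
    for line in lines:
        if m := SAR_RE.match(line):
            body = json.loads(m.group(2))
            events.append({"ts": m.group(1), "kind": "sar", "allowed": body.get("allowed"),
                           "namespace": body.get("namespace"), "reason": body.get("reason", "")})
        elif m := DENIED_RE.match(line):
            events.append({"ts": m.group(1), "kind": "denied", "user": m.group(2),
                           "check": json.loads(m.group(3))})
    return events

def granting_roles(reason):
    """Roles named in an allowed SAR reason, e.g. [('ClusterRole', 'cluster-monitoring-view')]."""
    return ROLE_RE.findall(reason)

def denied_write_checks(events):
    """Denied checks whose verb is a write; these are the accesses the fix is meant to block."""
    out = []
    for ev in events:
        if ev["kind"] != "denied":
            continue
        chk = ev["check"]
        if chk.get("verb") in WRITE_VERBS:
            out.append((ev["user"], f'{chk["resourceAPIGroup"]}/{chk["resource"]}',
                        chk["verb"], chk["namespace"]))
    return out

if __name__ == "__main__":
    evs = parse_proxy_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"], ev["kind"], ev.get("allowed"), granting_roles(ev.get("reason", "")))
    print(denied_write_checks(evs))
```

Run against the real `oc -n openshift-monitoring logs -c alertmanager-proxy alertmanager-main-0` output, the denied list shows which users were stopped at the namespaced write check, while the roles list shows which binding let them through the first one.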

Comment 18 Prashant Balachandran 2021-07-21 05:59:10 UTC
Ideally only the cluster admin needs access to the alert manager UI. Anybody else with just cluster-monitoring-view permissions need not have access as the only reason to go there is to create and suppress alerts. These actions are write operations and should not be available with just view permissions.

Comment 20 Junqi Zhao 2021-07-21 07:58:16 UTC
A cluster-monitoring-view user cannot see the silences in the console UI and can't log in to the Alertmanager UI (403 error) now.
But monitoring-alertmanager-edit is only a role, not a clusterrole.
"oc adm policy add-role-to-user" adds the role to users or service accounts for one project.

# oc adm policy add-role-to-user --help
Add a role to users or service accounts for the current project.

The monitoring-alertmanager-edit user cannot log in to either the Alertmanager UI (403 error) or the console UI.

Comment 21 Junqi Zhao 2021-07-21 08:08:25 UTC
(In reply to Junqi Zhao from comment #20)
> The monitoring-alertmanager-edit user cannot log in to either the
> Alertmanager UI (403 error) or the console UI.

Logging in to the console with the monitoring-alertmanager-edit user, there is no "Observe" navigation bar on the left and the user can't view any resources under user namespaces.

Comment 24 Junqi Zhao 2021-07-22 12:59:13 UTC
Checked with 4.9.0-0.nightly-2021-07-21-081948, and granted the admin/cluster-monitoring-view/monitoring-alertmanager-edit roles to the user:
# oc adm policy add-cluster-role-to-user cluster-monitoring-view testuser-11
# oc adm policy add-cluster-role-to-user admin testuser-11
# oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n openshift-monitoring

The user can log in to the Alertmanager UI and the console UI, and can silence alerts and check alerts on the console UI.

Note: for
# oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n openshift-monitoring
there is one bug now (see bug 1984904); you can manually update it to the correct value and then test.

Comment 25 Simon Pasquier 2021-07-23 07:54:53 UTC
Thanks for the update Junqi! The following command would also create the correct role binding:
oc adm policy add-role-to-user monitoring-alertmanager-edit user1 -n openshift-monitoring --role-namespace openshift-monitoring

Prashant, could you update the doc text to describe the exact commands to be executed for granting Alertmanager access to a user?

Comment 34 errata-xmlrpc 2021-10-18 17:29:50 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759
