Description of problem:
A user with the cluster-monitoring-view role binding is able to create alerts. Since the user can access the Alertmanager console, it also manages to create alerts.

Version-Release number of selected component (if applicable):
4.7

How reproducible:
always

Steps to Reproduce:
1. create user
2. oc adm policy add-cluster-role-to-user cluster-monitoring-view <user>
3. create alert in the console using <user>

Actual results:
it manages to create the silence:

oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query --alertmanager.url http://localhost:9093
ID                                    Matchers                          Ends At                  Created By  Comment
4bea0b49-08da-4c20-a364-2fd14675af94  Alertname=Prometheusrulefailures  2021-04-07 15:32:17 UTC  test        test
Tested with 4.9.0-0.nightly-2021-07-18-155939: logging in to the Alertmanager UI with a cluster-monitoring-view user now gets 403 Permission Denied, which is inconsistent with the former behaviour; there is no such issue with the other monitoring UIs.

$ oc adm policy add-cluster-role-to-user cluster-monitoring-view juzhao1
$ oc -n openshift-monitoring logs -c alertmanager-proxy alertmanager-main-0
...
2021/07/19 07:31:57 provider.go:627: 200 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~ {"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"juzhao1","uid":"5948ce6a-3131-4fab-9ae8-404a8ba031c3","resourceVersion":"220581","creationTimestamp":"2021-07-19T07:24:43Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"user.openshift.io/v1","time":"2021-07-19T07:24:43Z","fieldsType":"FieldsV1","fieldsV1":{"f:identities":{}}}]},"identities":["Script-Htpassidp:juzhao1"],"groups":["system:authenticated","system:authenticated:oauth"]}
2021/07/19 07:31:57 provider.go:627: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"cluster-monitoring-view\" of ClusterRole \"cluster-monitoring-view\" to User \"juzhao1\""}
2021/07/19 07:31:57 provider.go:627: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"openshift-monitoring","allowed":false}
2021/07/19 07:31:57 provider.go:478: Permission denied for juzhao1 for check {"namespace":"openshift-monitoring","resource":"alertmanagers","resourceAPIGroup":"monitoring.coreos.com","resourceName":"non-existant","scopes":[],"verb":"patch"}
2021/07/19 07:31:57 oauthproxy.go:650: 10.128.2.11:56858 Permission Denied: user is unauthorized when redeeming token
2021/07/19 07:31:57 oauthproxy.go:445: ErrorPage 403 Permission Denied Invalid Account
Ideally only the cluster admin needs access to the Alertmanager UI. Anybody else with just cluster-monitoring-view permissions need not have access, as the only reason to go there is to create and suppress alerts. These actions are write operations and should not be available with just view permissions.
A cluster-monitoring-view user can not see the silences in the console UI and can't log in to the Alertmanager UI (403 error) now. But monitoring-alertmanager-edit is only a Role, not a ClusterRole; "oc adm policy add-role-to-user" adds the role to users or service accounts for one project:

# oc adm policy add-role-to-user --help
Add a role to users or service accounts for the current project.

The monitoring-alertmanager-edit user can log in to neither the Alertmanager UI (403 error) nor the console UI.
(In reply to Junqi Zhao from comment #20)
> the monitoring-alertmanager-edit user can log in to neither the
> Alertmanager UI (403 error) nor the console UI.

Logging in to the console with the monitoring-alertmanager-edit user, there is no "Observe" navigation bar on the left, and the user can't view any resources under user namespaces.
Checked with 4.9.0-0.nightly-2021-07-21-081948, and granted the admin/cluster-monitoring-view/monitoring-alertmanager-edit roles to a user:

# oc adm policy add-cluster-role-to-user cluster-monitoring-view testuser-11
# oc adm policy add-cluster-role-to-user admin testuser-11
# oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n openshift-monitoring

The user can log in to the Alertmanager UI and the console UI, and can silence alerts and check alerts on the console UI.

Note: for
# oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n openshift-monitoring
there is one bug now, see bug 1984904; you can update manually to the correct value, then test.
Thanks for the update Junqi! The following command would also create the correct role binding:

oc adm policy add-role-to-user monitoring-alertmanager-edit user1 -n openshift-monitoring --role-namespace openshift-monitoring

Prashant, could you update the doc text to describe the exact commands to be executed for granting Alertmanager access to a user?
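Added example (not part of the bug report and not OpenShift or oauth-proxy code): a small Python model of the RBAC decision visible in the alertmanager-proxy log in comment 2 and of the bindings the commands in comments 7 and 8 create. It shows why a ClusterRoleBinding to cluster-monitoring-view fails the proxy's "patch alertmanagers in openshift-monitoring" check while a RoleBinding in openshift-monitoring to the Role monitoring-alertmanager-edit passes it, and why a RoleBinding whose roleRef points at a non-existent ClusterRole of the same name grants nothing. The rule contents of both roles are assumptions for illustration (cluster-monitoring-view modelled as read-only, monitoring-alertmanager-edit as granting patch on alertmanagers); the binding names, the check shape and the namespace come from the log above.

```python
"""Model of the SubjectAccessReview the Alertmanager oauth-proxy performs.

Added example: not code from the bug report or from OpenShift. Role rule
contents below are ASSUMED for illustration only.
"""
from dataclasses import dataclass

NS = "openshift-monitoring"


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def matches(self, group, resource, verb):
        return group in self.api_groups and resource in self.resources and verb in self.verbs


# Role catalogue keyed by (kind, namespace, name); ClusterRoles use namespace None.
# ASSUMED rules: cluster-monitoring-view is read-only, monitoring-alertmanager-edit
# grants patch on alertmanagers inside openshift-monitoring.
ROLES = {
    ("ClusterRole", None, "cluster-monitoring-view"): [
        Rule(frozenset({"monitoring.coreos.com"}),
             frozenset({"alertmanagers", "prometheuses"}),
             frozenset({"get", "list", "watch"})),
    ],
    ("Role", NS, "monitoring-alertmanager-edit"): [
        Rule(frozenset({"monitoring.coreos.com"}),
             frozenset({"alertmanagers"}),
             frozenset({"patch"})),
    ],
}


def binding(kind, name, role_kind, role_name, users, namespace=None):
    """Dict shaped like the (Cluster)RoleBinding manifest that
    `oc adm policy add-(cluster-)role-to-user` creates."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": kind,
        "metadata": meta,
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": role_name},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": u} for u in users],
    }


def subject_access_review(bindings, user, check):
    """Evaluate a check of the form logged by provider.go:478:
    {"namespace", "resource", "resourceAPIGroup", "verb"}."""
    for b in bindings:
        if user not in {s["name"] for s in b["subjects"]}:
            continue
        b_ns = b["metadata"].get("namespace")
        if b["kind"] == "RoleBinding" and b_ns != check["namespace"]:
            continue  # a RoleBinding only grants inside its own namespace
        ref = b["roleRef"]
        # A roleRef of kind Role resolves in the binding's namespace; a roleRef
        # naming a kind/name that does not exist grants nothing (standard RBAC).
        key = (ref["kind"], b_ns if ref["kind"] == "Role" else None, ref["name"])
        for rule in ROLES.get(key, []):
            if rule.matches(check["resourceAPIGroup"], check["resource"], check["verb"]):
                return True
    return False


# The check the proxy logged for juzhao1 (resourceName omitted; it does not matter here).
ALERTMANAGER_PATCH = {"namespace": NS, "resource": "alertmanagers",
                      "resourceAPIGroup": "monitoring.coreos.com", "verb": "patch"}


def alertmanager_ui_status(bindings, user):
    """HTTP status the proxy would answer: 200 if the patch check passes, else 403."""
    return 200 if subject_access_review(bindings, user, ALERTMANAGER_PATCH) else 403


def grant_view(user):
    """oc adm policy add-cluster-role-to-user cluster-monitoring-view <user>"""
    return binding("ClusterRoleBinding", "cluster-monitoring-view",
                   "ClusterRole", "cluster-monitoring-view", [user])


def grant_alertmanager_edit(user):
    """oc adm policy add-role-to-user monitoring-alertmanager-edit <user> \
         -n openshift-monitoring --role-namespace openshift-monitoring"""
    return binding("RoleBinding", "monitoring-alertmanager-edit",
                   "Role", "monitoring-alertmanager-edit", [user], namespace=NS)


if __name__ == "__main__":
    print("view only:", alertmanager_ui_status([grant_view("juzhao1")], "juzhao1"))
    both = [grant_view("testuser-11"), grant_alertmanager_edit("testuser-11")]
    print("view + edit:", alertmanager_ui_status(both, "testuser-11"))
```

The third case worth trying is a RoleBinding whose roleRef says `kind: ClusterRole` for `monitoring-alertmanager-edit`: the lookup finds no such ClusterRole, so the user still gets 403, which is why the roleRef in the binding must name the Role in openshift-monitoring.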
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759