Bug 1960767 - /metrics endpoint of the Grafana UI is accessible without authentication
Summary: /metrics endpoint of the Grafana UI is accessible without authentication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.8.0
Assignee: Arunprasad Rajkumar
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-14 19:21 UTC by Nikhil Joshi
Modified: 2021-07-27 23:08 UTC
CC: 9 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:08:44 UTC
Target Upstream Version:
Embargoed:


Attachments:
/metrics endpoint accessible (291.83 KB, image/png), 2021-05-14 19:21 UTC, Nikhil Joshi


Links:
GitHub openshift/cluster-monitoring-operator pull 1165 (open): Bug 1960767: Protect Grafana metrics endpoint, last updated 2021-05-21 09:13:19 UTC
Red Hat Product Errata RHSA-2021:2438, last updated 2021-07-27 23:08:57 UTC

Description Nikhil Joshi 2021-05-14 19:21:53 UTC
Created attachment 1783306
/metrics endpoint accessible

Description of problem:

IHAC who came up with security concerns regarding the Red Hat OpenShift Container Platform v3.11.x Grafana web console.
After they access the Grafana route and append /metrics to it, they find that the live memory stats and other stats are displayed without having to authenticate into Grafana. I also checked this in my cluster and the behavior is the same. Additionally, if the page is refreshed, the values of the stats also change, suggesting that these are LIVE numbers.
This issue is also present on v4.7.
Version-Release number of selected component (if applicable):
3.11.x and also present on v4.7

Steps to Reproduce:
1. Append /metrics to the Grafana UI URL.
2. Observe that the page opens without authentication.
3. Also observe that on refreshing the page the numbers change, suggesting they are LIVE values.

Actual results:
The /metrics endpoint is accessible to anyone without any authentication.

Expected results:
The /metrics endpoint should not be accessible without authentication.

Additional info:
Attached the result
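The following script is an added example of how to check for the behaviour described in this report; it is not part of the bug report or of the cluster-monitoring-operator fix. It assumes an `oc` session logged into the cluster, that the monitoring routes live in the `openshift-monitoring` namespace, and that they carry the default names `grafana`, `alertmanager-main`, `prometheus-k8s` and `thanos-querier` (the latter three are the endpoints Comment 6 reports as still unprotected after the Grafana fix). The sample response body used for the self-check is constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example, not code from the bug report: probe OpenShift monitoring routes
# for a /metrics endpoint that answers without credentials.
# Assumptions: `oc` is logged in; routes are in openshift-monitoring; route names
# match a default 4.x install. Adjust ROUTES if your cluster differs.
set -u

ROUTES="grafana alertmanager-main prometheus-k8s thanos-querier"

# Constructed sample of what an unauthenticated 200 looked like in this bug:
# Prometheus exposition text, not a Grafana login page.
SAMPLE_EXPOSED_BODY='# HELP go_goroutines Number of goroutines that currently exist.
# TYPE go_goroutines gauge
go_goroutines 42'

# Classify an HTTP status plus the first bytes of the body. A 200 that carries
# "# HELP"/"# TYPE" lines means live metrics are served to anyone; a 200 with
# anything else is usually the oauth-proxy login page rendered at that path.
classify_metrics_response() {
    status="$1"
    body="$2"
    case "$status" in
        200)
            if printf '%s\n' "$body" | grep -qE '^# (HELP|TYPE) '; then
                echo exposed
            else
                echo unexpected-200
            fi ;;
        301|302|303|307|308) echo redirect ;;    # bounced to a login page: protected
        401|403)             echo protected ;;
        *)                   echo "other-$status" ;;
    esac
}

# Offline self-check on the constructed sample; returns the verdict string.
self_check() {
    classify_metrics_response 200 "$SAMPLE_EXPOSED_BODY"
}

# Fetch /metrics from a route host with no credentials and classify the reply.
# -k skips TLS verification: the router cert may be self-signed and the question
# here is authentication, not transport; use --cacert instead where possible.
probe_route() {
    host="$1"
    tmp="$(mktemp)"
    status="$(curl -sk -o "$tmp" -w '%{http_code}' --max-time 10 "https://${host}/metrics")"
    classify_metrics_response "$status" "$(head -c 4096 "$tmp")"
    rm -f "$tmp"
}

# Walk the monitoring routes; exit 1 if any of them served metrics unauthenticated.
main() {
    rc=0
    for route in $ROUTES; do
        host="$(oc -n openshift-monitoring get route "$route" -o jsonpath='{.spec.host}' 2>/dev/null)" || true
        if [ -z "$host" ]; then
            printf '%-18s route not found (not logged in, or different route name)\n' "$route"
            continue
        fi
        verdict="$(probe_route "$host")"
        printf '%-18s %-50s %s\n' "$route" "$host" "$verdict"
        [ "$verdict" = exposed ] && rc=1
    done
    return $rc
}

main
```

Run it as `sh probe-metrics.sh` against a cluster before and after applying the errata; a non-zero exit means at least one route still returns exposition text to an anonymous client, so it doubles as a post-upgrade check. The classifier deliberately distinguishes a genuine 200 with metrics from a 200 that is really an HTML login page, and treats a redirect to the oauth-proxy or a 401/403 as protected.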

Comment 6 Junqi Zhao 2021-05-25 08:55:56 UTC
tested with 4.8.0-0.nightly-2021-05-25-041803
grafana metrics endpoint is secured now, but alertmanager/prometheus/thanos-querier are not secured, see bug 1964334

Comment 9 errata-xmlrpc 2021-07-27 23:08:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

