Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1973710

Summary: User impersonation in console does not work for metrics requests
Product: OpenShift Container Platform Reporter: Debarati Basu-Nag <dbasunag>
Component: Dev ConsoleAssignee: Yadan Pei <yapei>
Status: CLOSED ERRATA QA Contact: Mike Fiedler <mifiedle>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.8CC: anpicker, cjerolim, cnv-qe-bugs, cvogt, danken, eparis, fdeutsch, jfajersk, kmajcher, liqcui, mifiedle, msaud, nmukherj, sbudhwar, spadgett, spasquie, sradco, stirabos, viraj
Target Milestone: ---Flags: cvogt: needinfo-
cvogt: needinfo-
viraj: needinfo-
Target Release: 4.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-28 05:57:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Unprivileged User metric query output
none
User permission none

Description Debarati Basu-Nag 2021-06-18 14:18:28 UTC 
Created attachment 1792065 [details]
Unprivileged User metric query output

Description of problem: For vms created as admin user against default namespace, unprivileged user is not supposed to be able to make metric queries/view results.


Version-Release number of selected component (if applicable):
Provider
OpenStack
OpenShift version
4.8.0-fc.5
Update channel

How reproducible:
Consistently reproducible.

Steps to Reproduce:
1. Create a vm as an admin user under default namespace
2. Run ping to localhost on the same vm to generate some network traffic
3. Ensure no "view" permission exists for an unprivileged user to default name space (Checked rolebindings - none exists)
4. Login as unprivileged user and check if there is any ability to query key metrics against default namespace. Unprivileged user should not be able to do so.

Actual results:
Results are returned with values showing up for metrics

Expected results:
Only user with view permission on a given project should be able to see metrics for that project.
Additional info:
Comment 1 Debarati Basu-Nag 2021-06-18 14:19:38 UTC 
Created attachment 1792066 [details]
User permission
Comment 2 Fabian Deutsch 2021-06-21 14:30:09 UTC 
In OpenShift - and Kubernetes - there is no such concept of a "creator", and not such a concept of inherited ownership.
(There is a concpet of object ownership i.e. with operators and controllers, but this is not meant here).

Thus with this being said permissions are resembled around namespaces. Thus any user having access to the default namespace has access ot the objects within. Thus from this perspective to me this is not a bug.

Can you confirm that a unprivileged user can NOT read the metrics of VMs from an admin namespace (i.e. my-admin-namespace) that can not be accessed by the unprivileged user?
Comment 3 Samuel Padgett 2021-06-24 12:43:21 UTC 
Changing to the monitoring component since it's not up to the console to do any RBAC checks. Console uses the user's token when it runs queries, and it's up to monitoring to do any access reviews.

Having said that, showing the empty role bindings tab for the user doesn't necessarily mean the user is unprivileged. I'm not sure the exact subject access review monitoring uses. Can you try the following command?

$ oc auth can-i get namespaces/default --all-namespaces
Comment 4 Jan Fajerski 2021-06-25 08:20:20 UTC 
(In reply to Fabian Deutsch from comment #2)
> In OpenShift - and Kubernetes - there is no such concept of a "creator", and
> not such a concept of inherited ownership.
> (There is a concpet of object ownership i.e. with operators and controllers,
> but this is not meant here).
> 
> Thus with this being said permissions are resembled around namespaces. Thus
> any user having access to the default namespace has access ot the objects
> within. Thus from this perspective to me this is not a bug.
> 
> Can you confirm that a unprivileged user can NOT read the metrics of VMs
> from an admin namespace (i.e. my-admin-namespace) that can not be accessed
> by the unprivileged user?

I agree with Fabian here.

The monitoring components do check RBAC for metric queries. Waiting for the needinfo, but I suspect this is NOTABUG.
Comment 5 Simon Pasquier 2021-06-28 15:17:30 UTC 
The kube-rbac-proxy service in front of the Thanos querier verifies that the user has permissions to get pods metrics in the given namespace [1]. If so the user can query any metric in the namespace. As already said above, no rolebinfings doesn't mean that the user is unprivileged (otherwise access to the console wouldn't be possible).

[1] https://github.com/openshift/cluster-monitoring-operator/blob/625f9341aaa0f74b84dfc5cc132a83305cb97432/assets/thanos-querier/kube-rbac-proxy-secret.yaml#L14-L18
Comment 6 Debarati Basu-Nag 2021-06-29 20:37:53 UTC 
Please note: I am currently waiting on a 4.8 cluster to verify output of `oc auth can-i get namespaces/default --all-namespaces`. I will update this bug, as soon as I can collect that information.
Comment 7 Samuel Padgett 2021-06-29 20:49:02 UTC 
Based on comment #5, it looks like we check specifically for pod access. I'd check

$ oc auth can-i get pods -n default
Comment 8 Debarati Basu-Nag 2021-06-30 20:41:10 UTC 
Here is the output:
(cnv-tests) [cnv-qe-jenkins@infra-debug1b-85zrr-executor cnv-tests]$ oc auth can-i get pods -n default --as=unprivileged-user
no
(cnv-tests) [cnv-qe-jenkins@infra-debug1b-85zrr-executor cnv-tests]$ 

Please note: With further triaging on this, I was able to isolate the issue to be only relevant to UI option to Impersonate a user. This may not be just applicable to `key metrics` however. This is reproducible consistently on firefox and chrome -only with the following steps.
Create an unprivileged user
Steps:
1) login as kubeadmin
2) Open Administrator> User management> Users > Impersonate User unprivileged user
3) this loads the browser logged in as unprivileged user and switches to Developer perspective.
4) At this point open monitoring and note, we can not load "default" namespace - only option available for Projects dropdown is: "Openshift-virtualization-os-images".

Now go back to step 1 by logging out and re-login as kubeadmin. Access "default" namespace as kubeadmin(Administrator>Administration>Namespaces>"default") and repeat steps 2-4, now I can see by default the monitoring page has Project "default" selected. From this point. I can make any key metrics query.


Will be attaching screenshots.

Also note: this works as expected, if instead of "Impersonate User", I actually login with the same user credentials.
Comment 11 Jan Fajerski 2021-07-01 06:45:02 UTC 
I agree this seems like a console issue.
Using `oc adm top pods` as a test I can confirm that an unprivileged user can not query metrics through the k8s API. Hitting the prometheus query interface directly requires an authorization token as well.

Reassigning to the console team.
Comment 12 Samuel Padgett 2021-07-01 12:29:08 UTC 
Impersonation does not work for metrics requests since it relies on the k8s API impersonation headers, and those aren't supported for Prometheus queries. I don't think we can fix this in console alone aside from maybe disabling all metrics when impersonation is active.

Note that there is no security exposure here since you're actually logged in as a user with authority to see those charts.
Comment 13 Andrew Pickering 2021-07-02 07:40:21 UTC 
In the admin console, we hide the whole "Monitoring" section from the sidebar, so I think this is just a UX issue for the dev console. Perhaps the dev console should also hide some of those links from the navigation?
Comment 14 Krzysztof Majcher 2021-08-03 08:32:33 UTC 
Can we get an update from the Dev Console team please?
Comment 25 Krzysztof Majcher 2022-04-11 16:46:06 UTC 
Thanks Samuel. Christian, when can I expect this bug to be fixed?
Comment 31 Krzysztof Majcher 2022-07-18 08:02:43 UTC 
Hi, I assume this won't be addressed in 4.11?
Please update the target release.
Comment 32 Debarati Basu-Nag 2022-07-30 02:36:59 UTC 
I have not been able to reproduce this issue against 4.11 cluster. As vikram mentioned, as an unprivileged user, I am no longer able to see metrics options.
Comment 33 Christoph Jerolimov 2022-09-19 07:24:42 UTC 
Based on the comments this is fixed in 4.11.

@viraj can you add a PR link to this ticket?

@dbasunag Is there a need to backport this to 4.10 or 4.9?

I close this, for now, please let us know if some additional info or steps are needed from our side.
Comment 34 Vikram Raj 2022-09-20 08:29:17 UTC 
Looks like it has been fixed by this PR https://github.com/openshift/console/pull/9362
Comment 36 Mike Fiedler 2022-09-22 16:50:59 UTC 
Marking verified in 4.11.6 per comment 32
Comment 38 errata-xmlrpc 2022-09-28 05:57:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.11.6 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6659
Comment 39 Red Hat Bugzilla 2023-09-18 00:27:43 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days