Bug 2030630 - 400 Bad Request error for some queries for the non admin user
Summary: 400 Bad Request error for some queries for the non admin user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.9
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.9.z
Assignee: Jan Fajerski
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On: 2024199
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-09 10:45 UTC by Jan Fajerski
Modified: 2022-03-29 07:16 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2024199
Environment:
Last Closed: 2022-03-29 07:16:22 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-monitoring-operator pull 1538 0 None open Bug 2030630: jsonnet: update kube-prometheus and kubernetes-mixin 2022-01-18 15:11:23 UTC
Red Hat Product Errata RHBA-2022:1022 0 None None None 2022-03-29 07:16:38 UTC

Comment 1 Junqi Zhao 2022-01-20 04:40:14 UTC
tested with the PR, still see the error, see from the picture.

Comment 3 Vikram Raj 2022-01-20 09:13:45 UTC
Hi @juzhao, UI cherry-pick PR to 4.9.z is not yet merged. I think that is the reason you are still getting Forbidden errors in the Developer perspective Observe dashboard. BZ ticket for 4.9.z UI changes is https://bugzilla.redhat.com/show_bug.cgi?id=2026414

Comment 4 Jan Fajerski 2022-01-20 09:59:16 UTC
The prometheus oauth-proxy container logs the following:

2022/01/20 09:50:08 provider.go:515: Permission denied for pm1 for check {"resource":"namespaces","scopes":[],"verb":"get"}
2022/01/20 09:50:08 oauthproxy.go:650: 10.131.0.9:58512 Permission Denied: user is unauthorized when redeeming token
2022/01/20 09:50:08 oauthproxy.go:445: ErrorPage 403 Permission Denied Invalid Account

Afaiu that is the correct behavior a user needs to be authorized to GET namespace resources.

Comment 5 Junqi Zhao 2022-01-21 02:06:27 UTC
(In reply to Vikram Raj from comment #3)
> Hi @juzhao, UI cherry-pick PR to 4.9.z is not yet merged. I think
> that is the reason you are still getting Forbidden errors in the Developer
> perspective Observe dashboard. BZ ticket for 4.9.z UI changes is
> https://bugzilla.redhat.com/show_bug.cgi?id=2026414

we are testing with the PR, not test with the nightly payload which include the fix

Comment 6 Jan Fajerski 2022-03-18 09:48:29 UTC
@juzhao Can you please check again with a user that has GET priviliges on namespaces. This should get you past the permission check 2022/01/20 09:50:08 provider.go:515: Permission denied for pm1 for check {"resource":"namespaces","scopes":[],"verb":"get"}

Comment 13 errata-xmlrpc 2022-03-29 07:16:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.26 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1022


Note You need to log in before you can comment on or make changes to this bug.