Bug 2034688 - Allow Prometheus/Thanos to return 401 or 403 when the request isn't authenticated
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Target Release: 4.11.0
Assignee: Haoyu Sun
QA Contact: hongyan li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-21 17:15 UTC by Haoyu Sun
Modified: 2022-08-10 10:41 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-10 10:41:05 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 26695 0 None open WIP: Bug 2034688: allow Prometheus/Thanos to return 401 or 403 when the request isn't authenticated 2021-12-21 17:22:18 UTC
Red Hat Product Errata RHSA-2022:5069 0 None None None 2022-08-10 10:41:27 UTC

Description Haoyu Sun 2021-12-21 17:15:40 UTC
Description of problem:
The openshift/origin test should allow Prometheus/Thanos to return 401 or 403 when the request isn't authenticated.

Version-Release number of selected component (if applicable):


How reproducible:
When CI-testing the pull request https://github.com/openshift/cluster-monitoring-operator/pull/1512, in the ci/prow/e2e-agnostic results the test "[sig-instrumentation] Prometheus when installed on the cluster should start and expose a secured proxy and unsecured metrics" fails incorrectly:
This test of calling Thanos querier root URL without authentication should return 401 unauthorized instead of 403 forbidden. The test code sends a request using the curl command curl -k -s -o /dev/null -w 403 https://thanos-querier.openshift-monitoring.svc:9091 without providing any information for authentication. A response with status code 401 should be expected. Same goes for the test "[sig-instrumentation][sig-builds][Feature:Builds] Prometheus when installed on the cluster should start and expose a secured proxy and verify build metrics", too.


Actual results:
The test "[sig-instrumentation] Prometheus when installed on the cluster should start and expose a secured proxy and unsecured metrics" accepts HTTP code 403 only.

Expected results:
The test "[sig-instrumentation] Prometheus when installed on the cluster should start and expose a secured proxy and unsecured metrics" accepts both HTTP codes 401 and 403.

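The check the description asks for, written out as an added example (my own helper, not openshift/origin's test code): an unauthenticated request to the Thanos querier is treated as correctly rejected when the status is 401 or 403, and as a failure for anything else, including 200 or curl's 000 when no HTTP response arrives. The function names are assumptions; the URL is the one quoted in the bug.

```shell
#!/bin/sh
# Added example, not code from openshift/origin or cluster-monitoring-operator.
# Verifies that an endpoint refuses anonymous requests, accepting either of the
# two rejection codes the bug says the e2e test should tolerate.

# status_is_rejected CODE -> exit 0 when CODE is 401 or 403, 1 otherwise.
status_is_rejected() {
    case "$1" in
        401|403) return 0 ;;
        *)       return 1 ;;
    esac
}

# unauthenticated_status URL -> prints the HTTP status curl received when
# sending no credentials at all (no bearer token, no client certificate).
# -k is tolerable only because this probe checks the auth decision, not TLS.
# curl prints 000 when it never got an HTTP response.
unauthenticated_status() {
    curl -k -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# check_secured_proxy URL -> 0 if the endpoint rejected the anonymous request.
check_secured_proxy() {
    code=$(unauthenticated_status "$1")
    if status_is_rejected "$code"; then
        echo "ok: $1 rejected anonymous request with HTTP $code"
        return 0
    fi
    echo "FAIL: $1 answered anonymous request with HTTP $code (expected 401 or 403)" >&2
    return 1
}

# Only touch the network when a URL is given, so the functions above can be
# sourced and unit-tested without cluster access. Hypothetical default target:
# https://thanos-querier.openshift-monitoring.svc:9091
if [ "$#" -gt 0 ]; then
    check_secured_proxy "$1"
fi
```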
Comment 5 hongyan li 2022-03-21 07:00:57 UTC
The change is about an e2e test, not related to the product.

I accessed the thanos-querier API without access and got 403. 401 is also OK per the error code definition.
$ host=$(oc -n openshift-monitoring get route thanos-querier -ojsonpath={.spec.host})
$ curl -k -L -o /dev/null -w %{http_code} "https://$host/api/v1/stores"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 85124    0 85124    0     0  54899      0 --:--:--  0:00:01 --:--:-- 55275
403

Tried with payload
4.11.0-0.nightly-2022-03-20-160505

Comment 9 errata-xmlrpc 2022-08-10 10:41:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069
