Loading...

XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Labels:
- 4.16-candidate

Epic Name:
Investigate reducing permissions to anonymous user
Work Type:
BU Product Work
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Epic Status:
To Do
Feature Link:
OCPSTRAT-1378 - Reduced the permissions for anonymous users and groups
Parent Link:
OCPSTRAT-1378Reduced the permissions for anonymous users and groups
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Release Note Type:
Removed Functionality
Target Version:

openshift-4.16

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

RedHat allows following roles for system:anonymous user and system:unauthenticated group:

oc get clusterrolebindings -o json | jq '.items[] | select(.subjects[]?.kind

== "Group" and .subjects[]?.name == "system:unauthenticated") |

.metadata.name' | uniq

Returns what unauthenticated users can do, which is the following:

"self-access-reviewers"

"system:oauth-token-deleters"

"system:openshift:public-info-viewer"

"system:public-info-viewer"

"system:scope-impersonation"

"system:webhooks"

Customers would like to minimize the allowed permissions to unauthenticated groups and users.

Workaround available: Gating the access with policy engines

Outcome: Minimize the allowed roles for unauthenticated access

Goals of spike:

Investigate impact of disabling the roles listed above for new and existing clusters
Document risks and feasibility

causes

OCPBUGS-33453 Need auth to access public images

Closed

is blocked by

OCPBUGS-33378 Builds TestWebhook failed on step testing unauthenticated forbidden on upgrade

Closed

is related to

OCPBUGS-33041 Anonymous Users Cannot Trigger BuildConfig Webhooks

Closed

relates to

RFE-5312 Minimize permissions for unauthenticated user access to apiserver

Accepted

links to

[MSTR-1130] Management Console logout fails to invalidate the token if there is no clusterrolebinding/system:oauth-token-deleters which is deprecated and to be future removed by the enhancement doc

openshift/cluster-image-registry-operator#1046: OCPBUGS-33453: add SAR capability to image-registry

openshift/image-registry#400: OCPBUGS-33453: Use SAR instead of SSAR [wip]

openshift/image-registry#402: OCPBUGS-33453: Use SAR instead of SSAR

openshift/openshift-apiserver#423: AUTH-509: remove unauthenticated group from any cluster role binding

openshift/openshift-docs#75133: [WIP] AUTH-509: add unauth grp restore

openshift/openshift-docs#75173: [DOCS] AUTH-509 Reducing permissions for unauthenticated users for apiserver access

openshift/openshift-docs#77075: OSDOCS-10363 RN for AUTH-509

openshift/openshift-docs#77918: [enterprise-4.16] [DOCS] AUTH-509 Reducing permissions for unauthenticated users for apiserver access

openshift/openshift-tests-private#16383: OCPQE-21339: fix OCP-49757 failure specific for 4.16 due to AUTH-509

openshift/openshift-tests-private#16594: Update 48959 to match AUTH-509 for 4.16

openshift/origin#28686: AUTH-509: Remove `system:anonymous` test cases

(11 links to)

Assignee:: Krzysztof Ostrowski

Reporter:: Anjali Telang

QA Contact:: Deepak Punia (Inactive)

Doc Contact:: Andrea Hoffer

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/03/20 6:09 PM

Updated:: 2024/09/04 9:45 PM

Resolved:: 2024/06/11 9:02 AM