OpenShift Logging: LOG-3434

Elasticsearch authorization not working as expected with "auth can-i get pods/log"


      Description of problem:

      According to Access Control we are running oc auth can-i get pods/log -n default to validate whether somebody is an OpenShift Container Platform 4 - Cluster administrator. But oc auth can-i get pods/log -n default only provides knowledge of whether the user executing it can get the resource by that name, and nothing about accessing logs. Meaning, a user with a ClusterRole that can see pods but is not allowed to view logs still gets to see all logs in Kibana, which is not correct (as both oc logs ... and the OpenShift Container Platform 4 - Console deny access to logs).

      To properly validate this, oc auth can-i get pods --subresource=log would need to be run, as this would tell Elasticsearch whether the user is really allowed to view logs or not.

      Since the behavior between plain OpenShift Container Platform 4 and Kibana is not the same, this exposes problems (even security-related ones), as it grants somebody access to logs they should not have according to the RBAC.

      Version-Release number of selected component (if applicable):

      • OpenShift Container Platform 4
      • OpenShift Container Platform 4 - Cluster Logging 5

      How reproducible:

      • Always

      Steps to Reproduce:

      1. Install OpenShift Container Platform 4 with OpenShift Container Platform 4 - Cluster Logging 5
      2. Create a copy of ClusterRole called cluster-reader and remove pods/log from the newly created ClusterRole
      3. Assign a user the new ClusterRole using {{oc adm policy add-cluster-role-to-user <new-clusterrole> <user>}}

      Actual results:

      $ kubectl auth can-i get pods/log -n project-serverless
      yes
      
      $ kubectl auth can-i get pods --subresource=log -n project-serverless
      no
      
      $ kubectl logs curl-6857dfb9c-mqv5f -n project-serverless
      Error from server (Forbidden): pods "curl-6857dfb9c-mqv5f" is forbidden: User "user1" cannot get resource "pods/log" in API group "" in the namespace "project-serverless"
      

      But in Kibana logs are visible for pod curl-6857dfb9c-mqv5f with the user user1 (in this example).
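      The following is an added example, not code from the LOG-3434 report or from OpenShift Logging. It models what the two kubectl invocations in the description and the reproduction steps actually ask the API server (kubectl splits TYPE/NAME on the first "/", so "pods/log" becomes resource=pods, name=log, while --subresource=log sets the subresource field), and evaluates both requests against a constructed stand-in for the "cluster-reader without pods/log" ClusterRole. The RBAC matching is a simplified reimplementation of the Kubernetes rule semantics written for this example (assumption: it mirrors the real evaluator for the resource, subresource and resourceNames cases used here); the ClusterRole rules and namespace are constructed sample data.

```python
"""Added example for LOG-3434 (not the report's or OpenShift Logging's code).

Shows why `kubectl auth can-i get pods/log` and
`kubectl auth can-i get pods --subresource=log` are different questions, and
why only the second one reflects whether a subject may read pod logs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceAttributes:
    """The resourceAttributes block of a SelfSubjectAccessReview (authorization.k8s.io/v1)."""
    namespace: str
    verb: str
    resource: str
    group: str = ""
    subresource: str = ""
    name: str = ""


def can_i_request(args, namespace, subresource=""):
    """Mimic how `kubectl auth can-i VERB TYPE[/NAME] [--subresource=SUB]` builds its review.

    kubectl splits TYPE/NAME on the first '/', so `pods/log` becomes
    resource=pods, name=log, NOT resource=pods, subresource=log.
    """
    verb, target = args
    resource, _, name = target.partition("/")
    return ResourceAttributes(namespace=namespace, verb=verb, resource=resource,
                              subresource=subresource, name=name)


def to_self_subject_access_review(attrs):
    """Serialise the attributes as the JSON body kubectl POSTs to the API server."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {"resourceAttributes": {k: v for k, v in vars(attrs).items() if v}},
    }


def _resource_matches(rule_resources, attrs):
    # Simplified Kubernetes RBAC matching (assumption, written for this example):
    # a rule listing "pods" matches only requests with an empty subresource;
    # "pods/log", "pods/*", "*/log" or "*" are needed to match the log subresource.
    requested = attrs.resource
    if attrs.subresource:
        requested = f"{attrs.resource}/{attrs.subresource}"
    for r in rule_resources:
        if r == "*" or r == requested:
            return True
        if attrs.subresource and r in (f"*/{attrs.subresource}", f"{attrs.resource}/*"):
            return True
    return False


def rule_allows(rule, attrs):
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])
    names = rule.get("resourceNames", [])
    return (("*" in verbs or attrs.verb in verbs)
            and ("*" in groups or attrs.group in groups)
            and _resource_matches(rule.get("resources", []), attrs)
            and (not names or attrs.name in names))  # no resourceNames => any name


def role_allows(rules, attrs):
    """A PolicyRule list allows the request if any single rule allows it."""
    return any(rule_allows(r, attrs) for r in rules)


# Constructed stand-in for the report's "copy of cluster-reader with pods/log removed".
READER_WITHOUT_LOGS = [
    {"apiGroups": [""], "resources": ["pods", "namespaces"], "verbs": ["get", "list", "watch"]},
]
# Constructed role that also grants the log subresource, as cluster-reader itself does.
READER_WITH_LOGS = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "namespaces"], "verbs": ["get", "list", "watch"]},
]


def check(rules, args, namespace, subresource=""):
    """Return 'yes'/'no' like `kubectl auth can-i` prints."""
    attrs = can_i_request(args, namespace, subresource)
    return "yes" if role_allows(rules, attrs) else "no"


if __name__ == "__main__":
    ns = "project-serverless"  # namespace taken from the report's output
    for label, rules in (("without pods/log", READER_WITHOUT_LOGS), ("with pods/log", READER_WITH_LOGS)):
        print(f"ClusterRole {label}:")
        print("  can-i get pods/log               ->", check(rules, ("get", "pods/log"), ns))
        print("  can-i get pods --subresource=log ->", check(rules, ("get", "pods"), ns, "log"))
```

      Run stand-alone, the script answers "yes" then "no" for the role without pods/log (the same split the report observes) and "yes"/"yes" for the role that grants it. The practical point for any component that gates log access on a SubjectAccessReview: the review must carry subresource "log", because a review with name "log" only tests whether the subject may read a pod object of that name.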

      Expected results:

      $ kubectl auth can-i get pods/log -n project-serverless 
      yes
      
      $ kubectl auth can-i get pods --subresource=log -n project-serverless
      no
      
      $ kubectl logs curl-6857dfb9c-mqv5f -n project-serverless
      Error from server (Forbidden): pods "curl-6857dfb9c-mqv5f" is forbidden: User "user1" cannot get resource "pods/log" in API group "" in the namespace "project-serverless"
      

      Kibana should not show logs for pod curl-6857dfb9c-mqv5f, or for any pod in the namespace, since the command kubectl auth can-i get pods --subresource=log returns no.

      Additional info:

              Assignee: Unassigned
              Reporter: Simon Reber (rhn-support-sreber)