Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-3877

Rules API returns rules for non-owned apps for non-admin user

    XMLWordPrintable

Details

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Hide
      Before this update, the Loki Rules API exposed rules owned by others non-admin users to any authenticated users caused unauthorized access to those roles and in turn informational disclosure. With this update, the LokiStack gateway exposes only a Rules API for application rules when the user provides the `kubernetes_namespace_name` query parameter resolves the issue.
      Show
      Before this update, the Loki Rules API exposed rules owned by others non-admin users to any authenticated users caused unauthorized access to those roles and in turn informational disclosure. With this update, the LokiStack gateway exposes only a Rules API for application rules when the user provides the `kubernetes_namespace_name` query parameter resolves the issue.
    • Bug Fix
    • Log Storage - Sprint 234, Log Storage - Sprint 235, Log Storage - Sprint 236, Log Storage - Sprint 237, Log Storage - Sprint 238

    Description

      Description: Non cluster admin application owner gets response for non-owned app alerting/recording rules when querying for owned rules through LokiRuler API.

      Logs:

      $ oc whoami
testuser-0
$ oc projects
You have one project on this server: "my-app-2".
Using project "my-app-2" on server "https://xxxxxx:6443"
$ curl "https://<lokistack-route>/api/logs/v1/application/loki/api/v1/rules" -H "Authorization: Bearer $(oc whoami -t)" -k | yq -o=yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1638  100  1638    0     0   6799      0 -::- -::- -::-  6796
my-app-1-my-workload-alerts-1-6bcc1113-c27d-4f9f-b109-607c39c28a0c.yaml:
  - name: HighAppLogsToLoki2m
    interval: 2m
    rules:
      - record: loki:operator:applogs:rate2m
        expr: |
          count_over_time({kubernetes_namespace_name="my-app-1"}[2m]) > 10
my-app-1-my-workload-alerts-1-a3e7f839-72bf-410d-b168-66dd791867b0.yaml:
  - name: MyApplication
    interval: 1m
    rules:
      - alert: MyApp1LogVolumeIsHigh
        expr: |
          count_over_time({kubernetes_namespace_name="my-app-1"}[2m]) > 10
        for: 5m
        labels:
          project: my-app-1
          severity: warning
          tenantId: application
        annotations:
          description: My application 1 has high amount of logs.
          summary: Application volume 1 is high.
my-app-2-my-workload-alerts-2-98073eaf-44f5-48ee-a39c-3ca01c525f8b.yaml:
  - name: HighAppLogsToLoki2m
    interval: 2m
    rules:
      - record: loki:operator:applogs:rate2m
        expr: |
          count_over_time({kubernetes_namespace_name="my-app-2"}[2m]) > 10
my-app-2-my-workload-alerts-2-fe6a0f03-f925-4b77-9b8d-8a5f57fc7f5e.yaml:
  - name: MyApplication
    interval: 1m
    rules:
      - alert: MyApplication2LogVolumeIsHigh
        expr: |
          count_over_time({kubernetes_namespace_name="my-app-2"}[2m]) > 10
        for: 5m
        labels:
          project: my-app-2
          severity: warning
          tenantId: application
        annotations:
          description: My application 2 has high amount of logs.
          summary: Application 2 volume is high.

      Version:
      Logging 5.7
      OCP 4.13

      How reproducible: 
      Always

      Setup: Deploy CLO and LO. Forward logs to Loki.

      Steps to Reproduce:
      a) Create application under a project having openshift.io/cluster-monitoring: "true" label.
      b) Create Loki alert and recording rules with non-cluster admin user.
      c) Query for rules using LokiRuler API

      Actual Result: 
      User should be alerting/recording rules that he created for the owned app.

      Expected Result:
      User can see the rules setup non-owned application alerting/recording rules.

      Attachments

        Issue Links

          is related to

          Task - Represents a small unit of work that is not end-user facing. LOG-4209 Use Rules API to filter alerts/rules per namespace for application tenant

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • To Do
          links to

          GitHub openshift/loki#154: Update from upstream repository

          GitHub openshift/openshift-tests-private#9390: Automate cases for Loki Log Alerts (Epic: LOG-2688)

          Web Link RHBA-2023:6139 Logging Subsystem 5.8.0 - Red Hat OpenShift

          mentioned on

          GitLab Merge request - Updated US source to: 816f696 Merge pull request #154 from grafana/main

          Activity

            People

              ptsiraki@redhat.com Periklis Tsirakidis
              rhn-support-kbharti Kabir Bharti
              Kabir Bharti Kabir Bharti
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: