Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-3877

Rules API returns rules for non-owned apps for non-admin user

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Hide
      Before this update, the Loki Rules API exposed rules owned by others non-admin users to any authenticated users caused unauthorized access to those roles and in turn informational disclosure. With this update, the LokiStack gateway exposes only a Rules API for application rules when the user provides the `kubernetes_namespace_name` query parameter resolves the issue.
      Show
      Before this update, the Loki Rules API exposed rules owned by others non-admin users to any authenticated users caused unauthorized access to those roles and in turn informational disclosure. With this update, the LokiStack gateway exposes only a Rules API for application rules when the user provides the `kubernetes_namespace_name` query parameter resolves the issue.
    • Bug Fix
    • Log Storage - Sprint 234, Log Storage - Sprint 235, Log Storage - Sprint 236, Log Storage - Sprint 237, Log Storage - Sprint 238

      Description: Non cluster admin application owner gets response for non-owned app alerting/recording rules when querying for owned rules through LokiRuler API.

      Logs:

      $ oc whoami
testuser-0
$ oc projects
You have one project on this server: "my-app-2".
Using project "my-app-2" on server "https://xxxxxx:6443"
$ curl "https://<lokistack-route>/api/logs/v1/application/loki/api/v1/rules" -H "Authorization: Bearer $(oc whoami -t)" -k | yq -o=yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1638  100  1638    0     0   6799      0 -::- -::- -::-  6796
my-app-1-my-workload-alerts-1-6bcc1113-c27d-4f9f-b109-607c39c28a0c.yaml:
  - name: HighAppLogsToLoki2m
    interval: 2m
    rules:
      - record: loki:operator:applogs:rate2m
        expr: |
          count_over_time({kubernetes_namespace_name="my-app-1"}[2m]) > 10
my-app-1-my-workload-alerts-1-a3e7f839-72bf-410d-b168-66dd791867b0.yaml:
  - name: MyApplication
    interval: 1m
    rules:
      - alert: MyApp1LogVolumeIsHigh
        expr: |
          count_over_time({kubernetes_namespace_name="my-app-1"}[2m]) > 10
        for: 5m
        labels:
          project: my-app-1
          severity: warning
          tenantId: application
        annotations:
          description: My application 1 has high amount of logs.
          summary: Application volume 1 is high.
my-app-2-my-workload-alerts-2-98073eaf-44f5-48ee-a39c-3ca01c525f8b.yaml:
  - name: HighAppLogsToLoki2m
    interval: 2m
    rules:
      - record: loki:operator:applogs:rate2m
        expr: |
          count_over_time({kubernetes_namespace_name="my-app-2"}[2m]) > 10
my-app-2-my-workload-alerts-2-fe6a0f03-f925-4b77-9b8d-8a5f57fc7f5e.yaml:
  - name: MyApplication
    interval: 1m
    rules:
      - alert: MyApplication2LogVolumeIsHigh
        expr: |
          count_over_time({kubernetes_namespace_name="my-app-2"}[2m]) > 10
        for: 5m
        labels:
          project: my-app-2
          severity: warning
          tenantId: application
        annotations:
          description: My application 2 has high amount of logs.
          summary: Application 2 volume is high.

      Version:
      Logging 5.7
      OCP 4.13

      How reproducible: 
      Always

      Setup: Deploy CLO and LO. Forward logs to Loki.

      Steps to Reproduce:
      a) Create application under a project having openshift.io/cluster-monitoring: "true" label.
      b) Create Loki alert and recording rules with non-cluster admin user.
      c) Query for rules using LokiRuler API

      Actual Result: 
      User should be alerting/recording rules that he created for the owned app.

      Expected Result:
      User can see the rules setup non-owned application alerting/recording rules.

              ptsiraki@redhat.com Periklis Tsirakidis
              rhn-support-kbharti Kabir Bharti
              Kabir Bharti Kabir Bharti
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: