Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: Logging 5.7.2
Affects Version/s: Logging 5.6.2
Component/s: Log Storage
Labels:
- NeedTestCases
- devel_ack+

Blocked:
False
Blocked Reason:
None
Ready:
False
Docs QE Status:
NEW
QE Status:
NEW
Release Note Text:
Before this update, the lokistack-gateway returns label values regardless the namespace access rights of a user. With this update, the lokistack-gateway applies filters on label values requests resolving the issue.
Release Note Type:
Bug Fix
Git Pull Request:
https://github.com/grafana/loki/pull/8824, https://github.com/grafana/loki/pull/8960, https://github.com/grafana/loki/pull/8961, https://github.com/observatorium/api/pull/481

Sprint:
Log Storage - Sprint 236

SFDC Cases Links:
SFDC Cases Counter:

Description

Description of problem:

With an normal user that have limit access to some application namspaces in OpenShift I can query labels from all Namespaces via loki query endpoint.

Version-Release number of selected component (if applicable):

5.6.2

How reproducible:

Unconfirmed

Steps to Reproduce:

$ oc login --token=****** --server=https://api.example.com:6443
Logged into "https://api.example.com:6443" as "myuser" using the token provided.

You have access to the following projects and can switch between them with 'oc project <projectname>':

project1
project2
...

## User 'myuser' have permission to 16 namespaces
$ oc get projects --no-headers | wc -l
16


## QUERY Data/Labels via Logcli

## logcli login via oc token
$ export LOKI_ADDR=https://logging-loki-openshift-logging.apps.example.com/api/logs/v1/application
$ export LOKI_BEARER_TOKEN=$(oc whoami -t)

## list lables
$ logcli labels
2023/01/05 16:43:57 https://logging-loki-openshift-logging.apps.example.com/api/logs/v1/application/loki/api/v1/labels?end=1672933437341483502&start=1672929837341483502
fluentd_thread
kubernetes_container_name
kubernetes_host
kubernetes_namespace_name
kubernetes_pod_name
log_type
tag

## Get labels
$ logcli labels
2023/02/23 20:02:05 https://logging-loki-openshift-logging.apps.example.com/api/logs/v1/application/loki/api/v1/labels?end=1677178925120970400&start=1677175325120970400
fluentd_thread
kubernetes_container_name
kubernetes_host
kubernetes_namespace_name
kubernetes_pod_name
log_type

## List all namespaces label values from the Cluster
$ logcli labels kubernetes_namespace_name
2023/02/23 20:02:15 https://logging-loki-openshift-logging.apps.example.com/api/logs/v1/application/loki/api/v1/label/kubernetes_namespace_name/values?end=1677178935787035238&start=1677175335787035238

<lists every namespace in cluster>

Expected results:

Loki should not provide all namespaces

Additional info:

Possibly related issue was fixed in a recent version: https://issues.redhat.com/browse/LOG-2880

Attachments

Issue Links

clones

LOG-3728 [release-5.6] User can list labels and label values for all user workload namespaces via Loki Label APIs

Closed

links to

openshift/openshift-docs#60918: OBSDOCS-218 - Logging 5.7.2 Release Notes

Activity

People

Assignee:: Periklis Tsirakidis

Reporter:: Steven Walter

QA Contact:: Anping Li

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023/05/09 7:15 AM

Updated:: 2023/06/22 7:30 PM

Resolved:: 2023/06/12 7:09 PM