OpenShift Logging: LOG-4530

403 error on rules API when regular user checks for firing alerts


      Sprint: Log Storage - Sprint 242, Log Storage - Sprint 243

      Description
      Getting a 403 Forbidden error when a regular user checks for Alerts on the Dev console

      Request URL
      https://console-openshift-console.apps.kbharti-0918c.qe.devcluster.openshift.com/api/proxy/plugin/logging-view-plugin/backend/api/logs/v1/application/prometheus/api/v1/rules?kubernetes_namespace_name=my-app

      Here testuser-0 owns the my-app namespace and has created an alerting rule for the app running in that namespace. The alert can be seen firing in the Dev console for the cluster-admin user but not for the regular user (testuser-0).

      $ oc projects
      You have one project on this server: "my-app".
      Using project "my-app" on server "https://api.kbharti-0918c.qe.devcluster.openshift.com:6443".
      $ oc get pods
      NAME                   READY   STATUS    RESTARTS   AGE
      centos-logtest-j4ww2   1/1     Running   0          5h11m
      $ oc get alertingrules
      NAME                  AGE
      dev-workload-alerts   5h11m
      

      Steps to reproduce:
      a) Deploy Logging 5.8.0
      b) Forward logs to the default Loki
      c) Create a namespace and an app as the regular user testuser-0. Create an AlertingRule as that user.
      d) Add the cluster-monitoring-view and monitoring-rules-edit roles to the regular user
      e) Log in as cluster-admin and check for alerts in the Dev console. Alerts can be seen.
      f) Log in as the regular user and check for the firing alert in the Dev console. 403 error on the rules API.

      How reproducible: Always

      Actual Result: The regular user gets a 403 Forbidden error in the Dev console

      Expected Result: The regular user should be able to see the firing alert

      Version:
      OCP 4.14, Logging 5.8.0

      AlertingRule.yaml

      apiVersion: loki.grafana.com/v1
      kind: AlertingRule
      metadata:
        labels:
          openshift.io/cluster-monitoring: 'true'
        name: dev-workload-alerts
        namespace: my-app
      spec:
        groups:
          - interval: 1m
            name: devAppAlert
            rules:
              - alert: DevAppLogVolumeIsHigh
                annotations:
                  description: My application has high amount of logs.
                  summary: project "my-app" log volume is high.
                expr: >
                  count_over_time({kubernetes_namespace_name="my-app"}[2m])
                  > 10
                for: 5m
                labels:
                  severity: info
                  devApp: 'true'
        tenantID: application

      RBAC for the regular user. The user can see the logs on the console successfully.

      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: simple-user-application-logs
        namespace: my-app
        uid: e858eb60-6677-4401-919c-ed304b675569
        resourceVersion: '41606'
        creationTimestamp: '2023-09-18T11:02:41Z'
        managedFields:
          - manager: kubectl-create
            operation: Update
            apiVersion: rbac.authorization.k8s.io/v1
            time: '2023-09-18T11:02:41Z'
            fieldsType: FieldsV1
            fieldsV1:
              'f:roleRef': {}
              'f:subjects': {}
      subjects:
        - kind: User
          apiGroup: rbac.authorization.k8s.io
          name: testuser-0
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-logging-application-view
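
      As an added diagnostic example (not part of this issue, and not the Loki gateway's own authorization code), a minimal RBAC evaluator over the RoleBinding above answers what testuser-0 is actually granted in my-app; the rules of cluster-logging-application-view are an assumption reconstructed from the operator manifests and should be confirmed on the cluster:

```python
# Added example (not from the issue): a minimal Kubernetes RBAC evaluator showing
# what the RoleBinding above actually grants testuser-0 in my-app.
# ASSUMPTION: the rules of cluster-logging-application-view are reconstructed from
# the cluster-logging-operator manifests; confirm on a real cluster with
#   oc get clusterrole cluster-logging-application-view -o yaml
#   oc auth can-i get application.loki.grafana.com/logs -n my-app --as testuser-0
CLUSTER_ROLES = {
    "cluster-logging-application-view": [
        {"apiGroups": ["loki.grafana.com"], "resources": ["application"],
         "resourceNames": ["logs"], "verbs": ["get"]},
    ],
}

# The RoleBinding from the issue, reduced to the fields RBAC evaluation uses.
ROLE_BINDINGS = [
    {"namespace": "my-app",
     "subjects": [{"kind": "User", "name": "testuser-0"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-logging-application-view"}},
]

def _matches(allowed, wanted):
    """PolicyRule list fields match exactly or via the '*' wildcard."""
    return "*" in allowed or wanted in allowed

def rule_allows(rule, verb, group, resource, name=""):
    """True if one PolicyRule covers the request; empty resourceNames means any name."""
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names

def can_i(user, verb, group, resource, namespace, name=""):
    """Evaluate RoleBindings for a User subject (no groups or ClusterRoleBindings)."""
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in rb["subjects"]):
            continue
        rules = CLUSTER_ROLES.get(rb["roleRef"]["name"], [])
        if any(rule_allows(r, verb, group, resource, name) for r in rules):
            return True
    return False
```

The binding grants only `get` on application logs inside my-app; any other resource in the loki.grafana.com group, or the same request in another namespace, is denied, which is the first thing to compare against whatever the rules endpoint requires.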

      Screenshot for Dev-console attached.

      Attachments:
        1. Screenshot 2023-09-18 at 9.23.25 PM.png (489 kB, Kabir Bharti)
        2. Screenshot 2023-09-18 at 9.37.03 PM.png (502 kB, Kabir Bharti)
        3. image-2023-10-09-16-48-02-990.png (811 kB, Joao Marcal)
        4. Screenshot 2023-10-16 at 5.05.55 PM.png (394 kB, Kabir Bharti)

      People: Joao Marcal (jmarcal@redhat.com), Kabir Bharti (rhn-support-kbharti)