  1. OpenShift Logging
  2. LOG-4656

403 error on api/prometheus/api/v1/rules request for non-admin user


    • OBSDA-115 - Create alerting rules based on logs
    • NEW
    • Bug Fix

      Description of problem: 403 error on api/prometheus/api/v1/rules for non-admin user.

      Request URL:
      https://console-openshift-console.apps.kbharti-1016b.qe.devcluster.openshift.com/api/prometheus/api/v1/rules

      Response Header

      HTTP/1.1 403 Forbidden
      content-security-policy: sandbox;
      content-type: text/html; charset=utf-8
      date: Mon, 16 Oct 2023 13:36:57 GMT
      referrer-policy: strict-origin-when-cross-origin
      set-cookie: _oauth_proxy=; Path=/; Domain=thanos-querier.openshift-monitoring.svc; Expires=Mon, 16 Oct 2023 12:36:57 GMT; HttpOnly; Secure
      x-content-security-policy: sandbox;
      x-content-type-options: nosniff
      x-dns-prefetch-control: off
      x-frame-options: DENY
      x-xss-protection: 1; mode=block
      transfer-encoding: chunked

      Request Header

      GET /api/prometheus/api/v1/rules HTTP/1.1
      Accept: application/json
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.9
      Connection: keep-alive
      Cookie: openshift-session-token=<hidden>; sat_prevInternalCampaign=; s_ecid=MCMID%7C02647460334146056252143278105176572395; rh_common_id=e34c4c98-cfe6-4c6a-90dd-31e16305708a; ELOQUA=GUID=2281B9416A27440F9884115FB21B7C57; dtm_prevProp=issues.redhat.com%7Cissues.redhat.com%7Cissues.redhat.com%7Cissues.redhat.com%7Cissues.redhat.com; rh_omni_tc=701f2000001Css5AAC; AMCV_945D02BE532957400A490D4C%40AdobeOrg=179643557%7CMCMID%7C02647460334146056252143278105176572395%7CMCAAMLH-1697710299%7C7%7CMCAAMB-1697710299%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1697112699s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.5.0%7CMCIDTS%7C19643; 1e2670d92730b515ce3a1bb65da45062=8a2996680f066b6f71bf84d397bd51eb; login-state=e3913d8e; csrf-token=1RUOl+As3hk+KSgkXfHhUq1Lj2uvaFQXc448laGiAFBUx+Kp8ZuVcnnPpz35XsSTnyjun0vnx1DXmUwYRNeKVA==
      Host: console-openshift-console.apps.kbharti-1016b.qe.devcluster.openshift.com
      Referer: https://console-openshift-console.apps.kbharti-1016b.qe.devcluster.openshift.com/dev-monitoring/ns/my-app/alerts
      Sec-Fetch-Dest: empty
      Sec-Fetch-Mode: cors
      Sec-Fetch-Site: same-origin
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
      X-Cluster: local-cluster
      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
      sec-ch-ua-mobile: ?0
      sec-ch-ua-platform: "macOS"

      Version: Logging 5.8 deployed on OCP 4.14

      How reproducible: Always

      Steps to Reproduce:
      a) Deploy Logging 5.8.0
      b) Forward logs to default Loki
      c) Create a namespace and an app as the regular user testuser-0. Create an AlertingRule as that user.
      d) Add the cluster-monitoring-view and monitoring-rules-edit roles to the regular user
      e) Log in as the regular user and check for the firing alert under Dev-console. The alert can be seen, but there is a 403 on api/prometheus/api/v1/rules

      Actual results: No error on API calls

      Expected results: 403 error on api/prometheus/api/v1/rules request

      Additional info:
      Console Screen attached

            gbernal@redhat.com Gabriel Bernal
            rhn-support-kbharti Kabir Bharti