Bug
Resolution: Unresolved
Normal
Logging 5.8.0
NEW
OBSDA-115 - Create alerting rules based on logs
NEW
Bug Fix
Description of problem: 403 error on api/prometheus/api/v1/rules for non-admin user.
Request URL:
https://console-openshift-console.apps.kbharti-1016b.qe.devcluster.openshift.com/api/prometheus/api/v1/rules
Response Header
HTTP/1.1 403 Forbidden
content-security-policy: sandbox;
content-type: text/html; charset=utf-8
date: Mon, 16 Oct 2023 13:36:57 GMT
referrer-policy: strict-origin-when-cross-origin
set-cookie: _oauth_proxy=; Path=/; Domain=thanos-querier.openshift-monitoring.svc; Expires=Mon, 16 Oct 2023 12:36:57 GMT; HttpOnly; Secure
x-content-security-policy: sandbox;
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-frame-options: DENY
x-xss-protection: 1; mode=block
transfer-encoding: chunked
Request Header
GET /api/prometheus/api/v1/rules HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: openshift-session-token=<hidden>; sat_prevInternalCampaign=; s_ecid=MCMID%7C02647460334146056252143278105176572395; rh_common_id=e34c4c98-cfe6-4c6a-90dd-31e16305708a; ELOQUA=GUID=2281B9416A27440F9884115FB21B7C57; dtm_prevProp=issues.redhat.com%7Cissues.redhat.com%7Cissues.redhat.com%7Cissues.redhat.com%7Cissues.redhat.com; rh_omni_tc=701f2000001Css5AAC; AMCV_945D02BE532957400A490D4C%40AdobeOrg=179643557%7CMCMID%7C02647460334146056252143278105176572395%7CMCAAMLH-1697710299%7C7%7CMCAAMB-1697710299%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1697112699s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.5.0%7CMCIDTS%7C19643; 1e2670d92730b515ce3a1bb65da45062=8a2996680f066b6f71bf84d397bd51eb; login-state=e3913d8e; csrf-token=1RUOl+As3hk+KSgkXfHhUq1Lj2uvaFQXc448laGiAFBUx+Kp8ZuVcnnPpz35XsSTnyjun0vnx1DXmUwYRNeKVA==
Host: console-openshift-console.apps.kbharti-1016b.qe.devcluster.openshift.com
Referer: https://console-openshift-console.apps.kbharti-1016b.qe.devcluster.openshift.com/dev-monitoring/ns/my-app/alerts
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
X-Cluster: local-cluster
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Version: Logging 5.8 deployed on OCP 4.14
How reproducible: Always
Steps to Reproduce:
a) Deploy Logging 5.8.0
b) Forward logs to default Loki
c) Create a namespace and an app as the regular user testuser-0. Create an AlertingRule as that user.
d) Add the cluster-monitoring-view and monitoring-rules-edit roles to the regular user
e) Log in as the regular user and check for the firing alert under Dev-console. The alert can be seen, but there is a 403 under api/prometheus/api/v1/rules
Actual results: No error on API calls
Expected results: 403 error on api/prometheus/api/v1/rules request
Additional info:
Console Screen attached