Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-6892

loki-gateway does not enforce fine-grained authorization on /series endpoint

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • Logging 6.3.0
    • Logging 6.0.5, Logging 6.1.3, Logging 6.2.0, Logging 6.3.0
    • Log Storage
    • 2
    • False
    • Hide

      None

      Show
      None
    • False
    • NEW
    • VERIFIED
    • Hide
      Before this loki-gateway was not enforcing fine-grained authorization on the endpoint "/series" for the tenant "application". Now loki-gateway correctly enforces fine-grained authorization for the "/series" endpoint for "application"
      Show
      Before this loki-gateway was not enforcing fine-grained authorization on the endpoint "/series" for the tenant "application". Now loki-gateway correctly enforces fine-grained authorization for the "/series" endpoint for "application"
    • Bug Fix
    • Log Storage - Sprint 268, Log Storage - Sprint 269, Log Storage - Sprint 270, Log Storage - Sprint 271
    • Important

      Through a Slack discussion we discovered that the current implementation of loki-gateway (observatorium/api) is not correctly enforcing authorization policies on the "/series" endpoint. Allowing to get stream metadata information from any log stream.

      This is happens as the "/series" endpoint uses "match" instead of "query" to filter which series metadata should be returned to the request.

      observatorium/api should fixed to have into consideration this difference and inherently correctly enforce authorization policies.

              jmarcal@redhat.com Joao Marcal
              jmarcal@redhat.com Joao Marcal
              Kabir Bharti
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: