OpenShift Monitoring / MON-3933

Discrepancy when viewing metrics as a non-cluster-admin user using CLI and GUI


    • Type: Bug
    • Resolution: Not a Bug
    • Console

      1. Created user using IDP htpasswd.

      2. Logged in to the cluster with the test user:

      oc login -u user
      Console URL: https://api.example.com:6443/console
      Authentication required for https://api.example.com:6443 (openshift)
      Username: user
      Password: 
      Login successful.
      You don't have any projects. You can try to create a new project, by running
          oc new-project <projectname>

      3. Created user namespace 'usernamespace' and deployed applications in the user namespace:

      $ oc new-project usernamespace
      Now using project "usernamespace" on server "https://api.example.com:6443".
      $ oc new-app rails-postgresql-example

      4. Tried to curl the prometheus-k8s/thanos-querier route endpoints to query the user namespace application's CPU usage, and got a Forbidden error:

      $ curl -k -H "Authorization: Bearer $(oc whoami -t)" -sG --data-urlencode \
      'query=sum(rate(container_cpu_usage_seconds_total{namespace="hollynamespace"}[5m])) BY (namespace, pod, container)' \
      https://prometheus-k8s-openshift-monitoring.apps.hollytest.ecll.s1.devshift.org/api/v1/query \
      | sed 's/{\"metric\"/\n{\"metric\"/g' \
      | sed 's/\[//g' | sed 's/\]//g' | sed 's/"//g' | sed 's/,$//g' \
      | sed 's/{//g' | sed 's/}//g'
      Forbidden (user=user, verb=get, resource=prometheuses, subresource=api)
      $ curl -k -H "Authorization: Bearer $(oc whoami -t)" -sG --data-urlencode \
      'query=sum(rate(container_cpu_usage_seconds_total{namespace="hollynamespace"}[5m])) BY (namespace, pod, container)' \
      https://thanos-querier-openshift-monitoring.apps.example.com/api/v1/query \
      | sed 's/{\"metric\"/\n{\"metric\"/g' \
      | sed 's/\[//g' | sed 's/\]//g' | sed 's/"//g' | sed 's/,$//g' \
      | sed 's/{//g' | sed 's/}//g'
      Forbidden (user=user, verb=get, resource=prometheuses, subresource=api)

      5. Logged in to the console with the test user and selected the user namespace to view metrics in Observe.
      Entered the same custom query as above and could see the metrics displayed.
      (attached screenshot 'holly GUI view')

      ASK:
      1. The behavior for the same user in CLI and GUI is different for the same query in the same namespace; is it a bug?

      2. As CLI and GUI are accessing different endpoints, what is the difference between them?

      CLI: 
      prometheus-k8s-openshift-monitoring.apps.hollytest.ecll.s1.devshift.org/api/v1/query
      
      GUI:
      https://console-openshift-console.apps.example.com/api/prometheus-tenancy/api/v1/query?namespace=hollynamespace&query=sum%28rate%28container_cpu_usage_seconds_total%7Bnamespace%3D%22hollynamespace%22%7D%5B5m%5D%29%29+BY+%28namespace%2C+pod%2C+container%29
      Request Method:
      GET
      Status Code:
      200 OK
      

              Assignee: Unassigned
              Reporter: Holly Qiao (rhn-support-hqiao)