Uploaded image for project: 'Network Observability'
  1. Network Observability
  2. NETOBSERV-972

user authentication fails for non-kubeadmin users despite they're in cluster-admin groups

XMLWordPrintable

    • False
    • None
    • False
    • Hide
      Previously, when Network Observability was configured with "spec.loki.authToken" set to "DISABLED", a cluster administrator other than "kubeadmin" was not able to view network flows, getting authorization failure instead.

      Now, cluster adminitrators are able to view network flows as expected.
      Show
      Previously, when Network Observability was configured with "spec.loki.authToken" set to "DISABLED", a cluster administrator other than "kubeadmin" was not able to view network flows, getting authorization failure instead. Now, cluster adminitrators are able to view network flows as expected.
    • NetObserv - Sprint 234, NetObserv - Sprint 235, NetObserv - Sprint 236
    • Critical

      • Create a htpasswd IDP with users such as "testuser-0" etc.
      • Add "testuser-0" to cluster-admin or cluster-admins user group as: 
        oc adm policy add-cluster-role-to-user cluster-admin testuser-0
      • Login using testuser-0
      • Deploy latest Downstream operator and 0-click loki , create flowcollector in netobserv NS with authToken: Disabled.
      • In Web console, navigate to Netflow traffic page, I am seeing queries are Unauthorized when logged in as testuser-0

      I verified users have cluster-admin role bindings, I tried assigning "cluster-admin" and "cluster-admins" role to the testuser-0 and also creating separate group and added testuser to that group and added cluster-admin role to the group but no luck, for e.g.:

      oc adm groups new mylocaladmins
oc adm groups add-users mylocaladmins testuser-0
oc adm policy add-cluster-role-to-group cluster-admin mylocaladmins


      in console plugin logs, I see:

      time="2023-03-31T18:03:55Z" level=debug msg="Checking auth: token found" module=handler.auth
time="2023-03-31T18:03:55Z" level=debug msg="Checking authenticated user" module=handler.auth
time="2023-03-31T18:03:55Z" level=debug msg="Checking auth: token found" module=handler.auth
2023/03/31 18:03:55 http: TLS handshake error from 10.129.0.86:45846: EOF
time="2023-03-31T18:03:55Z" level=debug msg="Checking authenticated user" module=handler.auth
time="2023-03-31T18:03:55Z" level=debug msg="Checking auth: token found" module=handler.auth
time="2023-03-31T18:04:09Z" level=debug msg="Checking authenticated user" module=handler.auth
time="2023-03-31T18:04:09Z" level=debug msg="Checking auth: token found" module=handler.auth
time="2023-03-31T18:04:09Z" level=debug msg="Checking authenticated user" module=handler.auth

        1. image-2023-03-31-14-05-36-430.png
          image-2023-03-31-14-05-36-430.png
          233 kB
        2. image-2023-03-31-14-06-43-099.png
          image-2023-03-31-14-06-43-099.png
          161 kB
        3. screenshot-1.png
          screenshot-1.png
          271 kB

              jtakvori Joel Takvorian
              rhn-support-memodi Mehul Modi
              Mehul Modi Mehul Modi
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: