Uploaded image for project: 'Network Observability'
  1. Network Observability
  2. NETOBSERV-972

user authentication fails for non-kubeadmin users despite they're in cluster-admin groups

    • False
    • None
    • False
    • Hide
      Previously, when Network Observability was configured with "spec.loki.authToken" set to "DISABLED", a cluster administrator other than "kubeadmin" was not able to view network flows, getting authorization failure instead.

      Now, cluster adminitrators are able to view network flows as expected.
      Show
      Previously, when Network Observability was configured with "spec.loki.authToken" set to "DISABLED", a cluster administrator other than "kubeadmin" was not able to view network flows, getting authorization failure instead. Now, cluster adminitrators are able to view network flows as expected.
    • NetObserv - Sprint 234, NetObserv - Sprint 235, NetObserv - Sprint 236
    • Critical

      • Create a htpasswd IDP with users such as "testuser-0" etc.
      • Add "testuser-0" to cluster-admin or cluster-admins user group as:
        oc adm policy add-cluster-role-to-user cluster-admin testuser-0
        
      • Login using testuser-0
      • Deploy latest Downstream operator and 0-click loki , create flowcollector in netobserv NS with authToken: Disabled.
      • In Web console, navigate to Netflow traffic page, I am seeing queries are Unauthorized when logged in as testuser-0

      I verified users have cluster-admin role bindings, I tried assigning "cluster-admin" and "cluster-admins" role to the testuser-0 and also creating separate group and added testuser to that group and added cluster-admin role to the group but no luck, for e.g.:

      oc adm groups new mylocaladmins
      oc adm groups add-users mylocaladmins testuser-0
      oc adm policy add-cluster-role-to-group cluster-admin mylocaladmins
      


      in console plugin logs, I see:

      time="2023-03-31T18:03:55Z" level=debug msg="Checking auth: token found" module=handler.auth
      time="2023-03-31T18:03:55Z" level=debug msg="Checking authenticated user" module=handler.auth
      time="2023-03-31T18:03:55Z" level=debug msg="Checking auth: token found" module=handler.auth
      2023/03/31 18:03:55 http: TLS handshake error from 10.129.0.86:45846: EOF
      time="2023-03-31T18:03:55Z" level=debug msg="Checking authenticated user" module=handler.auth
      time="2023-03-31T18:03:55Z" level=debug msg="Checking auth: token found" module=handler.auth
      time="2023-03-31T18:04:09Z" level=debug msg="Checking authenticated user" module=handler.auth
      time="2023-03-31T18:04:09Z" level=debug msg="Checking auth: token found" module=handler.auth
      time="2023-03-31T18:04:09Z" level=debug msg="Checking authenticated user" module=handler.auth
      

        1. image-2023-03-31-14-05-36-430.png
          233 kB
          Mehul Modi
        2. image-2023-03-31-14-06-43-099.png
          161 kB
          Mehul Modi
        3. screenshot-1.png
          271 kB
          Mehul Modi

              jtakvori Joel Takvorian
              rhn-support-memodi Mehul Modi
              Mehul Modi Mehul Modi
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: