Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.15.0
Affects Version/s: 4.10.z
Component/s: Management Console
Labels:
- IMPERSO
- OPENSHIFT
- UI
- WebConsole
- cee.neXT

Test Coverage:

+
Severity:
Important
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, the console was granting permission to impersonating users who did not have permission to view logs when impersonating. With this update, impersonation access to logs is correctly applied. (link:https://issues.redhat.com/browse/OCPBUGS-14322[*~~OCPBUGS-14322~~*)

Show
* Previously, the console was granting permission to impersonating users who did not have permission to view logs when impersonating. With this update, impersonation access to logs is correctly applied. (link: https://issues.redhat.com/browse/OCPBUGS-14322 [* OCPBUGS-14322 *)
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.15.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:

Description of problem:

Excessive permissions in web-console impersonating a user

Version-Release number of selected component (if applicable):

4.10.55

How reproducible:

 when trying to impersonate a specific user ('99GU8710') in an OCP 4.10.55 cluster, we are able to see pods and logs in web console and that user is unable to access these things using the command line.

Steps to Reproduce:

1. Create a user with LDAP (example: new_user)
2. Don't give user access to check pod logs for openhshift related namespaces ( For example: new_user should not be able to see pod logs for openhsift-apiserver)
3. Try to impersonate the user (new_user)
4. Try to check openshift-apiserver pod logs through command line( you will be able to see those)
5. Try to check the same logs from command line for new_user , you won't be able to see it.

Actual results:

`Impersonate the user` feature doesn't give correct validation

Expected results:

We should not be able to see pod logs if user does not have permission

Additional info:

blocks

OCPBUGS-19898 Excessive permissions in web-console impersonating a user

Closed

is cloned by

OCPBUGS-19898 Excessive permissions in web-console impersonating a user

Closed

links to

openshift/console#13196: OCPBUGS-14322: fix ResourceLog permissions when impersonating

RHEA-2023:7198 rpm

Assignee:: Robb Hamilton

Reporter:: Vishvranjan Mishra

QA Contact:: Xiyun Zhao

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Created:: 2023/05/31 8:43 AM

Updated:: 2024/05/07 1:50 PM

Resolved:: 2024/02/27 8:58 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates