- Bug
- Resolution: Done-Errata
- Major
- 4.10.z
Description of problem:
Excessive permissions in web-console impersonating a user
Version-Release number of selected component (if applicable):
4.10.55
How reproducible:
When trying to impersonate a specific user ('99GU8710') in an OCP 4.10.55 cluster, we are able to see pods and logs in the web console, and that user is unable to access these things using the command line.
Steps to Reproduce:
1. Create a user with LDAP (example: new_user).
2. Don't give the user access to check pod logs for openshift-related namespaces (for example: new_user should not be able to see pod logs for openshift-apiserver).
3. Try to impersonate the user (new_user).
4. Try to check openshift-apiserver pod logs through the command line (you will be able to see those).
5. Try to check the same logs from the command line for new_user; you won't be able to see them.
Actual results:
`Impersonate the user` feature doesn't give correct validation
Expected results:
We should not be able to see pod logs if the user does not have permission
Additional info:
- blocks: OCPBUGS-19898 Excessive permissions in web-console impersonating a user (Closed)
- is cloned by: OCPBUGS-19898 Excessive permissions in web-console impersonating a user (Closed)
- links to: RHEA-2023:7198 rpm
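The expected result in this report can be checked against the API server's own authorization answer, which is the baseline the impersonated console view should match. The script below is an added example, not part of the original report or of the product: it runs `oc auth can-i` with `--as` for the `get` verb on the `pods/log` subresource in each namespace given. `new_user` and the namespace names are placeholders, and the account running it is assumed to be logged in and allowed to impersonate users.

```shell
#!/usr/bin/env bash
# Added example: authoritative RBAC answer for "may USER read pod logs in NS?".
# Assumptions: oc is logged in as an account with impersonation rights;
# user and namespace names are supplied by the caller.

# rbac_answer USER NS
# Prints "yes" or "no" as returned by the API server, or "error" when the
# client gave no usable answer (not logged in, impersonation refused, ...).
rbac_answer() {
    local user="$1" ns="$2" out
    # can-i exits non-zero for "no", so do not let that abort the caller.
    out=$(oc auth can-i get pods --subresource=log -n "$ns" --as="$user" 2>/dev/null) || true
    case "$out" in
        yes|no) echo "$out" ;;
        *)      echo "error" ;;
    esac
}

# report_log_access USER NS...
# Prints one tab-separated line per namespace: USER, NS, answer.
# Returns 0 only if every answer is "no", so a "yes" or an "error"
# stands out when the user is supposed to have no access.
report_log_access() {
    local user="$1" rc=0 ns answer
    shift
    for ns in "$@"; do
        answer=$(rbac_answer "$user" "$ns")
        printf '%s\t%s\t%s\n' "$user" "$ns" "$answer"
        [ "$answer" = "no" ] || rc=1
    done
    return "$rc"
}

# Run directly as: ./check.sh new_user openshift-apiserver [more namespaces]
if [ "$#" -ge 2 ]; then
    report_log_access "$@"
fi
```

A namespace reported as `no` here while its pod logs are readable in the impersonated console session is the mismatch this bug describes.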