OCPBUGS-14322

Excessive permissions in web-console impersonating a user


Details

    • Important
    • No
    • False
      * Previously, the console was granting permission to impersonating users who did not have permission to view logs when impersonating. With this update, impersonation access to logs is correctly applied. (link:https://issues.redhat.com/browse/OCPBUGS-14322[*OCPBUGS-14322*])
    • Bug Fix
    • Done

    Description

      Description of problem:

      Excessive permissions in web-console impersonating a user

      Version-Release number of selected component (if applicable):

      4.10.55

      How reproducible:

       When trying to impersonate a specific user ('99GU8710') in an OCP 4.10.55 cluster, we are able to see pods and logs in the web console, and that user is unable to access these things using the command line.

      Steps to Reproduce:

      1. Create a user with LDAP (example: new_user)
      2. Don't give the user access to check pod logs for OpenShift-related namespaces (for example: new_user should not be able to see pod logs for openshift-apiserver)
      3. Try to impersonate the user (new_user)
      4. Try to check openshift-apiserver pod logs through the command line (you will be able to see those)
      5. Try to check the same logs from the command line for new_user; you won't be able to see them.

       

      Actual results:

      The `Impersonate the user` feature doesn't give correct validation.

      Expected results:

      We should not be able to see pod logs if the user does not have permission.

      Additional info:

       


            People

              rhn-engineering-rhamilto Robb Hamilton
              rhn-support-vismishr Vishvranjan Mishra
              Xiyun Zhao Xiyun Zhao
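
A command-line check of the expected result, as an added example that is not part of the original report or the console's code: it asks the API server whether RBAC lets the user read pod logs, then tries to read them while impersonating that user, and flags a disagreement. It assumes `oc` is logged in as an account allowed to impersonate; the function names are hypothetical, and `new_user` and `openshift-apiserver` are the names used in the steps above.

```shell
#!/bin/sh
# Added example; assumes `oc` is logged in with rights to impersonate users.

# Echo "yes" or "no": does RBAC allow USER to read pod logs in NAMESPACE?
rbac_allows_logs() {
  local user="$1" ns="$2"
  if oc auth can-i get pods --subresource=log -n "$ns" --as="$user" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Echo "yes", "no" or "unknown": can logs be read while impersonating USER?
logs_readable_as() {
  local user="$1" ns="$2" pod
  # The pod name is looked up with the caller's own identity.
  pod=$(oc get pods -n "$ns" -o name 2>/dev/null | head -n 1)
  [ -n "$pod" ] || { echo unknown; return; }
  # --all-containers avoids a failure on pods with more than one container.
  if oc logs "$pod" -n "$ns" --all-containers --tail=1 --as="$user" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Return 1 when logs are readable although RBAC says "no": the same
# inconsistency the report describes, observed at the API instead of the console.
check_impersonated_log_access() {
  local user="$1" ns="$2" allowed readable
  allowed=$(rbac_allows_logs "$user" "$ns")
  readable=$(logs_readable_as "$user" "$ns")
  echo "user=$user ns=$ns rbac=$allowed readable=$readable"
  if [ "$allowed" = no ] && [ "$readable" = yes ]; then
    return 1
  fi
  return 0
}

# Usage: check_impersonated_log_access new_user openshift-apiserver
```

The `rbac=` value is the answer the web console should also give when impersonating the same user.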