OpenShift Bugs / OCPBUGS-19898

Excessive permissions in web-console impersonating a user


    • Important



      This is a clone of issue OCPBUGS-14322. The following is the description of the original issue:

      Description of problem:

      Excessive permissions in web-console impersonating a user

      Version-Release number of selected component (if applicable):


      How reproducible:

      When trying to impersonate a specific user ('99GU8710') in an OCP 4.10.55 cluster, we are able to see pods and logs in the web console, and that user is unable to access these things using the command line.

      Steps to Reproduce:

      1. Create a user with LDAP (example: new_user)
      2. Don't give the user access to check pod logs for openshift-related namespaces (for example: new_user should not be able to see pod logs for openshift-apiserver)
      3. Try to impersonate the user (new_user)
      4. Try to check openshift-apiserver pod logs through command line (you will be able to see those)
      5. Try to check the same logs from command line for new_user; you won't be able to see it.


      Actual results:

      The `Impersonate the user` feature doesn't give correct validation

      Expected results:

      We should not be able to see pod logs if the user does not have permission

      Additional info:


            rhn-engineering-rhamilto Robb Hamilton
            openshift-crt-jira-prow OpenShift Prow Bot
            Xiyun Zhao Xiyun Zhao
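
Added example (not part of the original report and not OpenShift code): an offline evaluation of what RBAC should answer for the request in the reproduction steps, `get pods/log` in `openshift-apiserver`, following the Kubernetes RBAC behaviour that a subresource such as `pods/log` must be granted explicitly. The role names, the group name, the bindings and the simplified data layout are constructed assumptions.

```python
# Constructed RBAC data (simplified layout, not real manifest syntax).
ROLES = {
    "pod-viewer": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list", "watch"]}],
    "log-reader": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                    "verbs": ["get", "list"]}],
}
BINDINGS = [
    # namespace=None stands for a cluster-wide binding.
    {"namespace": "openshift-apiserver", "role": "pod-viewer",
     "subjects": {"users": ["new_user"]}},
    {"namespace": None, "role": "log-reader",
     "subjects": {"groups": ["cluster-debuggers"]}},
]


def resource_matches(rule_resources, resource, subresource=""):
    """Match a request against a rule's resources list the way RBAC does."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry == "*" or entry == combined:
            return True
        # "*/log" grants the subresource on every resource type.
        if subresource and entry == f"*/{subresource}":
            return True
    return False  # note: "pods" alone never covers "pods/log"


def rule_allows(rule, verb, api_group, resource, subresource=""):
    return (any(v in ("*", verb) for v in rule["verbs"])
            and any(g in ("*", api_group) for g in rule["apiGroups"])
            and resource_matches(rule["resources"], resource, subresource))


def can_i(user, groups, namespace, verb, resource, subresource="",
          roles=ROLES, bindings=BINDINGS):
    """True if a binding naming the user or one of their groups grants it."""
    for b in bindings:
        if b["namespace"] not in (None, namespace):
            continue
        subj = b["subjects"]
        named = user in subj.get("users", []) or \
            bool(set(groups) & set(subj.get("groups", [])))
        if named and any(rule_allows(r, verb, "", resource, subresource)
                         for r in roles[b["role"]]):
            return True
    return False


if __name__ == "__main__":
    ns = "openshift-apiserver"
    print("new_user get pods     :", can_i("new_user", [], ns, "get", "pods"))
    print("new_user get pods/log :", can_i("new_user", [], ns, "get", "pods", "log"))
```

On a live cluster, `oc auth can-i get pods/log -n openshift-apiserver --as=new_user` asks the API server the same question for the impersonated user.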