OpenShift Bugs: OCPBUGS-44130

Azure CredentialsRequest for Machine API Operator may be missing some permissions


    • Quality / Stability / Reliability
    • False
    • Rejected
    • CLOUD Sprint 263, CLOUD Sprint 264, CLOUD Sprint 262, CLOUD Sprint 265
    • 4
    • Done
    • Bug Fix
      * Previously, some permissions required for linked actions were missing. Linked actions create the subresources necessary for other {azure-short} resources that the Machine API and {product-title} require. With this release, the following permissions are added to the Machine API provider for {azure-short}:
      +
      --
      ** `Microsoft.Compute/disks/beginGetAccess/action`
      ** `Microsoft.KeyVault/vaults/deploy/action`
      ** `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
      ** `Microsoft.Network/applicationGateways/backendAddressPools/join/action`
      ** `Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action`
      ** `Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action`
      ** `Microsoft.Network/ddosProtectionPlans/join/action`
      ** `Microsoft.Network/gatewayLoadBalancerAliases/join/action`
      ** `Microsoft.Network/loadBalancers/backendAddressPools/join/action`
      ** `Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action`
      ** `Microsoft.Network/loadBalancers/inboundNatPools/join/action`
      ** `Microsoft.Network/loadBalancers/inboundNatRules/join/action`
      ** `Microsoft.Network/networkInterfaces/join/action`
      ** `Microsoft.Network/networkSecurityGroups/join/action`
      ** `Microsoft.Network/publicIPAddresses/join/action`
      ** `Microsoft.Network/publicIPPrefixes/join/action`
      ** `Microsoft.Network/virtualNetworks/subnets/join/action`
      --
      +
      (link:https://issues.redhat.com/browse/OCPBUGS-44130[OCPBUGS-44130])

      During a review of ARO MiWi permissions, some permissions in the MAPI CredentialsRequest for Azure were found to have linked-action permissions that are missing from the request.

      A linked access check is an action performed by Azure Resource Manager during an incoming request. For example, when you issue a create operation on a network interface (Microsoft.Network/networkInterfaces/write) you specify a subnet in the payload. ARM parses the payload, sees that you are setting a subnet property, and as a result requires the linked access check Microsoft.Network/virtualNetworks/subnets/join/action on the subnet resource referenced by the network interface. If you update a resource but do not include the property in the payload, ARM does not perform that permission check.

      The following permissions were identified as possibly needed in the MAPI CredentialsRequest, because each is specified as a linked action of one of MAPI's existing permissions:

      Microsoft.Compute/disks/beginGetAccess/action
      Microsoft.KeyVault/vaults/deploy/action
      Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
      Microsoft.Network/applicationGateways/backendAddressPools/join/action
      Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action
      Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action
      Microsoft.Network/ddosProtectionPlans/join/action
      Microsoft.Network/gatewayLoadBalancerAliases/join/action
      Microsoft.Network/loadBalancers/backendAddressPools/join/action
      Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
      Microsoft.Network/loadBalancers/inboundNatPools/join/action
      Microsoft.Network/loadBalancers/inboundNatRules/join/action
      Microsoft.Network/networkInterfaces/join/action
      Microsoft.Network/networkSecurityGroups/join/action
      Microsoft.Network/publicIPAddresses/join/action
      Microsoft.Network/publicIPPrefixes/join/action
      Microsoft.Network/virtualNetworks/subnets/join/action
      

      Each permission needs to be validated as to whether it is needed by MAPI through any of its code paths.
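The gap analysis described above, modelled as an added example (not code from this bug report or from the Machine API Operator): ARM's linked access checks are represented as a table of write operation, payload property and the join/assign action it triggers, and the permissions a request needs are diffed against what a CredentialsRequest grants. Only the networkInterfaces/write to subnets/join/action entry comes from the report; the other table entries and the granted set are constructed assumptions that illustrate the method.

```python
from __future__ import annotations

# Constructed table: for a write operation, which payload property causes
# ARM to run which linked access check on the referenced resource.
LINKED_CHECKS: dict[str, dict[str, str]] = {
    "Microsoft.Network/networkInterfaces/write": {
        # From the report: setting a subnet requires subnets/join/action.
        "subnet": "Microsoft.Network/virtualNetworks/subnets/join/action",
        # Assumed entries for other resources a NIC payload can reference.
        "networkSecurityGroup": "Microsoft.Network/networkSecurityGroups/join/action",
        "publicIPAddress": "Microsoft.Network/publicIPAddresses/join/action",
        "loadBalancerBackendAddressPools":
            "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
    },
    "Microsoft.Compute/virtualMachines/write": {
        # Assumed entries for resources a VM payload can reference.
        "networkInterfaces": "Microsoft.Network/networkInterfaces/join/action",
        "userAssignedIdentities":
            "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    },
}


def required_permissions(operation: str, payload: dict) -> set[str]:
    """Permissions ARM checks for one request: the operation itself plus a
    linked action for every mapped property present in the payload.
    A property absent from the payload triggers no check, as the report notes."""
    required = {operation}
    for prop, linked in LINKED_CHECKS.get(operation, {}).items():
        if prop in payload:
            required.add(linked)
    return required


def missing_permissions(granted: set[str], operation: str, payload: dict) -> set[str]:
    """Permissions this request needs that the CredentialsRequest does not grant."""
    return required_permissions(operation, payload) - granted


# Constructed sample: write permissions granted before the fix, with none of
# the join/assign linked actions.
GRANTED_BEFORE_FIX = {
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Compute/virtualMachines/write",
}

if __name__ == "__main__":
    nic = {"subnet": "<subnet-id>", "networkSecurityGroup": "<nsg-id>"}
    op = "Microsoft.Network/networkInterfaces/write"
    for perm in sorted(missing_permissions(GRANTED_BEFORE_FIX, op, nic)):
        print("missing:", perm)
```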

              rh-ee-nbrubake Nolan Brubaker
              tfahlman Taylor Fahlman
              Zhaohua Sun Zhaohua Sun
              Votes: 0
              Watchers: 9