Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-7415

oauth user:check-access scoped tokens can not be used to check access as intended

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.14.0
    • 4.12
    • oauth-apiserver
    • None
    • Low
    • None
    • Auth - Sprint 232, Auth - Sprint 233, Auth - Sprint 234, Auth - Sprint 235, Auth - Sprint 236, Auth - Sprint 237, Auth - Sprint 238, Auth - Sprint 239, Auth - Sprint 240, Auth - Sprint 241
    • 10
    • False
    • Hide

      None

      Show
      None
    • Hide
      * A `user:check-access` scoped token grants sufficient permissions to send a SelfSubjectAccessReview request. Previously, sufficient permissions to actually perform the access review were not granted, unless the token also had the `user:full` scope or a role scope. With this release, A SelfSubjectAccessReview request is authorized as if it has either the full user's permissions or the permissions of the user's role set on the request in order to be able to perform the access review. (link:https://issues.redhat.com/browse/OCPBUGS-7415[*OCPBUGS-7415*])
      Show
      * A `user:check-access` scoped token grants sufficient permissions to send a SelfSubjectAccessReview request. Previously, sufficient permissions to actually perform the access review were not granted, unless the token also had the `user:full` scope or a role scope. With this release, A SelfSubjectAccessReview request is authorized as if it has either the full user's permissions or the permissions of the user's role set on the request in order to be able to perform the access review. (link: https://issues.redhat.com/browse/OCPBUGS-7415 [* OCPBUGS-7415 *])
    • Bug Fix
    • Done

      Description of problem:

      oauth user:check-access scoped tokens can not be used to check access as intended.  SelfSubjectAccessReviews from such scoped token always report allowed: false, denied: true.  Unless the SelfSubjectAccessReview is checking access for ability to create SelfSubjectAccessReviews.  This does not seem like the intended behavior per documentation.

https://docs.openshift.com/container-platform/4.12/authentication/tokens-scoping.html

oauth user:check-access scoped tokens only have authorization for SelfSubjectAccessReview.  This is as intended.  This seems to be limited by the scopeauthorizor.  However, the authorizor used by SelfSubjectAccessReview includes this filter, meaning the returned response is useless (you can only check-access to SelfSubjectAccessReview itself instead of using the token to check access of RBAC of the parent user the token is scoped from).

https://github.com/openshift/kubernetes/blob/master/openshift-kube-apiserver/authorization/scopeauthorizer/authorizer.go

https://github.com/openshift/kubernetes/blob/master/pkg/registry/authorization/selfsubjectaccessreview/rest.go

       

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Create user:check-access scoped token.  Token must not have user:full scope.  Use the token to do a SelfSubjectAccessReview.

      Steps to Reproduce:

      1. Create user:check-access scoped token.  Must not have user:full scope.
2. Use the token to do a SelfSubjectAccessReview against a resource the parent user has access to.
3. Observe the status response is allowed: false, denied: true.

      Actual results:

      Unable to check user access with a user:check-access scoped token.

      Expected results:

      Ability to check user access with a user:check-access scoped token, without user:full scope which would give the token full access and abilities of the parent user.

      Additional info:

       

              rh-ee-irinis Ilias Rinis
              dunnevan Evan Dunn (Inactive)
              Giriyamma Karagere Ramaswamy Giriyamma Karagere Ramaswamy (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated:
                Resolved: