Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: 4.14.0
Affects Version/s: 4.12
Component/s: oauth-apiserver
Labels:
None

Severity:
Low
Sprint:
Auth - Sprint 232, Auth - Sprint 233, Auth - Sprint 234, Auth - Sprint 235, Auth - Sprint 236, Auth - Sprint 237, Auth - Sprint 238, Auth - Sprint 239, Auth - Sprint 240, Auth - Sprint 241
sprint_count:
10
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* A `user:check-access` scoped token grants sufficient permissions to send a SelfSubjectAccessReview request. Previously, sufficient permissions to actually perform the access review were not granted, unless the token also had the `user:full` scope or a role scope. With this release, A SelfSubjectAccessReview request is authorized as if it has either the full user's permissions or the permissions of the user's role set on the request in order to be able to perform the access review. (link:https://issues.redhat.com/browse/OCPBUGS-7415[*~~OCPBUGS-7415~~*])

Show
* A `user:check-access` scoped token grants sufficient permissions to send a SelfSubjectAccessReview request. Previously, sufficient permissions to actually perform the access review were not granted, unless the token also had the `user:full` scope or a role scope. With this release, A SelfSubjectAccessReview request is authorized as if it has either the full user's permissions or the permissions of the user's role set on the request in order to be able to perform the access review. (link: https://issues.redhat.com/browse/OCPBUGS-7415 [* OCPBUGS-7415 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

oauth user:check-access scoped tokens can not be used to check access as intended.  SelfSubjectAccessReviews from such scoped token always report allowed: false, denied: true.  Unless the SelfSubjectAccessReview is checking access for ability to create SelfSubjectAccessReviews.  This does not seem like the intended behavior per documentation.

https://docs.openshift.com/container-platform/4.12/authentication/tokens-scoping.html

oauth user:check-access scoped tokens only have authorization for SelfSubjectAccessReview.  This is as intended.  This seems to be limited by the scopeauthorizor.  However, the authorizor used by SelfSubjectAccessReview includes this filter, meaning the returned response is useless (you can only check-access to SelfSubjectAccessReview itself instead of using the token to check access of RBAC of the parent user the token is scoped from).

https://github.com/openshift/kubernetes/blob/master/openshift-kube-apiserver/authorization/scopeauthorizer/authorizer.go

https://github.com/openshift/kubernetes/blob/master/pkg/registry/authorization/selfsubjectaccessreview/rest.go

Version-Release number of selected component (if applicable):

How reproducible:

Create user:check-access scoped token.  Token must not have user:full scope.  Use the token to do a SelfSubjectAccessReview.

Steps to Reproduce:

1. Create user:check-access scoped token.  Must not have user:full scope.
2. Use the token to do a SelfSubjectAccessReview against a resource the parent user has access to.
3. Observe the status response is allowed: false, denied: true.

Actual results:

Unable to check user access with a user:check-access scoped token.

Expected results:

Ability to check user access with a user:check-access scoped token, without user:full scope which would give the token full access and abilities of the parent user.

Additional info:

Attachments

Issue Links

links to

openshift/kubernetes#1493: OCPBUGS-7415: grant user:full scope to self-SARs

RHSA-2023:5006 OpenShift Container Platform 4.14.z security update

Activity

People

Assignee:: Ilias Rinis

Reporter:: Evan Dunn (Inactive)

QA Contact:: Giriyamma Karagere Ramaswamy (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: 2023/02/13 6:02 PM

Updated:: 2023/10/31 1:41 PM

Resolved:: 2023/10/31 1:41 PM