Red Hat OpenStack Services on OpenShift
OSPRH-10081

User has no rights to see Prometheus dashboards even if the rolebinding as in the docs has been given


      IHAC with service telemetry installed.

      • htpasswd identity provider.

      The following roles have been applied to a user:

      • cluster role: cluster-monitoring-view
      • the following custom role:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: promtelemetry
        namespace: <service-telemetry namespace>
      rules:
      - apiGroups:
        - monitoring.rhobs
        resources:
        - prometheuses
        verbs:
        - get

      When the user tries to log in to the Prometheus dashboards, we can see the following in the oauth-proxy container logs of the Prometheus instance:

      2024/07/09 11:13:42 provider.go:671: 200 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~ {"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"viewer","uid":"1d3c1d69-5dcc-42aa-88c6-505d30ee2dde","resourceVersion":"97116314","creationTimestamp":"2023-03-28T05:13:53Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"user.openshift.io/v1","time":"2023-03-28T05:13:53Z","fieldsType":"FieldsV1","fieldsV1":{"f:identities":{}}}]},"identities":["htpasswd:viewer"],"groups":["system:authenticated","system:authenticated:oauth"]}
      2024/07/09 11:13:42 provider.go:671: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews

      {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"service-telemetry","allowed":false,"reason":"RBAC: clusterrole.rbac.authorization.k8s.io \"promtelemetry\" not found"}

      2024/07/09 11:13:42 provider.go:522: Permission denied for viewer@cluster.local for check

      {"group":"monitoring.rhobs","namespace":"service-telemetry","resource":"prometheus","scopes":[],"verb":"get"}

      2024/07/09 11:13:42 oauthproxy.go:657: 10.131.0.1:54740 Permission Denied: user is unauthorized when redeeming token
      2024/07/09 11:13:42 oauthproxy.go:452: ErrorPage 403 Permission Denied Invalid Account

      Permission is denied because, apparently, the role is not found by the Prometheus service account.

      But even if we do:

      oc adm policy add-role-to-user admin system:serviceaccount:service-telemetry:prometheus-stf

      The error is the same.

      Could you please help to see if there's a configuration issue here?

      The oauth proxy is clearly finding the rolebindings of the user, but not the role:

      {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"service-telemetry","allowed":false,"reason":"RBAC: clusterrole.rbac.authorization.k8s.io \"promtelemetry\" not found"}
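As an added illustration (not code from this issue, from STF or from oauth-proxy), a small Python model of how the Kubernetes RBAC authorizer resolves a RoleBinding's roleRef and then matches rules against the SubjectAccessReview seen in the log above. The SAR attributes and the Role are taken from the issue; the RoleBindings and the user name are constructed, since the issue does not show the customer's binding, and the resolver mirrors the real rule that a roleRef of kind ClusterRole is looked up cluster-wide, which yields exactly the "clusterrole ... not found" reason from the log when no such ClusterRole exists.

```python
# Toy re-implementation of the roleRef resolution and rule matching the
# Kubernetes RBAC authorizer performs for a SubjectAccessReview (SAR).
# Simplifications: only '*' wildcards; no subresources, resourceNames or
# aggregated ClusterRoles. The RoleBindings below are constructed for this example.

SAR = {"group": "monitoring.rhobs", "namespace": "service-telemetry",
       "resource": "prometheus", "verb": "get"}  # the check from the oauth-proxy log

# The namespaced Role from the issue, keyed by (namespace, name).
ROLES = {("service-telemetry", "promtelemetry"): {"rules": [
    {"apiGroups": ["monitoring.rhobs"], "resources": ["prometheuses"], "verbs": ["get"]}]}}
CLUSTER_ROLES = {}  # no ClusterRole named promtelemetry exists

def binding(role_kind):
    # Constructed RoleBinding for user 'viewer'; only roleRef.kind varies between runs.
    return {"namespace": "service-telemetry", "subjects": ["viewer"],
            "roleRef": {"kind": role_kind, "name": "promtelemetry"}}

def resolve_role_ref(ref, namespace):
    """Return (role, reason). roleRef.kind decides whether the binding's namespace
    is searched for a Role or the whole cluster is searched for a ClusterRole."""
    if ref["kind"] == "ClusterRole":
        role, kind_msg = CLUSTER_ROLES.get(ref["name"]), "clusterrole"
    else:
        role, kind_msg = ROLES.get((namespace, ref["name"])), "role"
    if role is None:
        return None, f'RBAC: {kind_msg}.rbac.authorization.k8s.io "{ref["name"]}" not found'
    return role, ""

def rule_allows(rule, sar):
    # Literal string comparison plus '*', as in the real authorizer.
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["apiGroups"], sar["group"]) and hit(rule["resources"], sar["resource"])
            and hit(rule["verbs"], sar["verb"]))

def evaluate(sar, user, bindings):
    """Mimic the SAR response: 'allowed' plus the reason an unresolved roleRef yields."""
    reasons = []
    for b in bindings:
        if b["namespace"] != sar["namespace"] or user not in b["subjects"]:
            continue
        role, reason = resolve_role_ref(b["roleRef"], b["namespace"])
        if role is None:
            reasons.append(reason)
            continue
        if any(rule_allows(r, sar) for r in role["rules"]):
            return {"allowed": True, "reason": ""}
    return {"allowed": False, "reason": "; ".join(reasons)}
```

Because matching is literal, running `evaluate` with a binding of kind Role also shows that the resource string in the SAR has to appear verbatim in the role's rules for the check to pass.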

              csibbitt-rh Chris Sibbitt
              rhn-support-gparente German Parente
              rhos-dfg-cloudops