Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-3434

Elasticsearch authorization not working as expected with "auth can-i get pods/log"

    XMLWordPrintable

Details

    • False
    • None
    • False
    • NEW
    • NEW
    • Important

    Description

      Description of problem:

      According to Access Control we are running oc auth can-i get pods/log -n default to validate whether somebody is a OpenShift Container Platform 4 - Cluster administrator. But oc auth can-i get pods/log -n default only provides knowledge whether the user executing it can get the name of the resource but nothing about accessing logs. Meaning, ClusterRole that can see pods but is not allowed to view logs, still gets to see all logs in kibana which is not correct (as both, oc logs ... and OpenShift Container Platform 4 - Console deny access to logs).

      To properly validate this, oc auth can-i get pods --subresource=log would need to be run as this would tell elasticsearch whether the user is really allowed to view logs or rather not.

      Since the behavior between plain OpenShift Container Platform 4 and Kibana is not the same, this is exposing problems (even security related) as it grants somebody access to logs it should not have according to the RBAC.

      Version-Release number of selected component (if applicable):

      • OpenShift Container Platform 4
      • OpenShift Container Platform 4 - Cluster Logging 5

      How reproducible:

      • Always

      Steps to Reproduce:

      1. Install OpenShift Container Platform 4 with OpenShift Container Platform 4 - Cluster Logging 5
      2. Create a copy of ClusterRole called cluster-reader and remove pods/log from the newly created ClusterRole
      3. Assign a user the new ClusterRole using {{oc adm policy add-cluster-role-to-user <new-clusterrole> <user>

      Actual results:

      $ kubectl auth can-i get pods/log -n project-serverless
yes

      $ kubectl auth can-i get pods --subresource=log -n project-serverless
no

      $ kubectl logs curl-6857dfb9c-mqv5f -n project-serverless
Error from server (Forbidden): pods "curl-6857dfb9c-mqv5f" is forbidden: User "user1" cannot get resource "pods/log" in API group "" in the namespace "project-serverless"

      But in Kibana logs are visible for pod curl-6857dfb9c-mqv5f with the user user1 (in this example).

      Expected results:

      $ kubectl auth can-i get pods/log -n project-serverless 
yes

      $ kubectl auth can-i get pods --subresource=log -n project-serverless
no

      $ kubectl logs curl-6857dfb9c-mqv5f -n project-serverless
Error from server (Forbidden): pods "curl-6857dfb9c-mqv5f" is forbidden: User "user1" cannot get resource "pods/log" in API group "" in the namespace "project-serverless"

      Kibana should not show logs for pod curl-6857dfb9c-mqv5f or any of the namespace, the command kubectl auth can-i get pods --subresource=log is returning no.

      Additional info:

      Attachments

        Issue Links

          causes

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OBSDA-296 Better control over access to logs in LokiStack for enterprise environments

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              rhn-support-sreber Simon Reber
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: