Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1696410 - [DOCS] Giving "view" using cluster-monitoring-view to a user grants additional abilities
Summary: [DOCS] Giving "view" using cluster-monitoring-view to a user grants additiona...
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Vikram Goyal
QA Contact: Xiaoli Tian
Vikram Goyal
Depends On:
TreeView+ depends on / blocked
Reported: 2019-04-04 19:33 UTC by Steven Walter
Modified: 2019-04-05 07:02 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

Description Steven Walter 2019-04-04 19:33:59 UTC
Document URL:

Section Number and Name: 
Accessing Prometheus, Alertmanager, and Grafana

Describe the issue: 
Access to Grafana and other monitoring components requires "view" access onall projects, as noted in the sentence:

>>You need to use a role that has read access to all namespaces, such as the cluster-monitoring-view cluster role.

It's not clear in this document that this has additional side effects:
  - The user can now view the names and details of every project
  - The user can now view logs from every project in Kibana

Suggestions for improvement: 
Issue a warning that this role should only be granted to trusted users or admin users as it will grant additional privileges as above

Additional information:

Comment 2 Christian Heidenreich 2019-04-05 06:06:35 UTC
The cluster monitoring capabilities is meant to be used by an infrastructure admin only. We expect any infrastructure admin, as you said, to have those permissions anyways. Who are the users you are giving those permissions?

Note You need to log in before you can comment on or make changes to this bug.