Description of problem: anonymous browser should get a 403 from /, getting 200 instead.
Reproduce: curl --insecure https://api..../
Additional info: Happens in 4.1->4.2->4.3->4.4 upgrade. https://search.svc.ci.openshift.org/?search=anonymous+browsers+should+get+a+403+from&maxAge=48h&context=2&type=bug%2Bjunit
Related test failure: [It] [Top Level] [Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel] /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:163
STEP: should only allow the system:authenticated group to access certain policy rules
STEP: should only allow the system:unauthenticated group to access certain policy rules
Apr 7 06:36:18.550: FAIL: system:unauthenticated has extra permissions in namespace "":
*** Bug 1821954 has been marked as a duplicate of this bug. ***
This is by design of rbac reconciliation, and the switch to authenticated / and discovery endpoints. This is certainly no regression of 4.4 and therefore doubtfully a blocker.
Moving back to 4.5, with backports, and priority high.
Can I get an update on the progress of this bug? The fix needs to be backported to 4.4 to unblock upgrades.
In my testing I found that this issue is present in the 4.1->4.2 upgrade as well. I put up a PR that could potentially resolve the issue. Will work with Stefan and Standa to refine the PR and merge it.
This bug is actively worked on.
I will revisit this after finishing up my current tasks.
I am planning to resume the work in this sprint.
I am working on other high priority items. I will get to this bug next sprint.
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.
This bug had an update from the assignee less than 30 days ago, so the bot shouldn't have taken action. Michal is looking into it. Setting the priority back for now.
Closing this issue. The issue as such is not reproduced in CI in the latest runs. Whatever failures are present in CI search are due to network or I/O issues.
Pretty sure this isn't showing up because we disabled the test. Do you have evidence the test has actually passed in recent CI runs?
Not to mention it should be very easy to test the actual behavior to see if it is correct: anonymous browser should get a 403 from /, getting 200 instead. Is it?
(The behavior only happens when you start from a 4.1 cluster and upgrade through to 4.5 or so; I don't think it happens if you just install a 4.5 cluster fresh.)
The LifecycleStale keyword was removed because the bug got commented on recently. The bug assignee was notified.
Re-opening the issue as this is still an issue.
How can we fix the unit tests? Can we exclude clusters that come from 4.1?
I am not sure how to do that. Let's check with Ben to see if it is possible. @Ben, Is it possible to exclude this test for clusters upgraded from 4.1? Please let us know if we have to talk to someone else regarding this.
Not that I'm aware of, unless the test itself can determine the provenance of the cluster and then just make its own choice to pass the test (I'm not sure if there's anything in the cluster itself that indicates what version the cluster started out as?).
I think the cluster version resource contains the upgrade history. Maybe we could use that in the test.
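An added example, not code from the bug thread or from the openshift/origin test suite, covering the two points raised above: reading the ClusterVersion upgrade history to tell whether a cluster was first installed as 4.1 (the case in which this behaviour is expected), and checking that an anonymous GET to the API server root returns 403 rather than 200. The ClusterVersion document is a constructed sample, and the API URL is whatever the reader passes on the command line.

```python
"""Two checks for this bug: (1) did this cluster start life as 4.1?
(2) does an unauthenticated GET / return 403 as intended?"""
import json
import ssl
import sys
import urllib.error
import urllib.request

# Constructed sample of `oc get clusterversion version -o json`, trimmed to
# the fields used here; not output from a real cluster.
SAMPLE_CLUSTERVERSION = json.loads("""
{"status": {"history": [
  {"version": "4.4.3",  "state": "Completed", "startedTime": "2020-04-07T05:00:00Z"},
  {"version": "4.3.8",  "state": "Completed", "startedTime": "2020-04-06T05:00:00Z"},
  {"version": "4.2.20", "state": "Completed", "startedTime": "2020-04-05T05:00:00Z"},
  {"version": "4.1.41", "state": "Completed", "startedTime": "2020-04-04T05:00:00Z"}
]}}
""")


def initial_version(clusterversion):
    """Return (major, minor) of the earliest Completed entry in status.history,
    i.e. the version the cluster was originally installed as. Entries are
    ordered by startedTime rather than trusting the list order."""
    history = clusterversion.get("status", {}).get("history", [])
    completed = [h for h in history if h.get("state") == "Completed"]
    if not completed:
        return None
    first = min(completed, key=lambda h: h["startedTime"])
    major, minor = first["version"].split(".")[:2]
    return int(major), int(minor)


def upgraded_from_41(clusterversion):
    """True when the cluster was installed as 4.1 and upgraded since, the
    provenance the thread suggests the test could use to decide what to expect."""
    return initial_version(clusterversion) == (4, 1)


def anonymous_root_ok(status_code):
    """Intended behaviour: an unauthenticated GET / is forbidden (403)."""
    return status_code == 403


def probe_anonymous_root(api_url, timeout=10):
    """GET api_url with no credentials, skipping TLS verification to mirror the
    `curl --insecure` reproducer from the bug; returns the HTTP status code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(api_url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    code = probe_anonymous_root(sys.argv[1])
    print(code, "OK" if anonymous_root_ok(code) else "UNEXPECTED, wanted 403")
```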
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196