Bug 1200841
| Summary: | pod log could not be printed out when running "osc log" after user log into project | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Johnny Liu <jialiu> |
| Component: | Logging | Assignee: | Jhon Honce <jhonce> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.0.0 | CC: | bleanhar, dmcphers, jliggitt, jokerman, libra-onpremise-devel, lmeyer, mmccomas |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-09-08 17:35:42 UTC | Type: | Bug |
Pod logs go through the /proxy endpoint, which gives direct, unnamespaced access to nodes. For that reason, it requires cluster-admin-level access. Project admins do not currently have access. There is ongoing work to provide access to pod logs in a namespace-controlled way so that project admins can have this permission.

(In reply to Jordan Liggitt from comment #1)
> There is ongoing work to provide access to pod logs in a
> namespace-controlled way so that project admins can have this permission.

Should it just be project admins by default? Would expect other roles to need this too, and while admins can always modify policy... seems to me it ought to match expectations as best as possible by default. I think I would even expect "view" roles to see logs.

Non-cluster admins should be able to access logs as of beta3.

According to https://bugzilla.redhat.com/show_bug.cgi?id=1217834#c3, move this bug to verified.

Closing this as part of a bulk update/cleanup of multiple bugs that were VERIFIED before OSE 3.0 GA but were left open and haven't been updated since. If this bug was meant to stay open for some reason please reopen.
Description of problem:
Create a new project, then log into this project as "joe" user, then run "osc log pod name"

```
[jialiu@jialiu-pc1 beta2]$ echo $KUBECONFIG
/home/jialiu/.kube/kubeconfig-joe-wiring
[jialiu@jialiu-pc1 beta2]$ cat /home/jialiu/.kube/kubeconfig-joe-wiring
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /var/lib/openshift/openshift.local.certificates/ca/root.crt
    server: https://10.66.79.111:8443
  name: 10.66.79.111:8443
contexts:
- context:
    cluster: 10.66.79.111:8443
    namespace: wiring
    user: joe
  name: 10.66.79.111:8443-joe
current-context: 10.66.79.111:8443-joe
kind: Config
preferences: {}
users:
- name: joe
  user:
    token: OTY5NTYxMDctZmY4NC00NzhjLWEyNWMtNWIxMTdiZDRjYzlj
[jialiu@jialiu-pc1 beta2]$ osc log frontend-1-m68gl
Forbidden: "/api/v1beta1/proxy/minions/jialiu-node1/containerLogs/wiring/frontend-1-m68gl/ruby-helloworld?follow=false" denied by default
```

Version-Release number of selected component (if applicable):
openshift-0.4-0.git.43.e57c9a8.el7ose.x86_64

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
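The "denied by default" result follows from how the request is scoped, as the first comment explains. The sketch below is an added example, not OpenShift's code: a simplified default-deny authorizer in which the `Rule` and `Attrs` types, the resource names and the namespaced log path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified grant (hypothetical model); Namespace "" = cluster-wide.
type Rule struct{ Namespace, Resource, Verb string }

// Attrs is what the authorizer evaluates for one request.
type Attrs struct{ Namespace, Resource, Verb string }

// ParseRequest derives authorization attributes from a GET path.
func ParseRequest(path string) Attrs {
	p := strings.Split(strings.Trim(strings.SplitN(path, "?", 2)[0], "/"), "/")
	// Node proxy form from the bug report: the target is the node itself, so the
	// request is cluster-scoped. "wiring" later in the path is only payload
	// forwarded to the node and must not be treated as the API namespace.
	if len(p) >= 5 && p[2] == "proxy" && p[3] == "minions" {
		return Attrs{"", "minions/proxy", "get"}
	}
	// Assumed namespaced form: /api/<version>/namespaces/<ns>/pods/<pod>/log
	if len(p) == 7 && p[2] == "namespaces" && p[4] == "pods" && p[6] == "log" {
		return Attrs{p[3], "pods/log", "get"}
	}
	return Attrs{"", "unknown", "get"}
}

// Allowed is default-deny: a rule matches only on the same resource and verb,
// and a namespaced rule never matches a cluster-scoped request.
func Allowed(rules []Rule, a Attrs) bool {
	for _, r := range rules {
		if r.Resource == a.Resource && r.Verb == a.Verb &&
			(r.Namespace == "" || r.Namespace == a.Namespace) {
			return true
		}
	}
	return false
}

func main() {
	joe := []Rule{{"wiring", "pods/log", "get"}} // constructed project-scoped grant
	for _, path := range []string{
		"/api/v1beta1/proxy/minions/jialiu-node1/containerLogs/wiring/frontend-1-m68gl/ruby-helloworld?follow=false",
		"/api/v1beta1/namespaces/wiring/pods/frontend-1-m68gl/log", // assumed path
	} {
		a := ParseRequest(path)
		fmt.Printf("allowed=%v ns=%q resource=%s\n", Allowed(joe, a), a.Namespace, a.Resource)
	}
}
```

In this model no project-level grant can ever authorize the proxy path, which is why the log request has to be exposed as a namespaced resource before project roles can be given it.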