| Summary: | The .all index is displayed for ordinary user without cluster-admin right | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Xia Zhao <xiazhao> | ||||||||||
| Component: | Logging | Assignee: | ewolinet | ||||||||||
| Status: | CLOSED ERRATA | QA Contact: | chunchen <chunchen> | ||||||||||
| Severity: | medium | Docs Contact: | |||||||||||
| Priority: | medium | ||||||||||||
| Version: | 3.3.0 | CC: | aos-bugs, ewolinet, jcantril, tdawson, wsun, xiazhao | ||||||||||
| Target Milestone: | --- | Keywords: | Regression | ||||||||||
| Target Release: | --- | ||||||||||||
| Hardware: | Unspecified | ||||||||||||
| OS: | Unspecified | ||||||||||||
| Whiteboard: | |||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||
| Doc Text: |
Cause:
The OpenShift-Elasticsearch-Plugin did not remove the '.all' Kibana mapping for users that were cluster-admin but then had the role reverted.
Consequence:
If a user was no longer a cluster-admin they would still be able to view the '.all' Kibana mapping. They wouldn't be able to see the logs for projects they didn't have access to, but they would still incorrectly see the mapping.
Fix:
Update the OpenShift-Elasticsearch-Plugin to remove the '.all' Kibana mapping to users that are not cluster-admin.
Result:
Ordinary users are not able to see the '.all' mapping if they are no longer cluster-admins
|
Story Points: | --- | ||||||||||
| Clone Of: | Environment: | ||||||||||||
| Last Closed: | 2016-09-27 09:47:10 UTC | Type: | Bug | ||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||
| Documentation: | --- | CRM: | |||||||||||
| Verified Versions: | Category: | --- | |||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
| Attachments: |
|
||||||||||||
Created attachment 1196691 [details]
es_log
Created attachment 1196692 [details]
kibana_log
Created attachment 1196694 [details]
fluentd_log
Set to verified according to comment #10 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1933 |
Created attachment 1196690 [details] deployer_log