Bug 1373611

Summary: admin user/cert does not have access to _cat ES endpoints
Product: OpenShift Container Platform Reporter: Luke Meyer <lmeyer>
Component: LoggingAssignee: Luke Meyer <lmeyer>
Status: CLOSED DUPLICATE QA Contact: Xia Zhao <xiazhao>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 3.2.0CC: aos-bugs, erich, lmeyer, misalunk, rmeggins, stwalter
Target Milestone: ---   
Target Release: 3.2.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-11 18:49:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1391803    
Bug Blocks:    

Description Luke Meyer 2016-09-06 17:38:13 UTC 
Description of problem:
The admin user authorized by the admin key/cert is supposed to have access to everything in our Elasticsearch, but doesn't. It seems to be a permissions error.

Steps to Reproduce:
1. Deploy logging solution
2. Find an ES pod from the deployment, for example below "logging-es-uhwvmy8x-1-gszqu"
3. Attempt to request various _cat endpoints (https://www.elastic.co/guide/en/elasticsearch/reference/1.5/cat.html), for example:
$ oc exec logging-es-uhwvmy8x-1-gszqu -- curl --key /etc/elasticsearch/keys/admin-key --cert /etc/elasticsearch/keys/admin-cert   --cacert /etc/elasticsearch/keys/admin-ca -XGET "https://localhost:9200/_cat/indices?v"

Actual results:
{"error":"RuntimeException[java.lang.NullPointerException]; nested: NullPointerException; ","status":500}

In ES logs:
[2016-09-03 07:38:57,866][ERROR][com.floragunn.searchguard.filter.SearchGuardActionFilter] Error while apply() due to java.lang.NullPointerException for action indices:monitor/stats
java.lang.NullPointerException
        at java.util.Objects.requireNonNull(Objects.java:203)
        at java.util.Arrays$ArrayList.<init>(Arrays.java:3813)
        at java.util.Arrays.asList(Arrays.java:3800)
        at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply0(SearchGuardActionFilter.java:191)
[...]
Comment 4 Luke Meyer 2016-09-12 13:47:09 UTC 
Similar problems were reported in https://github.com/openshift/origin-aggregated-logging/issues/59
Comment 5 Luke Meyer 2016-09-12 14:23:36 UTC 
We expect this to be fixed with OSE 3.4. It's not clear the level of effort to patch for this in previous versions - would be a patch for Search Guard.
Comment 17 Miheer Salunke 2016-10-03 12:36:11 UTC 
Their openshift version version is 3.1.0

the elasticsearch image stream reference is           image: 'registry.access.redhat.com/openshift3/logging-elasticsearch:3.1.1' , is this the right version ?
Comment 18 Luke Meyer 2016-10-04 21:23:05 UTC 
3.1.1-9+ should have the fix to accept the admin cert. It's a little hard to tell which release a system has - there are multiple releases for some versions and you basically have to compare the image hash. What is the image hash for this image according to docker images?

Have them try 
  oc import-image logging-elasticsearch:3.1.1
...before going for the full upgrade.
Comment 21 Luke Meyer 2016-10-14 19:16:36 UTC 
I'm waiting to learn if updating the 3.1.1 image solved this.
Comment 26 Xia Zhao 2016-10-26 06:28:28 UTC 
Verification work blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1388753
Comment 27 Xia Zhao 2016-11-02 06:36:28 UTC 
Verification work blocked by new test blocker https://bugzilla.redhat.com/show_bug.cgi?id=1390854
Comment 28 Xia Zhao 2016-11-03 03:52:46 UTC 
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1391318
Comment 29 Xia Zhao 2016-11-04 08:09:03 UTC 
Possibly blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1391803, I'm confirming it there.
Comment 30 Xia Zhao 2016-11-04 08:15:59 UTC 
@Luke

Should I test this with curl ES from kibana? 

Because when I do 

# oc exec logging-es-e1bxs3th-1-htc5i -- curl --key /etc/elasticsearch/keys/admin-key --cert /etc/elasticsearch/keys/admin-cert   --cacert /etc/elasticsearch/keys/admin-ca -XGET "https://localhost:9200/_cat/indices?v"

I got these error:
curl: (77) Problem with the SSL CA cert (path? access rights?)

since directory /etc/elasticsearch/keys/ did not actually exist inside ES pod.
Comment 31 Xia Zhao 2016-11-08 06:19:00 UTC 
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1391803
Comment 32 Xia Zhao 2016-11-08 08:06:22 UTC 
Hi Luke,

Could you please help to take a look at my question in comment #30? 

Thanks,
Xia
Comment 33 Rich Megginson 2016-11-08 21:43:49 UTC 
(In reply to Xia Zhao from comment #30)
> @Luke
> 
> Should I test this with curl ES from kibana? 
> 
> Because when I do 
> 
> # oc exec logging-es-e1bxs3th-1-htc5i -- curl --key
> /etc/elasticsearch/keys/admin-key --cert /etc/elasticsearch/keys/admin-cert 
> --cacert /etc/elasticsearch/keys/admin-ca -XGET
> "https://localhost:9200/_cat/indices?v"
> 
> I got these error:
> curl: (77) Problem with the SSL CA cert (path? access rights?)
> 
> since directory /etc/elasticsearch/keys/ did not actually exist inside ES
> pod.

Right - it's /etc/elasticsearch/secret
Comment 34 Luke Meyer 2016-11-09 16:56:45 UTC 
I'm not sure if the kibana user has access to see that API endpoint. But we want to use the admin cert on ES anyway. As Rich said, the location of the keys has just changed (which means we need to update https://docs.openshift.org/latest/install_config/aggregate_logging.html#aggregate-logging-performing-elasticsearch-maintenance-operations)

So:
# oc exec logging-es-e1bxs3th-1-htc5i -- curl \
     --key /etc/elasticsearch/secret/admin-key \
     --cert /etc/elasticsearch/secret/admin-cert \
     --cacert /etc/elasticsearch/secret/admin-ca \
     -XGET "https://localhost:9200/_cat/indices?v"
Comment 35 Xia Zhao 2016-11-10 07:14:00 UTC 
Verified with latest images on brew, it's fixed:

$ oc exec logging-es-h6a5k1eh-1-5yceg -- curl \
>      --key /etc/elasticsearch/secret/admin-key \
>      --cert /etc/elasticsearch/secret/admin-cert \
>      --cacert /etc/elasticsearch/secret/admin-ca \
>      -XGET "https://localhost:9200/_cat/indices?v"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1420  100  1420    0     0  10624      0 --:--:-- --:--:-- --:--:-- 10676
health status index                                                                pri rep docs.count docs.deleted
store.size pri.store.size 
green  open   project.install-test.627931ab-a619-11e6-912c-fa163e4c9831.2016.11.09   1   0      15572            0
3.9mb          3.9mb 
green  open   .operations.2016.11.10                                                 1   0     470325            0
202.6mb        202.6mb 
green  open   .kibana                                                                1   0          1            0
3.1kb          3.1kb 
green  open   .operations.2016.11.09                                                 1   0    1574648            0
677.2mb        677.2mb 
green  open   .searchguard.logging-es-h6a5k1eh-1-5yceg                               1   0          4            0
28.2kb         28.2kb 
green  open   project.xiazhao.19f21915-a623-11e6-b108-fa163e4c9831.2016.11.09        1   0       1603            0
641.1kb        641.1kb 
green  open   project.install-test.627931ab-a619-11e6-912c-fa163e4c9831.2016.11.10   1   0       5192            0
1.4mb          1.4mb 
green  open   .kibana.91938315022b77cf223d212e426080092f1aafcf                       1   0          2            1
18.3kb         18.3kb 
green  open   project.xiazhao.19f21915-a623-11e6-b108-fa163e4c9831.2016.11.10        1   0        241            0
275.8kb        275.8kb
Comment 36 Luke Meyer 2016-11-11 18:49:10 UTC 
Docs PR to address this: https://github.com/openshift/openshift-docs/pull/3206
Comment 37 Luke Meyer 2016-11-11 20:20:44 UTC 

*** This bug has been marked as a duplicate of bug 1369924 ***