Bug 1388045

Summary: Encounter "[Security_exception]No permission for indices:data/read/msearch" on kibana UI
Product: OKD Reporter: Xia Zhao <xiazhao>
Component: LoggingAssignee: ewolinet
Status: CLOSED CURRENTRELEASE QA Contact: Xia Zhao <xiazhao>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.xCC: aos-bugs
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-09 21:49:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
es_log
none
kibana_log
none
flunetd_log
none
screenshot none

Description Xia Zhao 2016-10-24 10:01:48 UTC
Created attachment 1213426 [details]
es_log

Description of problem:
Encounter "[Security_exception]No permission for indices:data/read/msearch" after logged in Kibana UI, and see error status 403 and 404 on java console panel, please refer to the attached screenshot for detailed error stacks.

Version-Release number of selected component (if applicable):
Built out image from https://github.com/openshift/origin-aggregated-logging

openshift v1.4.0-alpha.0+c94f61a
kubernetes v1.4.0+776c994
etcd 3.1.0-alpha.1

How reproducible:
About 50%, mostly happen for every user's first login

Steps to Reproduce:
0.Start docker with journal log driver
1.Define local builds according to https://github.com/openshift/origin-aggregated-logging#defining-local-builds
2.Deploy logging with the built out images (OPS cluster is set to false, use_journal set to true).
3.Login kibana UI with different users

Actual results:
Encounter "[Security_exception]No permission for indices:data/read/msearch" on kibana UI.

Expected results:
Should not encounter "[Security_exception]No permission for indices:data/read/msearch" on kibana UI

Additional info:
es pod log attached
screenshot attached
Issue reproduced when docker log driver is set to both json file and journal.

Comment 1 Xia Zhao 2016-10-24 10:04:38 UTC
Created attachment 1213427 [details]
kibana_log

Comment 2 Xia Zhao 2016-10-24 10:05:00 UTC
Created attachment 1213428 [details]
flunetd_log

Comment 3 Xia Zhao 2016-10-24 10:06:02 UTC
Created attachment 1213429 [details]
screenshot

Comment 5 Xia Zhao 2016-10-25 05:14:21 UTC
Hi Eric,

Thanks for pointing out this change. After adding this new step during logging deployment, this issue did not happen anymore:

oadm policy add-cluster-role-to-user rolebinding-reader system:serviceaccount:logging:aggregated-logging-elasticsearch

Please transfer this back for closure.

Thanks,
Xia

Comment 6 Xia Zhao 2016-10-25 14:46:52 UTC
Verified on 

openshift v1.4.0-alpha.0+c94f61a
kubernetes v1.4.0+776c994
etcd 3.1.0-alpha.1

Fixed after adding 

oadm policy add-cluster-role-to-user rolebinding-reader system:serviceaccount:logging:aggregated-logging-elasticsearch

in logging deployment process