Bug 1446217

Summary: User can not see .operations.* index even though he belongs to a group with cluster-admin role
Product: OpenShift Container Platform Reporter: Nicolas Nosenzo <nnosenzo>
Component: LoggingAssignee: Jeff Cantrill <jcantril>
Status: CLOSED ERRATA QA Contact: Xia Zhao <xiazhao>
Severity: medium Docs Contact:
Priority: high    
Version: 3.4.0CC: anli, aos-bugs, erich, juzhao, mkhan, pportant, rromerom, smunilla, wsun
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Improper way of determining a users role as a cluster admin Consequence: Fix: Modify the method of determining a user's role. Result:
 Story Points: ---
Clone Of:
: 1455691 (view as bug list) Environment:
Last Closed: 2017-08-10 05:21:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1439451    
Bug Blocks: 1455691    

Description Nicolas Nosenzo 2017-04-27 13:22:14 UTC 
Description of problem:
User is not able to see .logging.* even when he belongs to a group that has been granted with cluster-admin role 

Version-Release number of selected component (if applicable):
3.4

How reproducible:
100%

Steps to Reproduce:

- Make sure user belongs (or its group) to the 

# oc describe clusterPolicyBindings :default | egrep 'RoleBinding\[cluster-admins\]' -A

RoleBinding[cluster-admins]:
                                                                Role:                   cluster-admin
                                                                Users:                  system:admin
                                                                Groups:                 system:cluster-admins, group-admins
                                                                ServiceAccounts:        <none>
                                                                Subjects:               <none>


# oc get groups
NAME                          USERS
group-admins                     user1, user2, user3
group-users



- Check, logged as user1, check if you can see entries in .operatoins.* entry logs

# curl --key /etc/elasticsearch/secret/admin-key --cert  /etc/elasticsearch/secret/admin-cert --cacert  /etc/elasticsearch/secret/admin-ca https://localhost:9200/.operations.*/_search | python -mjson.tool | more

{
    "_shards": {
        "failed": 0,
        "successful": 7,
        "total": 7
    },
    "hits": {
        "hits": [
           
	****** LOG ENTRIES *******

        ],
        "max_score": 1.0,
        "total": 76368185
    },
    "timed_out": false,
    "took": 60
}


- Search for an string:

# oc exec logging-kibana-ops-1-ew340  -c kibana -- curl --connect-timeout 1 -s -k        --cert /etc/kibana/keys/cert --key /etc/kibana/keys/key        -H "X-Proxy-Remote-User: $test_name" -H "Authorization: Bearer $test_token" -H "X-Forwarded-For: 127.0.0.1"        https://logging-es-ops:9200/.operations.*/_search\?q=message:"for"

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for indices:data/read/search"}],"type":"security_exception","reason":"no permissions for indices:data/read/search"},"status":403}

**** you get above permission error message


- Instead, if you set the cluster-admin role directly to the user: 
# oadm policy add-cluster-role-to-user cluster-admin user1

- Then the user will be able to search for strings in the .operations.* index:

# oc exec logging-kibana-ops-1-ew340  -c kibana -- curl --connect-timeout 1 -s -k        --cert /etc/kibana/keys/cert --key /etc/kibana/keys/key        -H "X-Proxy-Remote-User: $test_name" -H "Authorization: Bearer $test_token" -H "X-Forwarded-For: 127.0.0.1"        https://logging-es-ops:9200/.operations.*/_search\?q=message:"for"

{"took":1055,"timed_out":false,"_shards":{"total":7,"successful":7,"failed":0},"hits":{"total":3811811,"max_score":7.1148357,"hits":[******* LOG ENTRIES *******]}}


Actual results:

Permission error message is displayed

Expected results:

Output should show matchs for the string we are looking for. 

Additional info:
Comment 3 Rich Megginson 2017-04-27 19:12:34 UTC 
*** Bug 1444816 has been marked as a duplicate of this bug. ***
Comment 4 Ruben Romero Montes 2017-04-28 06:41:28 UTC 
As described in https://bugzilla.redhat.com/show_bug.cgi?id=1444816
 - it also affects .all and .operations.* index patterns
 - it is also reproducible with cluster-reader role
 - it does not affect the access to other namespaces
Comment 5 Jeff Cantrill 2017-05-01 17:53:25 UTC 
I think this is related to https://github.com/fabric8io/openshift-elasticsearch-plugin/issues/72 where their is a belief we are determining operations users improperly.
Comment 6 Jeff Cantrill 2017-05-04 19:38:04 UTC 
Resolved by: https://github.com/openshift/origin-aggregated-logging/pull/403

Tested by:

1. verifying a user (testing-admin) can not see ops index
2. Add new group: oadm groups new testing
3. Add user to group: oadm groups add-users testing testing-admin
4. verifying user still can not see ops index
5. Apply policy to group: oadm policy add-role-to-group cluster-admin testing
6. Verify user can see ops index
Comment 7 openshift-github-bot 2017-05-08 14:05:47 UTC 
Commit pushed to master at https://github.com/openshift/origin-aggregated-logging

https://github.com/openshift/origin-aggregated-logging/commit/7b8f90c10ba27bd174773587138ebff4d2b16299
bug 1446217. Bump plugin to use SAR to evaluate ops user
Comment 9 Xia Zhao 2017-06-06 08:34:08 UTC 
The verification work was blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1458652
Comment 10 Xia Zhao 2017-07-03 09:54:05 UTC 
It's fixed. Test steps like this (made some minor changes to comment #6):
1. # oadm groups new testing
NAME      USERS
testing   
2. # oadm groups add-users testing testing-admin
3. # oadm policy add-cluster-role-to-group cluster-admin testing
4. # oc describe clusterPolicyBindings :default | grep 'RoleBinding\[cluster-admin\]' -A 5
RoleBinding[cluster-admin]:                                 
                                            Role:            cluster-admin
                                            Users:            <none>
                                            Groups:            system:masters, testing
                                            ServiceAccounts:    <none>
                                            Subjects:        <none>
5. Login kibana with user "testing-admin", can see .operations* index and log entries inside from logging UI.

Test env:
# openshift version
openshift v3.6.131
kubernetes v1.6.1+5115d708d7
etcd 3.2.1


ansible version:
openshift-ansible-playbooks-3.6.131-1.git.0.d87dfaa.el7.noarch

Images tested with:
openshift3/logging-elasticsearch    c601094a6111
openshift3/logging-kibana    c91b7ad68dc7
openshift3/logging-fluentd    82367a1102e0
openshift3/logging-curator    b609245a72f9
openshift3/logging-auth-proxy    39164e25543c
Comment 12 errata-xmlrpc 2017-08-10 05:21:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716