Bug 1455691
Summary: | [3.4] BACKPORT: User can not see .operations.* index even though he belongs to a group with cluster-admin role | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Steven Walter <stwalter> |
Component: | Logging | Assignee: | Jeff Cantrill <jcantril> |
Status: | CLOSED ERRATA | QA Contact: | Xia Zhao <xiazhao> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 3.4.0 | CC: | anli, aos-bugs, erich, jcantril, juzhao, lizhou, mkhan, nnosenzo, pportant, qitang, rmeggins, rromerom, wsun |
Target Milestone: | --- | ||
Target Release: | 3.4.z | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: A user's role was not using the correct mechanism for evaluating what projects they could see.
Consequence: Users in a group were improperly being denied viewing logs for admin projects.
Fix: Use SubjectAccessReview to evaluate project visibility.
Result: Users of a group that can see a project are able to see project logs without being given explicit access to the project.
|
Story Points: | --- |
Clone Of: | 1446217 | Environment: | |
Last Closed: | 2017-06-15 18:41:06 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1446217 | ||
Bug Blocks: |
Comment 1
Steven Walter
2017-05-25 20:18:17 UTC
Changes made in:
https://github.com/fabric8io/openshift-elasticsearch-plugin/pull/80
https://github.com/openshift/origin-aggregated-logging/pull/446

Will need to be merged downstream.

It's fixed. Verified with a user who belongs to a group with the cluster-admin role; she's now able to see log entries inside index ".operations*" after logging in to Kibana:

-------------------------
Test env:

    # openshift version
    openshift v3.4.1.32
    kubernetes v1.4.0+776c994
    etcd 3.1.0-rc.0

Image tested with:
openshift3/logging-elasticsearch    3.4.1    0b64a8a567d5

--------------------------
Test steps:

    # oadm groups new testing
    NAME      USERS
    testing
    # oadm groups add-users testing xiazhao
    # oadm policy add-role-to-group cluster-admin testing

Then logged in to the Kibana UI with user xiazhao; she's able to see log entries inside index ".operations*".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1425
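The Doc Text above names SubjectAccessReview as the fix for group members being denied. The following toy policy model is an added illustration, not code from the plugin or from this bug report; it contrasts a check that only honours bindings naming the user with a SubjectAccessReview-style check over the user plus their groups. It assumes the faulty check ignored group bindings (the page does not describe the old mechanism); the `someuser` binding and the `get pods/log in default` gate are constructed for the example.

```python
# Added illustration: toy in-memory policy model, not OpenShift or plugin code.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data mirroring the test steps on this page.
GROUPS = {"testing": {"xiazhao"}}
ROLES = {  # role -> set of (verb, resource); "*" is a wildcard
    "cluster-admin": {("*", "*")},
    "view": {("get", "pods"), ("get", "pods/log")},
}

@dataclass(frozen=True)
class Binding:
    role: str
    subject_kind: str                 # "User" or "Group"
    subject_name: str
    namespace: Optional[str] = None   # None means a cluster-wide binding

BINDINGS = [
    Binding("cluster-admin", "Group", "testing"),       # from the test steps
    Binding("view", "User", "someuser", "myproject"),   # constructed
]

def _grants(role, verb, resource):
    return any(v in ("*", verb) and r in ("*", resource) for v, r in ROLES[role])

def _applies(b, verb, resource, namespace):
    return b.namespace in (None, namespace) and _grants(b.role, verb, resource)

def direct_binding_check(user, verb, resource, namespace):
    """Assumed model of the faulty check: only bindings naming the user count."""
    return any(b.subject_kind == "User" and b.subject_name == user
               and _applies(b, verb, resource, namespace) for b in BINDINGS)

def subject_access_review(user, verb, resource, namespace):
    """SAR-style check: the subject is the user plus every group they are in."""
    groups = {g for g, members in GROUPS.items() if user in members}
    return any(((b.subject_kind == "User" and b.subject_name == user)
                or (b.subject_kind == "Group" and b.subject_name in groups))
               and _applies(b, verb, resource, namespace) for b in BINDINGS)

def can_see_operations(user, check):
    # Hypothetical gate: show operations logs to subjects who may read pod
    # logs in an admin project ("default" is an assumption made here).
    return check(user, "get", "pods/log", "default")

if __name__ == "__main__":
    for name, check in (("direct", direct_binding_check),
                        ("SAR-style", subject_access_review)):
        print(name, "xiazhao ->", can_see_operations("xiazhao", check))
```
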