Bug 1455691
| Summary: | [3.4] BACKPORT: User can not see .operations.* index even though he belongs to a group with cluster-admin role | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Steven Walter <stwalter> |
| Component: | Logging | Assignee: | Jeff Cantrill <jcantril> |
| Status: | CLOSED ERRATA | QA Contact: | Xia Zhao <xiazhao> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 3.4.0 | CC: | anli, aos-bugs, erich, jcantril, juzhao, lizhou, mkhan, nnosenzo, pportant, qitang, rmeggins, rromerom, wsun |
| Target Milestone: | --- | ||
| Target Release: | 3.4.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: A user's role was not using the correct mechanism for evaluating what projects they could see.
Consequence: Users in a group were improperly being denied viewing logs for admin projects.
Fix: Use SubjectAccessReview to evaluate project visibility.
Result: Users of a group that can see a project are able to see project logs without being given explicit access to the project.
|
Story Points: | --- |
| Clone Of: | 1446217 | Environment: | |
| Last Closed: | 2017-06-15 18:41:06 UTC | Type: | Bug |
| Bug Depends On: | 1446217 | ||
Comment 1
Steven Walter
2017-05-25 20:18:17 UTC
Changes made in:
https://github.com/fabric8io/openshift-elasticsearch-plugin/pull/80
https://github.com/openshift/origin-aggregated-logging/pull/446

Will need to be merged downstream.

It's fixed; verified with a user who belongs to a group with the cluster-admin role: she's now able to see log entries inside index ".operations*" after logging in to Kibana.

Test env:

    # openshift version
    openshift v3.4.1.32
    kubernetes v1.4.0+776c994
    etcd 3.1.0-rc.0

Image tested with:

    openshift3/logging-elasticsearch    3.4.1    0b64a8a567d5

Test steps:

    # oadm groups new testing
    NAME      USERS
    testing
    # oadm groups add-users testing xiazhao
    # oadm policy add-role-to-group cluster-admin testing

Then logged in to the Kibana UI with user xiazhao; she's able to see log entries inside index ".operations*".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1425