Bug 1457292
| Summary: | EFK Stack / Security Exception when accessing logging data in Kibana | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | seferovic |
| Component: | Logging | Assignee: | Jeff Cantrill <jcantril> |
| Status: | CLOSED DUPLICATE | QA Contact: | Xia Zhao <xiazhao> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.5.1 | CC: | aos-bugs, rmeggins |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-06-20 15:50:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Looks like a dup of or related to https://bugzilla.redhat.com/show_bug.cgi?id=1397683

This is a duplicate of 1456413 which will be resolved in 3.5 when the PR lands since they both use same version of the PR. This issue is a result of there being no indexes that match the kibana pattern we seed.

*** This bug has been marked as a duplicate of bug 1456413 ***

Description of problem:
After successful deployment of EFK-Stack a user with cluster-admin rights is able to view all logs (including .operations logs). When a new user with limited privileges is added to a newly created group that has been assigned a cluster-admin role, the following exception/error is shown after logging in to Kibana:
"Discover: [security_exception] no permissions for indices:data/read/msearch"

Version-Release number of selected component (if applicable):
OpenShift Master: v3.5.5.15
Kubernetes Master: v1.5.2+43a9be4

How reproducible:
ansible masters -a "htpasswd -b /etc/origin/master/htpasswd admin1 admin1234"
oadm groups new admin-group1
oadm groups add-users admin-group1 admin1
oadm policy add-cluster-role-to-group cluster-admin admin-group1

Steps to Reproduce:
1. Create a basic user
2. Create a group
3. Add the newly created user to the group from step 2
4. Grant cluster role "cluster-admin" to the group from step 2
5. Log in to OpenShift UI with the user from step 1
6. Go to "logging" project and click on the kibana route URL
7. Log in to Kibana with the user from step 1

Actual results:
"Discover: [security_exception] no permissions for indices:data/read/msearch"

Expected results:
The permission to see all logs from elasticsearch thru Kibana (including .operations log)

Additional info: