Bug 1490391

Summary: [RFE] Elasticsearch should use OCP roles to filter access to logs
Product: OpenShift Container Platform Reporter: Ruben Romero Montes <rromerom>
Component: RFEAssignee: Jeff Cantrill <jcantril>
Status: CLOSED WONTFIX QA Contact: Xiaoli Tian <xtian>
Severity: medium Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aos-bugs, jokerman, mmccomas, rmeggins, simon.gunzenreiner, tkatarki
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-12 11:58:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
cluster-restricted-admin-role.json
none
cluster-restricted-reader-role.json none

Description Ruben Romero Montes 2017-09-11 12:56:11 UTC 
3. What is the nature and description of the request?
While viewing logs in Kibana, a user without permissions to view any pod's logs will have access just by having permissions to see a project. This is just by being able to perform the "view" verb on the resource "namespace". However, it is not being taken into consideration the possibility that some users don't have access to "view" the following resources:
 "pods/log"
 "builds/log"
 "deploymentconfigs/log"

This is why the way currently Elasticsearch + SearchGuard allows a user to access logs is not sufficient.

4. Why does the customer need this? (List the business requirements here)
Given the company's security constrains not everyone administering the cluster has access to the sensitive data like secrets or logs. Those "restricted-admins" have access to the namespaces but must not have access to the logs.

5. How would the customer like to achieve this? (List the functional requirements here)
- As a "cluster-admin" I want to be able to restrict who has access to pods logs even though they have access to the namespace.
- As a "restricted-admin" I shouldn't be able to see pods logs in Kibana the same way I don't have access to them using OpenShift CLI


6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Given the attached cluster roles and a user having assigned the cluster role "cluster-restricted-admin", this user will not be able to see any logs from any pod.
However if the user is somehow granted the permissions to see certain pods logs, those pods will be shown in Kibana

10. List any affected packages or components.
Aggregated logging framework
Comment 1 Ruben Romero Montes 2017-09-11 12:56:56 UTC 
Created attachment 1324458 [details]
cluster-restricted-admin-role.json
Comment 2 Ruben Romero Montes 2017-09-11 12:57:27 UTC 
Created attachment 1324459 [details]
cluster-restricted-reader-role.json
Comment 10 Kirsten Newcomer 2019-06-12 11:58:48 UTC 
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progress within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new 

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.