Bug 1492576

Summary: [trello O6MCrGUx]Can't save searches, visulizations and dashboards in shared_ops mode
Product: OpenShift Container Platform Reporter: Xia Zhao <xiazhao>
Component: LoggingAssignee: Jeff Cantrill <jcantril>
Status: CLOSED ERRATA QA Contact: Anping Li <anli>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.7.0CC: anli, aos-bugs, jcantril, juzhao, pportant, rmeggins, xtian
Target Milestone: ---Keywords: OpsBlocker
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Users don't have write permissions to the Kibana index Consequence: Security Exception Fix: Give users write permissions to the Kibana index Result:
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 22:11:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
error screeshot
none
searches could be saved and loaded none

Description Xia Zhao 2017-09-18 08:32:20 UTC 
Created attachment 1327265 [details]
error screeshot

Description of problem:
Can't save searches, visulizations and dashboards as both cluster-admin and ordinary users in shared_ops mode:

Discover: Request to Elasticsearch failed: "[security_exception] no permissions for indices:data/write/index"

Error: Request to Elasticsearch failed: "[security_exception] no permissions for indices:data/write/index"
KbnError@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:57511:21
RequestFailure@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:57544:6
__WEBPACK_AMD_DEFINE_RESULT__</</</<@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:97666:16
processQueue@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:42452:29
scheduleProcessQueue/<@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:42468:28
$RootScopeProvider/this.$get</Scope.prototype.$eval@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:43696:17
$RootScopeProvider/this.$get</Scope.prototype.$digest@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:43507:16
$RootScopeProvider/this.$get</Scope.prototype.$apply@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:43804:14
done@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:38253:37
completeRequest@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:38451:8
requestLoaded@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:38392:10

Issue did not repro in unique mode

Version-Release number of selected component (if applicable):
logging-kibana          v3.7                cecca4258b8a        2 days ago          618 MB
logging-auth-proxy      v3.7                d0dbe597a63c        2 days ago          218.2 MB

# openshift version
openshift v3.7.0-0.126.4
kubernetes v1.7.0+80709908fd
etcd 3.2.1

How reproducible:
always

Steps to Reproduce:
1.Deploy logging v3.7 stacks with this parameter specified in inventory file:
openshift_logging_elasticsearch_kibana_index_mode=shared_ops
2.Login kibana with both cluster-admin or ordinary users
3.Try to save a query, visulization or dashboard

Actual results:
Get error: Discover: Request to Elasticsearch failed: "[security_exception] no permissions for indices:data/write/index"

Expected results:
query, visulization or dashboard should be saved successfully

Additional info:
Error screenshot attached
Comment 1 Jeff Cantrill 2017-09-18 13:16:47 UTC 
Will be fixed by:

https://github.com/openshift/origin-aggregated-logging/pull/641
Comment 2 Xia Zhao 2017-09-25 09:29:18 UTC 
Reproduced on openshift v3.7.0-0.126.6, ansible version: openshift-ansible-playbooks-3.7.0-0.126.6.git.0.a60fe67.el7.noarch

logging images tested with:
${brew_registry}/openshift3/logging-kibana          v3.7                8a8d97e2e52d        3 days ago          618 MB
${brew_registry}/openshift3/logging-elasticsearch   v3.7                f02ad2ceb2fe        3 days ago          438.1 MB
${brew_registry}/openshift3/logging-fluentd         v3.7                e51eed14dd9a        3 days ago          235.1 MB
${brew_registry}/openshift3/logging-auth-proxy      v3.7                8b446c84fceb        3 days ago          218.2 MB
${brew_registry}/openshift3/logging-curator         v3.7                5775172f7c24        3 days ago          222.3 MB
Comment 3 Xia Zhao 2017-09-25 09:32:51 UTC 
Issue was even reproduced on unique mode with Comment #2.
Comment 5 Anping Li 2017-10-11 05:19:10 UTC 
The index can be saved with v3.7.0-0.143.1.1. so move to verified.
Comment 6 Peter Portante 2017-10-12 22:38:44 UTC 
We are seeing this same problem on starter-ca-central-1 today, oc version v3.6.173.0.7, logging version v3.6.173.0.37.
Comment 7 Junqi Zhao 2017-10-26 05:50:10 UTC 
Tested with images from stage repo,  searches, visulizations and dashboards could be saved in shared_ops mode.
See the attached picture, take save searches for example, there have 3 saved searches, and load these searches could get correct result, no error is found.

env:
openshift v3.6.173.0.59


rpm -qa | grep openshift-ansible*
openshift-ansible-docs-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-lookup-plugins-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-callback-plugins-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-roles-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-filter-plugins-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-playbooks-3.6.173.0.59-1.git.0.0e31372.el7.noarch

Images:
logging-curator-v3.6.173.0.49-4
logging-elasticsearch-v3.6.173.0.49-5
logging-fluentd-v3.6.173.0.49-4
logging-fluentd-v3.6.173.0.49-4
logging-kibana-v3.6.173.0.49-5
Comment 8 Junqi Zhao 2017-10-26 05:51:43 UTC 
Created attachment 1343542 [details]
searches could be saved and loaded
Comment 9 Peter Portante 2017-10-26 10:54:23 UTC 
Should we only verify this against 3.7 images?
Comment 10 Peter Portante 2017-10-26 11:16:00 UTC 
Was this an install of 3.6 using openshift-ansible 3.6.173.0.59, but all image versions of OCP and Logging at 3.6.173.0.49?
Comment 12 Junqi Zhao 2017-10-27 00:45:11 UTC 
Change logging Images in Comment 7 to:
logging-auth-proxy-v3.6.173.0.49-4
logging-curator-v3.6.173.0.49-4
logging-elasticsearch-v3.6.173.0.49-5
logging-fluentd-v3.6.173.0.49-4
logging-kibana-v3.6.173.0.49-5
Comment 19 errata-xmlrpc 2017-11-28 22:11:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188