Bug 1494239
Summary: | Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Nick Schuetz <nschuetz> |
Component: | Logging | Assignee: | Jeff Cantrill <jcantril> |
Status: | CLOSED ERRATA | QA Contact: | Anping Li <anli> |
Severity: | high | Priority: | unspecified |
Version: | 3.6.1 | CC: | aos-bugs, nschuetz, rmeggins, smunilla |
Target Release: | 3.6.z | Keywords: | Reopened |
Hardware: | x86_64 | OS: | Linux |
Doc Type: | Bug Fix | Type: | Bug |
Last Closed: | 2017-12-07 07:11:23 UTC | | |

Doc Text:
Cause: openshift-elasticsearch-plugin was creating ACL roles based on the provided name which could include slashes and commas.
Consequence: This caused the dependent lib to not properly evaluate roles.
Fix: Hash the name when creating ACL roles so they no longer contain the invalid characters.
Result: AD users can use kibana and logging.
Description
Nick Schuetz
2017-09-21 19:31:10 UTC
The results provided are not necessarily related to the title of the issue. 'Empty project' is just a placeholder that no data has been collected for your index. We really need additional information to determine the issue. I suggest running [1] and attaching the output. Also, can you provide the steps you used to identify the issue? Did you in fact enter a user name of 'CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com' in the openshift login page? This seems unmanageable from the user's perspective.

[1] https://github.com/openshift/origin-aggregated-logging/blob/master/hack/logging-dump.sh

The username we entered was the CN alone. However, when doing an `oc whoami` it presented the full distinguished name. So did the output of `oc get names` and `oc get identity`. It was also displayed in the WebUI when doing a logout operation.

*** This bug has been marked as a duplicate of bug 1456584 ***

Reopening as the dup is the wrong issue

Commits pushed to master at https://github.com/openshift/origin-aggregated-logging

https://github.com/openshift/origin-aggregated-logging/commit/ef7a1f568f31f89c64a67a7b41fb09b9efbf08c7
bump openshift-elasticsearch-plugin to 2.4.4.16 to fix:
bug 1494239. fix handling of ldap names for username
bug 1456584. fix handling of active directory username
remove non-ops 'all' alias

https://github.com/openshift/origin-aggregated-logging/commit/a45858e52fabca8e805631851174a8cec63b43ca
Merge pull request #741 from jcantrill/plugin_bump_24416
Automatic merge from submit-queue.
bump openshift-elasticsearch-plugin to 2.4.4.16 to fix
bug 1494239. fix handling of ldap names for username
bug 1456584. fix handling of active directory username
remove non-ops 'all' alias

@Samuel, the bug target is v3.6. Could you move the bug to v3.6 errata?

QE couldn't reproduce this issue, so regression has been executed. The test passes with both OpenLDAP and Active Directory LDAP, so move bug to verified.

Test version:
logging-elasticsearch/images/3.6.173.0.63-10
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-1.el7.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3389
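The fix summarized in the Doc Text above (hash the name before building the ACL role) is sketched below as an added example; it is not code from openshift-elasticsearch-plugin. The `user_role_` prefix, the function names, the choice of SHA-256 and all sample identities other than the DN quoted in the report are assumptions made for illustration.

```python
import hashlib

# Characters the bug report names as breaking role evaluation.
INVALID_ROLE_CHARS = frozenset("/,")
ROLE_PREFIX = "user_role_"  # hypothetical prefix, not taken from the plugin


def naive_role_name(username: str) -> str:
    """Pre-fix behaviour per the report: the role name embeds the raw username."""
    return ROLE_PREFIX + username


def hashed_role_name(username: str) -> str:
    """Post-fix idea: embed a hex digest of the username instead.
    SHA-256 is an assumption; the report does not say which hash is used."""
    digest = hashlib.sha256(username.encode("utf-8")).hexdigest()
    return ROLE_PREFIX + digest


def invalid_chars(role: str) -> set:
    """Return the offending characters present in a role name."""
    return set(role) & INVALID_ROLE_CHARS


def build_role_map(usernames):
    """Map hashed role -> username so opaque roles can still be audited.
    Raises if two distinct usernames ever map to the same role."""
    roles = {}
    for name in usernames:
        role = hashed_role_name(name)
        if roles.setdefault(role, name) != name:
            raise ValueError(f"role collision: {name!r} vs {roles[role]!r}")
    return roles


# Constructed sample identities: the DN quoted in the report plus variants.
SAMPLE_USERS = [
    "CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com",
    "cn=jdoe,ou=DL IT,ou=User Accounts,dc=example,dc=com",  # same DN, other case
    "EXAMPLE/jdoe",  # constructed name containing a slash
    "jdoe",
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(sorted(invalid_chars(naive_role_name(user))), hashed_role_name(user))
```

Hashing is byte-exact, so the two case variants of the same DN produce different roles; an identity provider that can return either form needs the name normalized before it is hashed.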