Bug 1666674
Summary: | Calling <kibana_url>/api/status results in being redirected to an oauth login page that does not support challenge authentication in 3.11. | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Vedanti Jaypurkar <vjaypurk> |
Component: | Logging | Assignee: | Jeff Cantrill <jcantril> |
Status: | CLOSED WONTFIX | QA Contact: | Anping Li <anli> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 3.11.0 | CC: | aos-bugs, jcantril, mkhan, rmeggins, suchaudh, travi |
Target Milestone: | --- | | |
Target Release: | 3.11.z | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | No Doc Update |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-04-02 21:06:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Vedanti Jaypurkar
2019-01-16 10:52:24 UTC
Mo, The change here is the move to use the oauthproxy to front kibana in 3.11 instead of our proxy from 3.10 and prior. Should the bearer token be enough? What more might we be missing to allow access via CLI?

At the very least you are missing the redirect URI for openshift-challenging-client. At log level 2+, you should be able to see what is upsetting the OAuth server. As an aside, you should not be using openshift-challenging-client or a "real" OAuth client like kibana-proxy. Based on the request scopes, a service account based OAuth client will work without issue [1].

[1] https://docs.okd.io/latest/architecture/additional_concepts/authentication.html#service-accounts-as-oauth-clients

Trying to authenticate via OAuth from the CLI seems incorrect. The openshift-delegate-urls [1] parameter for OAuth proxy is used to configure bearer token based auth which is what I would expect to be used here. Jeff, how is OAuth proxy configured for kibana?

[1] https://github.com/openshift/origin/blob/master/examples/prometheus/prometheus.yaml#L271

(In reply to Mo from comment #4)
> Trying to authenticate via OAuth from the CLI seems incorrect. The
> openshift-delegate-urls [1] parameter for OAuth proxy is used to configure
> bearer token based auth which is what I would expect to be used here.
>
> Jeff, how is OAuth proxy configured for kibana?

https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_kibana/templates/kibana.j2#L98-L110

The Kibana OAuth proxy configuration needs to be updated to include something like:

```yaml
- '-openshift-sar={"resource": "selfsubjectaccessreviews", "verb": "create", "group": "authorization.k8s.io"}'
- '-openshift-delegate-urls={"/": {"resource": "selfsubjectaccessreviews", "verb": "create", "group": "authorization.k8s.io"}}'
```

This will allow it to directly honor tokens as long as the OAuth proxy service account has a cluster role binding to system:auth-delegator. The noted SAR checks are allowed by all users (this is fine because Kibana handles the authz checks itself).

Reverting PR because it introduced regression.

Possible fix is:
Jeff Cantrill [2:13 PM]
create a custom role, bind to system:authenticated something like view kibana/status

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
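The following manifest is an added example to illustrate the configuration discussed in the thread; it is not taken from the bug report or from the openshift-ansible Kibana template. It puts the two oauth-proxy arguments quoted above next to the `system:auth-delegator` binding they depend on, and marks where the reported 3.11 behaviour (a 302 to the OAuth login page for every request without a session cookie) comes from. The namespace `logging`, the service account `kibana-proxy-sa`, the route name, ports, secret paths and image references are assumptions chosen for illustration; the oauth-proxy flags other than `-openshift-sar` and `-openshift-delegate-urls` are standard openshift/oauth-proxy options.

```yaml
# Added example, not configuration from the bug report or openshift-ansible.
# All object names, ports, paths and images below are assumptions.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kibana-proxy-sa          # assumed name
  namespace: logging             # assumed namespace
  annotations:
    # Registers the service account itself as the OAuth client, the approach the
    # thread recommends instead of openshift-challenging-client or a full client.
    # The redirect target is resolved from the (assumed) Route named "kibana".
    serviceaccounts.openshift.io/oauth-redirectreference.kibana: >-
      {"kind":"OAuthRedirectReference","apiVersion":"v1",
       "reference":{"kind":"Route","name":"kibana"}}
---
# -openshift-delegate-urls makes the proxy validate a presented bearer token with a
# TokenReview. Only subjects bound to system:auth-delegator may create TokenReviews,
# so without this binding the proxy cannot honor tokens and keeps redirecting.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kibana-proxy-auth-delegator     # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: kibana-proxy-sa
  namespace: logging
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
  namespace: logging
spec:
  replicas: 1
  selector:
    matchLabels:
      component: kibana
  template:
    metadata:
      labels:
        component: kibana
    spec:
      serviceAccountName: kibana-proxy-sa
      containers:
      - name: kibana
        image: kibana:placeholder            # placeholder image reference
        ports:
        - containerPort: 5601                # Kibana listens on localhost only
      - name: kibana-proxy
        image: openshift/oauth-proxy:placeholder   # placeholder image reference
        ports:
        - containerPort: 3000
        args:
        - -provider=openshift
        - -https-address=:3000
        - -upstream=http://localhost:5601
        - -tls-cert=/etc/tls/private/tls.crt
        - -tls-key=/etc/tls/private/tls.key
        - -cookie-secret-file=/etc/proxy/secrets/session_secret
        - -openshift-service-account=kibana-proxy-sa
        # BEFORE (the behaviour reported in the bug): the args ended here. A request
        # without a session cookie, such as curl to /api/status with
        # "Authorization: Bearer <token>", was answered with a 302 to the OAuth
        # login page, which does not support challenge authentication.
        #
        # AFTER: the SAR below gates browser sessions, and the delegate-urls entry
        # for "/" (all paths) makes a request that presents a bearer token pass
        # through a TokenReview plus the same SAR instead of being redirected.
        # The SAR is permissive by design; the thread notes Kibana enforces
        # authorization itself.
        - -openshift-sar={"resource": "selfsubjectaccessreviews", "verb": "create", "group": "authorization.k8s.io"}
        - -openshift-delegate-urls={"/": {"resource": "selfsubjectaccessreviews", "verb": "create", "group": "authorization.k8s.io"}}
        volumeMounts:
        - name: proxy-tls
          mountPath: /etc/tls/private
        - name: proxy-secrets
          mountPath: /etc/proxy/secrets
      volumes:
      - name: proxy-tls
        secret:
          secretName: kibana-proxy-tls       # assumed secret holding tls.crt/tls.key
      - name: proxy-secrets
        secret:
          secretName: kibana-proxy-secrets   # assumed secret holding session_secret
```

A quick check for the symptom from the summary: `curl -sk -o /dev/null -w '%{http_code}\n' -H "Authorization: Bearer $(oc whoami -t)" https://<kibana_url>/api/status` should return `200` once tokens are delegated; a `302` with a `Location` header pointing at the cluster's `/oauth/authorize` endpoint means the proxy is still starting the browser login flow for API clients.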