Bug 1964532

Summary: Non cluster admins lose access to Kibana indexes and are forced to recreate them but it fails
Product: OpenShift Container Platform
Reporter: Courtney Ruhm <cruhm>
Component: Logging
Assignee: Jeff Cantrill <jcantril>
Status: CLOSED ERRATA
QA Contact: Kabir Bharti <kbharti>
Severity: low
Docs Contact:
Priority: unspecified
Version: 4.6.z
CC: aos-bugs, ikarpukh, qitang
Target Milestone: ---
Target Release: 4.6.z
Hardware: Unspecified
OS: Unspecified
Whiteboard: logging-exploration
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-03 20:54:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Courtney Ruhm 2021-05-25 16:20:00 UTC
Description of problem:

Non-cluster admins lose access to Kibana indexes and are forced to recreate them, despite the previous Bugzilla identified in 4.5 for this issue being fixed with https://access.redhat.com/errata/RHBA-2021:1489


Version-Release number of selected component (if applicable):

4.6.28 

How reproducible:

N/A

Steps to Reproduce:

Hit the previous bug found in https://access.redhat.com/solutions/5885501, then upgrade to 4.6.28. Deleting and recreating the user's Kibana index seems to solve the issue, but after a couple of days the user permissions seem to revert back.

Actual results:

User permissions, after being fixed, eventually revert back to:

[2021-05-25T11:02:03,047][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch-cdm-xxxxxxx-3] No index-level perm match for User [name=xxxxxx.xxx, roles=[project_user], requestedTenant=__user__] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [project_user]]
[2021-05-25T11:02:03,047][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch-cdm-8opci2yc-3] No permissions for [indices:admin/mappings/get]

Expected results:

User permissions should not revert, and users should still be able to access their Kibana indexes.

Additional info:

Customer reportedly upgraded on May 21st and then deleted and recreated the user's Kibana index. They reported that it stopped working again on May 25th, so about 4 days.

Comment 4 IgorKarpukhin 2021-10-21 12:52:02 UTC
Solved with https://github.com/openshift/origin-aggregated-logging/pull/2165

Comment 5 Kabir Bharti 2021-10-25 20:50:23 UTC
Verified on the CSV below:
NAME                                        DISPLAY                            VERSION              REPLACES   PHASE
clusterlogging.4.6.0-202110190717           Cluster Logging                    4.6.0-202110190717              Succeeded
elasticsearch-operator.4.6.0-202110212031   OpenShift Elasticsearch Operator   4.6.0-202110212031              Succeeded

A non-cluster admin user is able to create an index pattern in Kibana, and the index pattern is not deleted. Manual deletion of the index pattern by the user and recreating it also works fine.

Marking Bug as QE verified.

Comment 8 errata-xmlrpc 2021-11-03 20:54:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.49 extras update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4010