Bug 1200841 - pod log could not be printed out when running "osc log" after user log into project
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jhon Honce
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-03-11 13:43 UTC by Johnny Liu
Modified: 2015-09-08 17:35 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-08 17:35:42 UTC
Target Upstream Version:
Embargoed:


Description Johnny Liu 2015-03-11 13:43:41 UTC
Description of problem:
Create a new project, then log into this project as the "joe" user, then run "osc log pod name"
[jialiu@jialiu-pc1 beta2]$ echo $KUBECONFIG
/home/jialiu/.kube/kubeconfig-joe-wiring
[jialiu@jialiu-pc1 beta2]$ cat /home/jialiu/.kube/kubeconfig-joe-wiring
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /var/lib/openshift/openshift.local.certificates/ca/root.crt
    server: https://10.66.79.111:8443
  name: 10.66.79.111:8443
contexts:
- context:
    cluster: 10.66.79.111:8443
    namespace: wiring
    user: joe
  name: 10.66.79.111:8443-joe
current-context: 10.66.79.111:8443-joe
kind: Config
preferences: {}
users:
- name: joe
  user:
    token: OTY5NTYxMDctZmY4NC00NzhjLWEyNWMtNWIxMTdiZDRjYzlj
[jialiu@jialiu-pc1 beta2]$ osc log frontend-1-m68gl
Forbidden: "/api/v1beta1/proxy/minions/jialiu-node1/containerLogs/wiring/frontend-1-m68gl/ruby-helloworld?follow=false" denied by default




Version-Release number of selected component (if applicable):
openshift-0.4-0.git.43.e57c9a8.el7ose.x86_64

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Jordan Liggitt 2015-03-11 13:51:44 UTC
Pod logs go through the /proxy endpoint, which gives direct, unnamespaced access to nodes. For that reason, it requires cluster-admin-level access. Project admins do not currently have access.

There is ongoing work to provide access to pod logs in a namespace-controlled way so that project admins can have this permission.
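
The scoping problem described in comment 1, as an added Go sketch (a simplified model written for this page, not OpenShift's authorizer and not part of the original thread). The `Attrs` and `Rule` types, the rule set, and the namespaced log path are hypothetical; only the proxy path comes from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// Attrs is what the authorizer derives from a request path.
type Attrs struct{ Namespace, Resource string }

// Rule grants Resource ("*" = any) in Namespace ("" = cluster-wide).
type Rule struct{ User, Namespace, Resource string }

// ParseAttrs models path-based attribute extraction (simplified assumption).
func ParseAttrs(path string) Attrs {
	p := strings.Split(strings.Trim(path, "/"), "/")
	if len(p) < 4 || p[0] != "api" {
		return Attrs{}
	}
	switch p = p[2:]; p[0] { // drop "api/<version>"
	case "proxy":
		// The tail after the node name is opaque, so the "wiring" segment
		// inside it is never seen as a namespace: the request is cluster-scoped.
		return Attrs{Resource: "proxy/" + p[1]}
	case "namespaces":
		if len(p) >= 5 { // hypothetical namespaces/<ns>/pods/<name>/log
			return Attrs{Namespace: p[1], Resource: p[2] + "/" + p[4]}
		}
	}
	return Attrs{}
}

// Allowed is default-deny: some rule must cover both scope and resource.
func Allowed(rules []Rule, user string, a Attrs) bool {
	for _, r := range rules {
		if a.Resource != "" && r.User == user &&
			(r.Namespace == "" || r.Namespace == a.Namespace) &&
			(r.Resource == "*" || r.Resource == a.Resource) {
			return true
		}
	}
	return false
}

func main() {
	rules := []Rule{{"joe", "wiring", "*"}, {"root", "", "*"}} // constructed
	proxy := "/api/v1beta1/proxy/minions/jialiu-node1/containerLogs/wiring/frontend-1-m68gl/ruby-helloworld"
	scoped := "/api/v1beta1/namespaces/wiring/pods/frontend-1-m68gl/log" // hypothetical
	fmt.Println(Allowed(rules, "joe", ParseAttrs(proxy)), Allowed(rules, "joe", ParseAttrs(scoped)))
}
```

In this model, granting "joe" the proxy resource would have to be a cluster-wide rule, which would also expose every other project's pods on that node; a namespaced log resource lets the grant stay inside "wiring".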

Comment 3 Luke Meyer 2015-03-19 17:13:20 UTC
(In reply to Jordan Liggitt from comment #1)
 
> There is ongoing work to provide access to pod logs in a
> namespace-controlled way so that project admins can have this permission.

Should it just be project admins by default? Would expect other roles to need this too, and while admins can always modify policy... seems to me it ought to match expectations as best as possible by default. I think I would even expect "view" roles to see logs.

Comment 4 Brenton Leanhardt 2015-05-15 17:22:35 UTC
Non-cluster admins should be able to access logs as of beta3.

Comment 5 Johnny Liu 2015-05-18 06:09:39 UTC
According to https://bugzilla.redhat.com/show_bug.cgi?id=1217834#c3, move this bug to verified.

Comment 6 Josep 'Pep' Turro Mauri 2015-09-08 17:35:42 UTC
Closing this as part of a bulk update/cleanup of multiple bugs that were VERIFIED before OSE 3.0 GA but were left open and haven't been updated since.

If this bug was meant to stay open for some reason please reopen.