Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1360675

Summary: Failed to access kibana web console
Product: OpenShift Container Platform Reporter: chunchen <chunchen>
Component: LoggingAssignee: Luke Meyer <lmeyer>
Status: CLOSED NEXTRELEASE QA Contact: chunchen <chunchen>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.3.0CC: aos-bugs, chunchen, ewolinet, jcantril, wsun, xiazhao
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-09 13:30:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
kibana console screenshot
none
curator pod log
none
ES pod log
none
fluentd log
none
kibana container log
none
kibana-proxy pod log none

Description chunchen 2016-07-27 10:06:09 UTC 
Description of problem:
It's failed to access kibana web console, get below messages from web page:

'require "redirect" parameter beginning with "/"'

Repro when ENABLE_OPS_CLUSTER=true or false.

Version-Release number of selected component (if applicable):
registry...com/openshift3/logging-auth-proxy 3.3.0  c0b7d9b08a2e
registry...com/openshift3/logging-curator 3.3.0  0f4e933a812a
registry...com/openshift3/logging-elasticsearch 3.3.0  b7051c8b66d3
registry...com/openshift3/logging-kibana 3.3.0  32d276bb46ae
registry...com/openshift3/logging-deployer 3.3.0  000cdaaa18ea
brew-...com:8888/openshift3/logging-elasticsearch 3.3.0 e71d2b04669c
brew-...com:8888/openshift3/logging-fluentd 3.3.0 80847240fa91
brew-...com:8888/openshift3/logging-deployer 3.3.0 1c127f4f36a0
brew-...com:8888/openshift3/logging-curator 3.3.0 2c88e1273c11
brew-...com:8888/openshift3/logging-auth-proxy 3.3.0 c0b7d9b08a2e
brew-...com:8888/openshift3/logging-kibana 3.3.0 32d276bb46ae

openshift v3.3.0.10
kubernetes v1.3.0+57fb9ac
etcd 2.3.0+git

How reproducible:
Always

Steps to Reproduce:
1. Deploy logging stack according to doc: https://github.com/openshift/origin-aggregated-logging/tree/master/deployer#using-the-logging-deployer

2. After the logging running, access the kibana web console

Actual results:
[chunchen@F17-CCY Pictures]$ oc get pod
NAME                          READY     STATUS      RESTARTS   AGE
logging-curator-1-i83n0       1/1       Running     0          2h
logging-deployer-hxj9w        0/1       Completed   0          2h
logging-es-816boftf-1-y37od   1/1       Running     0          2h
logging-fluentd-tc71n         1/1       Running     0          2h
logging-kibana-1-do2v6        2/2       Running     0          2h

The page response: require "redirect" parameter beginning with "/"

Expected results:
The kibana web console should be accessed.

Additional info:
The page screenshot and pod logs, please refer to the attachments.
Comment 1 chunchen 2016-07-27 10:07:47 UTC 
Created attachment 1184570 [details]
kibana console screenshot
Comment 2 chunchen 2016-07-27 10:08:21 UTC 
Created attachment 1184571 [details]
curator pod log
Comment 3 chunchen 2016-07-27 10:08:54 UTC 
Created attachment 1184572 [details]
ES pod log
Comment 4 chunchen 2016-07-27 10:09:22 UTC 
Created attachment 1184573 [details]
fluentd log
Comment 5 chunchen 2016-07-27 10:09:46 UTC 
Created attachment 1184574 [details]
kibana container log
Comment 6 chunchen 2016-07-27 10:10:22 UTC 
Created attachment 1184575 [details]
kibana-proxy pod log
Comment 7 Jeff Cantrill 2016-07-28 12:43:08 UTC 
@eric I believe @luke said this is a result of our index change to include uuid.  Might this also be an opportunity to fix https://github.com/openshift/origin-aggregated-logging/issues/171 since I THINK you said the problem was with the query parameters and/or document fragments.
Comment 8 ewolinet 2016-07-28 12:54:36 UTC 
This looks to be something else.  The issue we were seeing with the index change was in regards to the kibana index that was generated within the OpenShift console.  This looks like it was directly accessed and was unable to redirect for login?

Also, the log format for Elasticsearch looks off still... have we rebuilt the image since http://pkgs.devel.redhat.com/cgit/rpms/logging-elasticsearch-docker/commit/?h=rhaos-3.3-rhel-7 ?

@Chunchen, were you trying to access Kibana directly?  What was the URL you used?
Comment 9 Luke Meyer 2016-07-28 13:41:20 UTC 
I managed to reproduce this exactly once; still trying to figure out what the conditions are.
Comment 12 Luke Meyer 2016-08-01 19:52:31 UTC 
I still don't understand how this is happening for you, but I have the following problem, which may be related. With a fresh install of OSE 3.3 and deploying EFK from brew as version 3.3, the server ends up looping through the following URL back to sign-in:

https://kibana.example.com/auth/openshift/callback?error=server_error&error_description=The+authorization+server+encountered+an+unexpected+condition+that+prevented+it+from+fulfilling+the+request.

OpenShift logs indicate this is due to token scope restrictions. If I `oc edit oauthclient/kibana-proxy` I see the following section which is new from this version:

scopeRestrictions:
- literals:
  - user:info
  - user:check-access
  - user:list-projects

If I remove this, I can login and access Kibana as usual. I'm researching the best way to address this during the deployment; in the meantime you can do it manually.

The fact that you could visit URLs from the console, but not log in directly, tends to indicate that there is something wrong with the OAuth process, though it's not necessarily the same as this, it seemed likely to be related.
Comment 14 chunchen 2016-08-03 06:16:45 UTC 
According to Comment #10, this bug is not a testblocker any more, so removed the TestBlocker keyword.
Comment 17 chunchen 2016-08-09 07:10:41 UTC 
It's fixed, checked with the latest logging images as below:

brew-pulp-docker01.web...com:8888/openshift3/logging-auth-proxy      3.3.0               196ecb30fc93
brew-pulp-docker01.web...com:8888/openshift3/logging-elasticsearch   3.3.0               e71d2b04669c
brew-pulp-docker01.web...com:8888/openshift3/logging-fluentd         3.3.0               80847240fa91
brew-pulp-docker01.web...com:8888/openshift3/logging-deployer        3.3.0               1c127f4f36a0
brew-pulp-docker01.web...com:8888/openshift3/logging-curator         3.3.0               2c88e1273c11
brew-pulp-docker01.web...com:8888/openshift3/logging-kibana          3.3.0               32d276bb46ae
Comment 18 Luke Meyer 2016-08-09 13:30:33 UTC 
Great, thanks for testing.