Hide Forgot
Created attachment 1213426 [details] es_log Description of problem: Encounter "[Security_exception]No permission for indices:data/read/msearch" after logged in Kibana UI, and see error status 403 and 404 on java console panel, please refer to the attached screenshot for detailed error stacks. Version-Release number of selected component (if applicable): Built out image from https://github.com/openshift/origin-aggregated-logging openshift v1.4.0-alpha.0+c94f61a kubernetes v1.4.0+776c994 etcd 3.1.0-alpha.1 How reproducible: About 50%, mostly happen for every user's first login Steps to Reproduce: 0.Start docker with journal log driver 1.Define local builds according to https://github.com/openshift/origin-aggregated-logging#defining-local-builds 2.Deploy logging with the built out images (OPS cluster is set to false, use_journal set to true). 3.Login kibana UI with different users Actual results: Encounter "[Security_exception]No permission for indices:data/read/msearch" on kibana UI. Expected results: Should not encounter "[Security_exception]No permission for indices:data/read/msearch" on kibana UI Additional info: es pod log attached screenshot attached Issue reproduced when docker log driver is set to both json file and journal.
Created attachment 1213427 [details] kibana_log
Created attachment 1213428 [details] flunetd_log
Created attachment 1213429 [details] screenshot
Hi Eric, Thanks for pointing out this change. After adding this new step during logging deployment, this issue did not happen anymore: oadm policy add-cluster-role-to-user rolebinding-reader system:serviceaccount:logging:aggregated-logging-elasticsearch Please transfer this back for closure. Thanks, Xia
Verified on openshift v1.4.0-alpha.0+c94f61a kubernetes v1.4.0+776c994 etcd 3.1.0-alpha.1 Fixed after adding oadm policy add-cluster-role-to-user rolebinding-reader system:serviceaccount:logging:aggregated-logging-elasticsearch in logging deployment process