1492576 – [trello O6MCrGUx]Can't save searches, visulizations and dashboards in shared_ops mode

Bug 1492576 - [trello O6MCrGUx]Can't save searches, visulizations and dashboards in shared_ops mode

Summary: [trello O6MCrGUx]Can't save searches, visulizations and dashboards in shared_...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Logging
Sub Component:
Version:	3.7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.7.0
Assignee:	Jeff Cantrill
QA Contact:	Anping Li
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-09-18 08:32 UTC by Xia Zhao
Modified:	2017-11-28 22:11 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Users don't have write permissions to the Kibana index Consequence: Security Exception Fix: Give users write permissions to the Kibana index Result:
Clone Of:
Environment:
Last Closed:	2017-11-28 22:11:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
error screeshot (130.74 KB, image/png) 2017-09-18 08:32 UTC, Xia Zhao	no flags	Details
searches could be saved and loaded (205.48 KB, image/png) 2017-10-26 05:51 UTC, Junqi Zhao	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description Xia Zhao 2017-09-18 08:32:20 UTC

Created attachment 1327265 [details]
error screeshot

Description of problem:
Can't save searches, visulizations and dashboards as both cluster-admin and ordinary users in shared_ops mode:

Discover: Request to Elasticsearch failed: "[security_exception] no permissions for indices:data/write/index"

Error: Request to Elasticsearch failed: "[security_exception] no permissions for indices:data/write/index"
KbnError@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:57511:21
RequestFailure@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:57544:6
__WEBPACK_AMD_DEFINE_RESULT__</</</<@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:97666:16
processQueue@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:42452:29
scheduleProcessQueue/<@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:42468:28
$RootScopeProvider/this.$get</Scope.prototype.$eval@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:43696:17
$RootScopeProvider/this.$get</Scope.prototype.$digest@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:43507:16
$RootScopeProvider/this.$get</Scope.prototype.$apply@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:43804:14
done@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:38253:37
completeRequest@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:38451:8
requestLoaded@https://kibana.${subdomain}/bundles/commons.bundle.js?v=10229:38392:10

Issue did not repro in unique mode

Version-Release number of selected component (if applicable):
logging-kibana          v3.7                cecca4258b8a        2 days ago          618 MB
logging-auth-proxy      v3.7                d0dbe597a63c        2 days ago          218.2 MB

# openshift version
openshift v3.7.0-0.126.4
kubernetes v1.7.0+80709908fd
etcd 3.2.1

How reproducible:
always

Steps to Reproduce:
1.Deploy logging v3.7 stacks with this parameter specified in inventory file:
openshift_logging_elasticsearch_kibana_index_mode=shared_ops
2.Login kibana with both cluster-admin or ordinary users
3.Try to save a query, visulization or dashboard

Actual results:
Get error: Discover: Request to Elasticsearch failed: "[security_exception] no permissions for indices:data/write/index"

Expected results:
query, visulization or dashboard should be saved successfully

Additional info:
Error screenshot attached

Comment 1 Jeff Cantrill 2017-09-18 13:16:47 UTC

Will be fixed by:

https://github.com/openshift/origin-aggregated-logging/pull/641

Comment 2 Xia Zhao 2017-09-25 09:29:18 UTC

Reproduced on openshift v3.7.0-0.126.6, ansible version: openshift-ansible-playbooks-3.7.0-0.126.6.git.0.a60fe67.el7.noarch

logging images tested with:
${brew_registry}/openshift3/logging-kibana          v3.7                8a8d97e2e52d        3 days ago          618 MB
${brew_registry}/openshift3/logging-elasticsearch   v3.7                f02ad2ceb2fe        3 days ago          438.1 MB
${brew_registry}/openshift3/logging-fluentd         v3.7                e51eed14dd9a        3 days ago          235.1 MB
${brew_registry}/openshift3/logging-auth-proxy      v3.7                8b446c84fceb        3 days ago          218.2 MB
${brew_registry}/openshift3/logging-curator         v3.7                5775172f7c24        3 days ago          222.3 MB

Comment 3 Xia Zhao 2017-09-25 09:32:51 UTC

Issue was even reproduced on unique mode with Comment #2.

Comment 5 Anping Li 2017-10-11 05:19:10 UTC

The index can be saved with v3.7.0-0.143.1.1. so move to verified.

Comment 6 Peter Portante 2017-10-12 22:38:44 UTC

We are seeing this same problem on starter-ca-central-1 today, oc version v3.6.173.0.7, logging version v3.6.173.0.37.

Comment 7 Junqi Zhao 2017-10-26 05:50:10 UTC

Tested with images from stage repo,  searches, visulizations and dashboards could be saved in shared_ops mode.
See the attached picture, take save searches for example, there have 3 saved searches, and load these searches could get correct result, no error is found.

env:
openshift v3.6.173.0.59


rpm -qa | grep openshift-ansible*
openshift-ansible-docs-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-lookup-plugins-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-callback-plugins-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-roles-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-filter-plugins-3.6.173.0.59-1.git.0.0e31372.el7.noarch
openshift-ansible-playbooks-3.6.173.0.59-1.git.0.0e31372.el7.noarch

Images:
logging-curator-v3.6.173.0.49-4
logging-elasticsearch-v3.6.173.0.49-5
logging-fluentd-v3.6.173.0.49-4
logging-fluentd-v3.6.173.0.49-4
logging-kibana-v3.6.173.0.49-5

Comment 8 Junqi Zhao 2017-10-26 05:51:43 UTC

Created attachment 1343542 [details]
searches could be saved and loaded

Comment 9 Peter Portante 2017-10-26 10:54:23 UTC

Should we only verify this against 3.7 images?

Comment 10 Peter Portante 2017-10-26 11:16:00 UTC

Was this an install of 3.6 using openshift-ansible 3.6.173.0.59, but all image versions of OCP and Logging at 3.6.173.0.49?

Comment 12 Junqi Zhao 2017-10-27 00:45:11 UTC

Change logging Images in Comment 7 to:
logging-auth-proxy-v3.6.173.0.49-4
logging-curator-v3.6.173.0.49-4
logging-elasticsearch-v3.6.173.0.49-5
logging-fluentd-v3.6.173.0.49-4
logging-kibana-v3.6.173.0.49-5

Comment 19 errata-xmlrpc 2017-11-28 22:11:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.