Bug 1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging (Show other bugs)
Version: 3.6.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.6.z
Assigned To: Jeff Cantrill
QA Contact: Anping Li
Keywords: Reopened
Depends On:
Blocks:
Reported: 2017-09-21 15:31 EDT by Nick Schuetz
Modified: 2018-01-03 23:35 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: openshift-elasticsearch-plugin was creating ACL roles based on the provided name, which could include slashes and commas.
Consequence: This caused the dependent lib to not properly evaluate roles.
Fix: Hash the name when creating ACL roles so they no longer contain the invalid characters.
Result: AD users can use Kibana and logging.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-07 02:11:23 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Github openshift/openshift-elasticsearch-plugin/pull/108 None None None 2017-10-10 11:45 EDT
Github openshift/origin-aggregated-logging/pull/741 None None None 2017-10-23 18:04 EDT
Github openshift/origin-aggregated-logging/pull/750 None None None 2017-10-27 10:57 EDT
Red Hat Product Errata RHSA-2017:3389 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update 2017-12-07 07:09:10 EST

Description Nick Schuetz 2017-09-21 15:31:10 EDT
Description of problem:

If a user has a username/identity as an LDAP distinguished name, fluentd is unable to authenticate and push its logs into Elasticsearch.

Version-Release number of selected component (if applicable):

OCP 3.6

How reproducible:

Always

Steps to Reproduce:
1. Create an LDAP identity provider in OpenShift that pulls a username with a long DN like: "CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com"
2. Log in to OpenShift, create a project with an app that logs.
3. Click on View Archive

Actual results:

Kibana throws the following error:

Discover: "project.shaun.xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx.*' is not a configured pattern.  Using the default index pattern: "project..empty-project.*"
Discover: [exception] The index 'project..empty-project.*' was not found.  This could mean data has not been yet collected.

No logs get injected into Elastic Search.

Expected results:

Kibana shows application logs.

Additional info:
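The Cause and Fix from the Doc Text, as an added Python illustration that is not code from openshift-elasticsearch-plugin: the DN quoted in the report above becomes a role identifier containing commas and spaces, which a comma-separated role list cannot carry intact, whereas a hashed name survives. The `gen_user_` prefix, the unsafe-character set and the choice of SHA-256 are assumptions; the page does not state the plugin's actual rules or algorithm.

```python
import hashlib
import re

# Constructed sample usernames. The DN is the one quoted in the bug report;
# the second is an ordinary short username for comparison.
LDAP_DN_USER = "CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com"
PLAIN_USER = "jdoe"

# Characters treated as unsafe in a role identifier for this illustration:
# comma (role-list separator), slash (path separator) and whitespace.
# Assumption: the page does not state the plugin's exact character rules.
UNSAFE_ROLE_CHARS = re.compile(r"[,/\s]")


def naive_role_name(username: str) -> str:
    """'Before' behaviour: build the per-user ACL role straight from the username."""
    return "gen_user_" + username


def hashed_role_name(username: str) -> str:
    """'After' behaviour: build the role from a hash of the username, so the
    role identifier never carries the DN's commas, slashes or spaces.
    Assumption: SHA-256 hex digest; the page does not state the algorithm used."""
    return "gen_user_" + hashlib.sha256(username.encode("utf-8")).hexdigest()


def is_safe_role_name(role: str) -> bool:
    """True if the role identifier contains none of the unsafe characters."""
    return UNSAFE_ROLE_CHARS.search(role) is None


def parse_role_list(serialized: str) -> list:
    """Model of a dependent library parsing a comma-separated role list."""
    return [part for part in serialized.split(",") if part]


def role_round_trips(role: str) -> bool:
    """Check that serialising the role into a role list and parsing it back
    yields the same single role; a DN-derived role fails this check."""
    return parse_role_list(role) == [role]


if __name__ == "__main__":
    for user in (PLAIN_USER, LDAP_DN_USER):
        for builder in (naive_role_name, hashed_role_name):
            role = builder(user)
            print(f"{builder.__name__:17} safe={is_safe_role_name(role)!s:5} "
                  f"round_trips={role_round_trips(role)!s:5} {role}")
```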
Comment 1 Jeff Cantrill 2017-09-21 18:41:20 EDT
The results provided are not necessarily related to the title of the issue.  'Empty project' is just a placeholder that no data has been collected for your index.  We really need additional information to determine the issue.  I suggest running [1] and attaching the output.

Also, can you provide the steps you used to identify the issue?  Did you in fact enter a user name of 'CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com' in the openshift login page?  This seems unmanageable from the user's perspective.

[1]https://github.com/openshift/origin-aggregated-logging/blob/master/hack/logging-dump.sh
Comment 3 Nick Schuetz 2017-09-21 20:12:19 EDT
The username we entered was the CN alone. However, when doing an `oc whoami` it presented the full distinguished name. So did the output of `oc get names` and `oc get identity`. It was also displayed in the WebUI when doing a logout operation.
Comment 6 Jeff Cantrill 2017-10-06 11:04:02 EDT

*** This bug has been marked as a duplicate of bug 1456584 ***
Comment 7 Jeff Cantrill 2017-10-06 15:30:38 EDT
Reopening as the dup is the wrong issue
Comment 8 openshift-github-bot 2017-10-25 13:05:39 EDT
Commits pushed to master at https://github.com/openshift/origin-aggregated-logging

https://github.com/openshift/origin-aggregated-logging/commit/ef7a1f568f31f89c64a67a7b41fb09b9efbf08c7
bump openshift-elasticsearch-plugin to 2.4.4.16 to fix:
bug 1494239. fix handling of ldap names for username
bug 1456584. fix handling of active directory username
remove non-ops 'all' alias

https://github.com/openshift/origin-aggregated-logging/commit/a45858e52fabca8e805631851174a8cec63b43ca
Merge pull request #741 from jcantrill/plugin_bump_24416

Automatic merge from submit-queue.

bump openshift-elasticsearch-plugin to 2.4.4.16 to fix

bug 1494239. fix handling of ldap names for username
bug 1456584. fix handling of active directory username
remove non-ops 'all' alias
Comment 10 Anping Li 2017-11-06 22:03:28 EST
@Samuel,
The bug target is v3.6, Could you move the bug to v3.6 errata?
Comment 13 Anping Li 2017-11-14 04:54:05 EST
QE couldn't reproduce this issue, so regression tests have been executed. The tests pass on both OpenLDAP and Active Directory LDAP, so moving the bug to verified.

Test version: 
logging-elasticsearch/images/3.6.173.0.63-10
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-1.el7.noarch
Comment 16 errata-xmlrpc 2017-12-07 02:11:23 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3389
