Bug 1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.6.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.6.z
Assignee: Jeff Cantrill
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-09-21 19:31 UTC by Nick Schuetz
Modified: 2020-12-14 10:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: openshift-elasticsearch-plugin was creating ACL roles based on the provided name, which could include slashes and commas.
Consequence: This caused the dependent lib to not properly evaluate roles.
Fix: Hash the name when creating ACL roles so they no longer contain the invalid characters.
Result: AD users can use Kibana and logging.
Clone Of:
Environment:
Last Closed: 2017-12-07 07:11:23 UTC
Target Upstream Version:
Embargoed:
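The Doc Text above explains the fix only in one sentence, so here is an added Python sketch (not the plugin's own code, which is Java, and not the exact scheme the plugin uses) of why a role name built verbatim from an LDAP DN breaks a comma-separated role list, and how hashing the name gives a role that contains only safe characters. The `gen_user_` prefix, the SHA-1 digest, the allowed-character set and the second sample DN are assumptions made for the illustration.

```python
import hashlib
import re

# Allowed characters for an ACL role name in this sketch (assumption: the
# page only says that slashes and commas were the invalid characters).
SAFE_ROLE = re.compile(r"^[A-Za-z0-9_]+$")


def naive_role_name(username: str) -> str:
    """Role name built directly from the username: the behaviour the bug describes."""
    return "gen_user_" + username


def hashed_role_name(username: str) -> str:
    """Role name built from a hex digest of the username, so a DN containing
    commas, slashes or spaces still yields a name made only of [0-9a-f].
    The prefix and SHA-1 are assumptions; the page only says the name is hashed."""
    digest = hashlib.sha1(username.encode("utf-8")).hexdigest()
    return "gen_user_" + digest


def parse_role_list(roles_csv: str) -> list:
    """Split a comma-separated role list the way a simple config parser would."""
    return [r.strip() for r in roles_csv.split(",") if r.strip()]


def role_list_roundtrips(username: str, build) -> bool:
    """True if the role produced by `build` survives being written into a
    comma-separated role list next to another role and parsed back unchanged,
    and contains only characters from SAFE_ROLE."""
    role = build(username)
    expected = [role, "other_role"]  # "other_role" is a constructed neighbour
    parsed = parse_role_list(",".join(expected))
    return parsed == expected and SAFE_ROLE.match(role) is not None


# Constructed sample usernames: the DN from the bug's reproduction steps, and
# an assumed variant with a slash in an OU value.
DN_USER = "CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com"
DN_WITH_SLASH = "CN=jdoe,OU=DL/IT,DC=example,DC=com"

if __name__ == "__main__":
    for user in (DN_USER, DN_WITH_SLASH):
        for build in (naive_role_name, hashed_role_name):
            print(build.__name__, role_list_roundtrips(user, build), build(user))
```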




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift openshift-elasticsearch-plugin pull 108 | 0 | None | None | None | 2020-09-09 18:38:28 UTC
Github | openshift origin-aggregated-logging pull 741 | 0 | None | closed | bump openshift-elasticsearch-plugin to 2.4.4.16 to fix | 2020-09-09 18:38:29 UTC
Github | openshift origin-aggregated-logging pull 750 | 0 | None | closed | 24416 for 36 | 2020-09-09 18:38:28 UTC
Red Hat Product Errata | RHSA-2017:3389 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update | 2017-12-07 12:09:10 UTC

Description Nick Schuetz 2017-09-21 19:31:10 UTC
Description of problem:

If a user has a username/identity as an LDAP distinguished name, fluentd is unable to authenticate and push its logs into Elasticsearch.

Version-Release number of selected component (if applicable):

OCP 3.6

How reproducible:

Always

Steps to Reproduce:
1. Create an LDAP identity provider in OpenShift that pulls a username with a long DN like: "CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com"
2. Login to OpenShift, create a project with an app that logs.
3. Click on View Archive

Actual results:

Kibana throws the following error:

Discover: "project.shaun.xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx.*' is not a configured pattern.  Using the default index pattern: "project..empty-project.*"
Discover: [exception] The index 'project..empty-project.*' was not found.  This could mean data has not been yet collected.

No logs get injected into Elastic Search.

Expected results:

Kibana shows application logs.

Additional info:

Comment 1 Jeff Cantrill 2017-09-21 22:41:20 UTC
The results provided are not necessarily related to the title of the issue.  'Empty project' is just a placeholder that no data has been collected for your index.  We really need additional information to determine the issue.  I suggest running [1] and attaching the output.

Also, can you provide the steps you used to identify the issue?  Did you in fact enter a user name of 'CN=jdoe,OU=DL IT,OU=User Accounts,DC=example,DC=com' in the openshift login page?  This seems unmanageable from the user's perspective.

[1] https://github.com/openshift/origin-aggregated-logging/blob/master/hack/logging-dump.sh

Comment 3 Nick Schuetz 2017-09-22 00:12:19 UTC
The username we entered was the CN alone. However, when doing an `oc whoami` it presented the full distinguished name. So did the output of `oc get names` and `oc get identity`. It was also displayed in the WebUI when doing a logout operation.

Comment 6 Jeff Cantrill 2017-10-06 15:04:02 UTC

*** This bug has been marked as a duplicate of bug 1456584 ***

Comment 7 Jeff Cantrill 2017-10-06 19:30:38 UTC
Reopening as the dup is the wrong issue

Comment 8 openshift-github-bot 2017-10-25 17:05:39 UTC
Commits pushed to master at https://github.com/openshift/origin-aggregated-logging

https://github.com/openshift/origin-aggregated-logging/commit/ef7a1f568f31f89c64a67a7b41fb09b9efbf08c7
bump openshift-elasticsearch-plugin to 2.4.4.16 to fix:
bug 1494239. fix handling of ldap names for username
bug 1456584. fix handling of active directory username
remove non-ops 'all' alias

https://github.com/openshift/origin-aggregated-logging/commit/a45858e52fabca8e805631851174a8cec63b43ca
Merge pull request #741 from jcantrill/plugin_bump_24416

Automatic merge from submit-queue.

bump openshift-elasticsearch-plugin to 2.4.4.16 to fix

bug 1494239. fix handling of ldap names for username
bug 1456584. fix handling of active directory username
remove non-ops 'all' alias

Comment 10 Anping Li 2017-11-07 03:03:28 UTC
@Samuel,
The bug target is v3.6. Could you move the bug to the v3.6 errata?

Comment 13 Anping Li 2017-11-14 09:54:05 UTC
QE couldn't reproduce this issue, so regression tests have been executed.  The tests pass on both OpenLDAP and Active Directory LDAP, so the bug is moved to verified.

Test version:
logging-elasticsearch/images/3.6.173.0.63-10
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-1.el7.noarch

Comment 16 errata-xmlrpc 2017-12-07 07:11:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3389
