Bug 1512495
| Summary: | [3.6.1]some indices name miss in kibana | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Anping Li <anli> | ||||
| Component: | Logging | Assignee: | Rich Megginson <rmeggins> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Anping Li <anli> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 3.6.1 | CC: | aos-bugs, bleanhar, jcantril, juzhao, pweil, rmeggins, stwalter, wsun | ||||
| Target Milestone: | --- | Keywords: | Regression | ||||
| Target Release: | 3.6.z | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: |
Cause: The multi tenancy plugin in Elasticsearch was inadvertently changed, while fixing another bug, not to look up projects for the user upon every login.
Consequence: The list of projects was not displayed properly.
Fix: The multi tenancy plugin in Elasticsearch was changed back to look up projects for the user upon every login
Result: The list of projects is displayed properly.
|
Story Points: | --- | ||||
| Clone Of: | 1511432 | Environment: | |||||
| Last Closed: | 2018-06-01 17:32:04 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1511432, 1530866 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Comment 2
Rich Megginson
2017-11-13 19:48:50 UTC
@Rich, it is not a test block. We can continue following https://bugzilla.redhat.com/show_bug.cgi?id=1511432#c15. It should be a regression bug expect for we don't suggest logging in in using kibana route. The issue exists in logging-elasticsearch:v3.6.173.0.63, logging-kibana: v3.6.173.0.63,logging-fluentd:v3.6.173.0.63 user can see the project indices by using workaround https://bugzilla.redhat.com/show_bug.cgi?id=1511432#c15 But if there are a lot of projects, it will make customers disappointed if we let customers do the workaround manually Tested with v3.6.173.0.78-1 logging images, these images contain the fix of https://bugzilla.redhat.com/show_bug.cgi?id=1510118 (MBARGOED CVE-2017-12195 security: OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes [openshift-enterprise-3.6]) project indices could be found in kibana UI, see the attached file Created attachment 1357322 [details]
project indices could be found on kibana UI.
What permissions are required for the workaround in #c15 of parent bug: https://bugzilla.redhat.com/show_bug.cgi?id=1511432 ? I created 2 users, "biguser" and "littleuser". I gave "admin" role to "biguser" and "view" role to "littleuser" and neither were able to configure the pattern "project.*". I had assumed they would be able to see the pattern but only projects they have access to would work. Giving cluster-admin to biguser allows it to see project.*, of course. Is there another workaround for non-cluster-admin users? For context, customer was trying to use project.* to workaround another issue where when trying to look at individual project index they get messages like: As a cluster-admin: Discover: "project.example.4e03e3cb-f0c2-11e7-9a3d-001a4aa86606.*" is not a configured pattern. Using the default index pattern: ".all" I do still see log data. An unprivileged user sees this: Discover: "project.example.4e03e3cb-f0c2-11e7-9a3d-001a4aa86606.*" is not a configured pattern. Using the default index pattern: "project.empty-project.*" They do not see any log data. I put this here instead of parent bug because it is 3.6 The issue wasn't in 3.6.173.0.96 which will be release soon. Moving this to 'ON_QA' based on c#9 |