Description of problem:
In https://docs.openshift.com/container-platform/3.7/install_config/aggregate_logging.html, it introduces the inventory variable openshift_logging_es_ops_allow_cluster_reader -- "Set to true if cluster-reader role is allowed to read operation logs." When I set this variable to true, after logging is deployed I found that openshift.operations.allow_cluster_reader is false in the logging-elasticsearch-ops configmap. It seems openshift_logging_es_ops_allow_cluster_reader wasn't mapped to openshift_logging_elasticsearch_ops_allow_cluster_reader in roles/openshift_logging.

Another issue is that when openshift.operations.allow_cluster_reader is false, users with the cluster-reader role can still view the .operations index.

Version-Release number of selected component (if applicable):
openshift-ansible-3.7.14-1.git.0.4b35b2d.el7.noarch
openshift:v3.7.22

How reproducible:
always

Steps to Reproduce:
1. Deploy logging with the following inventory variables:
   openshift_logging_install_logging=true
   openshift_logging_use_ops=true
   openshift_logging_es_ops_allow_cluster_reader=true
2. Check the configmap:
   # oc get configmap logging-elasticsearch-ops -o yaml |grep reader
3. Log in as a cluster-reader user in kibana-ops

Actual results:
Step 2:
   # oc get configmap logging-elasticsearch -o yaml |grep reader
   openshift.operations.allow_cluster_reader: false
Step 3: the cluster-reader can view .operations logs in kibana

Expected results:
openshift-ansible can use openshift_logging_es_ops_allow_cluster_reader to enable/disable cluster reader.
cluster-reader user couldn't view .operations logs when allow_cluster_reader: false

Additional info:
I believe this setting is no longer relevant and should be removed. Can you please verify that someone with cluster-reader access is able to view operational logs? The permission is granted based upon the SAR [1], which is who can 'get pod logs' in all namespaces.

[1] https://github.com/fabric8io/openshift-elasticsearch-plugin/blob/master/src/main/java/io/fabric8/elasticsearch/util/RequestUtils.java#L82
Jeff, agree to remove this option. The cluster-reader role can access the .operations index no matter what openshift.operations.allow_cluster_reader is.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0636