1533386 – openshift_logging_es_ops_allow_cluster_reader doesn't work

Bug 1533386 - openshift_logging_es_ops_allow_cluster_reader doesn't work

Summary: openshift_logging_es_ops_allow_cluster_reader doesn't work

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Logging
Sub Component:
Version:	3.7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.7.z
Assignee:	Jeff Cantrill
QA Contact:	Anping Li
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-11 08:54 UTC by Anping Li
Modified:	2018-04-05 09:35 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2018-04-05 09:35:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0636	0	None	None	None	2018-04-05 09:35:55 UTC

Description Anping Li 2018-01-11 08:54:20 UTC

Description of problem:
In https://docs.openshift.com/container-platform/3.7/install_config/aggregate_logging.html. it introduce the inventory variable openshift_logging_es_ops_allow_cluster_reader -- Set to true if cluster-reader role is allowed to read operation logs.  

When I set this variable to ture. After logging is deployed. I found the openshift.operations.allow_cluster_reader is false in logging-elasticsearch-ops configmap. It seems openshift_logging_es_ops_allow_cluster_reader wasn't mapped with openshift_logging_elasticsearch_ops_allow_cluster_reader in roles/openshift_logging.

Another issue is that when openshift.operations.allow_cluster_reader is false,  the cluseter-reader roles  user still can view .operations index. 


Version-Release number of selected component (if applicable):
openshift-ansible-3.7.14-1.git.0.4b35b2d.el7.noarch
openshift:v3.7.22

How reproducible:
always

Steps to Reproduce:
1. deploy loggging with the following inventory variables
openshift_logging_install_logging=true
openshift_logging_use_ops=true
openshift_logging_es_ops_allow_cluster_reader=true

2. Check the configmap
# oc get configmap logging-elasticsearch-ops -o yaml |grep reader

3. Login in as a cluster-reader users in kibana-ops

Actual results:

Step 2: 
# oc get configmap logging-elasticsearch -o yaml |grep reader
    openshift.operations.allow_cluster_reader: false

Step 3: the cluster-reader can view .operations logs in kibana



Expected results:

openshift-ansible can use openshift_logging_es_ops_allow_cluster_reader to enable/disable cluster reader.

cluster-reader user couldn't view .operations logs when allow_cluster_reader: false



Additional info:

Comment 1 Jeff Cantrill 2018-01-16 16:26:06 UTC

I believe this setting is no longer relevant and should be removed.  Can you please verify someone with cluster-reader access is able to view operational logs?  The permission is granted based upon the SAR[1] which is who can 'get pod logs' in all namespaces

[1] https://github.com/fabric8io/openshift-elasticsearch-plugin/blob/master/src/main/java/io/fabric8/elasticsearch/util/RequestUtils.java#L82

Comment 2 Anping Li 2018-01-17 07:57:02 UTC

Jeff, 
Agree to remove this options. For the cluster-read role can access the .operations index no matter what openshift.operations.allow_cluster_reader is.

Comment 6 errata-xmlrpc 2018-04-05 09:35:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0636

Note You need to log in before you can comment on or make changes to this bug.