Bug 1567812 - Cluster role "view" allows direct accesses to elasticsearch on the aggregated logging
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.7.0
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Jeff Cantrill
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-16 09:08 UTC by Daein Park
Modified: 2018-04-16 13:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-16 13:07:34 UTC
Target Upstream Version:
Embargoed:



Description Daein Park 2018-04-16 09:08:02 UTC
Description of problem:

Initially I thought I should have the "cluster-admin" or "cluster-reader" role if I want to access elasticsearch, after reading the [0] reference.

But that is not true.
If you have any role which has the 'get' verb on the 'pods/log' resource, you can access elasticsearch directly without any restrictions.
I don't know what the differences are between the "view" and "cluster-reader" roles when accessing elasticsearch.

[0] Allowing cluster-reader to view operations logs
[https://docs.openshift.com/container-platform/3.7/install_config/aggregate_logging.html#aggregated-elasticsearch]

Version-Release number of selected component (if applicable):

* OCP
oc v3.7.23
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://lb0h.ocp37.host.local:8443
openshift v3.7.23
kubernetes v1.7.6+a08f5eeb62

* Aggregated Logging
Kibana: 4.6.4
Elasticsearch: 2.4.4


How reproducible:
* Create the service account and add the "view" role, or any role including the following rules.

~~~
apiVersion: v1
kind: ClusterRole
metadata:
  annotations:
    openshift.io/description: Access to elasticsearch
    openshift.io/reconcile-protect: "false"
  creationTimestamp: null
  name: getlogs
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - pods/log
  verbs:
  - get
~~~

e.g.:
# oc create sa testsa
# oc adm policy add-cluster-role-to-user view -z testsa

* And you can test with the curl command as follows.
# curl -sk -H "Authorization: Bearer $(oc sa get-token testsa)"  -H "X-Forwarded-For: 127.0.0.1" 'https://elasticsearch-route.app.example.com/_search?q=*&pretty'



Steps to Reproduce:
1.
2.
3.

Actual results:
You can search any logs if you have a role whose rules have the 'get' verb on the 'pods/log' resource.


Expected results:
We cannot access elasticsearch without the cluster-admin or cluster-reader roles.

Additional info:
We need more specific information on OpenShift-based roles for controlling access to elasticsearch from external sources.

Comment 1 Jeff Cantrill 2018-04-16 13:07:34 UTC
It sounds like you are describing logging functioning as designed.  Users with a 'cluster-reader' role or who can see the infra namespaces (e.g. default, logging) are able to see logs from the entire cluster.  Users who can 'get pod logs' are able to see only the logs in their namespaces.
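An added example, not code from this bug report or from the OpenShift logging project: a Python model of the rule stated in Comment 1. Cluster-reader, or `get pods/log` in an infra namespace such as default or logging, yields cluster-wide log access; `get pods/log` anywhere else yields only that namespace's indices. Under that rule the report's `add-cluster-role-to-user view` binding is cluster-wide, so it covers the infra namespaces and the service account sees everything, whereas the same `view` role bound inside one ordinary project does not. The index naming (project.<namespace>.<uid>.<date> and .operations.<date>), the set of infra namespaces, the list of roles that grant get on pods/log, the subjects alice and bob, the project name myproject and the index names are all assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumption: the namespaces Comment 1 calls "infra" (it names default and logging).
INFRA_NAMESPACES = frozenset({"default", "logging"})
# Assumption: roles whose rules include `get` on pods/log. view/edit/admin are the
# default OpenShift roles; getlogs is the custom ClusterRole from the report.
ROLES_WITH_POD_LOGS = frozenset({"view", "edit", "admin", "getlogs"})


@dataclass(frozen=True)
class Binding:
    """One role binding. namespace=None models a ClusterRoleBinding, which is what
    `oc adm policy add-cluster-role-to-user view -z testsa` creates."""
    role: str
    subject: str
    namespace: Optional[str] = None


@dataclass
class LogAccess:
    cluster_reader: bool = False
    all_namespaces: bool = False                        # pods/log readable everywhere
    namespaces: Set[str] = field(default_factory=set)   # pods/log readable here only

    def sees_whole_cluster(self) -> bool:
        """Comment 1's rule: cluster-reader, or being able to see an infra namespace,
        is enough to read every project's logs plus the operations logs."""
        return (self.cluster_reader or self.all_namespaces
                or bool(self.namespaces & INFRA_NAMESPACES))


def log_access(subject: str, bindings: List[Binding]) -> LogAccess:
    """Collapse a subject's bindings into the inputs the log-access rule needs."""
    acc = LogAccess()
    for b in bindings:
        if b.subject != subject:
            continue
        if b.role == "cluster-reader" and b.namespace is None:
            acc.cluster_reader = True
        elif b.role in ROLES_WITH_POD_LOGS:
            if b.namespace is None:
                acc.all_namespaces = True
            else:
                acc.namespaces.add(b.namespace)
    return acc


def allowed_index_patterns(acc: LogAccess) -> Set[str]:
    """Elasticsearch index patterns the subject may search. Assumption: OCP 3.x
    index naming, project.<namespace>.<uid>.<date> and .operations.<date>."""
    if acc.sees_whole_cluster():
        return {"project.*", ".operations.*"}
    return {f"project.{ns}.*" for ns in acc.namespaces}


def can_search(acc: LogAccess, index: str) -> bool:
    """True if the index name matches any pattern the subject is allowed."""
    return any(fnmatch.fnmatchcase(index, p) for p in allowed_index_patterns(acc))


# Constructed bindings: the report's service account with cluster-wide view, a user
# with view in one ordinary project, and a user holding only the custom getlogs
# role, but in the infra namespace `default`.
BINDINGS = [
    Binding("view", "system:serviceaccount:myproject:testsa"),
    Binding("view", "alice", namespace="myproject"),
    Binding("getlogs", "bob", namespace="default"),
]

# Constructed index names in the assumed OCP 3.x layout.
INDICES = [
    "project.myproject.0b1c2d3e.2018.04.16",
    "project.otherproject.4f5a6b7c.2018.04.16",
    ".operations.2018.04.16",
]


def report(bindings=BINDINGS, indices=INDICES):
    """Map each bound subject to the indices it can search; for testsa this is
    what the report's `_search?q=*` curl exercises."""
    subjects = sorted({b.subject for b in bindings})
    return {s: [i for i in indices if can_search(log_access(s, bindings), i)]
            for s in subjects}


if __name__ == "__main__":
    for subject, visible in report().items():
        print(f"{subject}: {visible or 'no log access'}")
```

The practical check this encodes: before treating `view` as "read-only within a project", audit where it is bound. A ClusterRoleBinding of `view`, or a namespaced binding in default or logging, is cluster-wide log access under this rule, so it deserves the same review as cluster-reader.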

