Description of problem:
I thought initially I should have the "cluster-admin" or "cluster-reader" role if I want to access elasticsearch after reading reference.
But it's not true.
If you have any role which has the 'get' verb on the 'pods/log' resource, you can access elasticsearch directly without any restrictions.
I don't know what the differences are between the "view" and "cluster-reader" roles when accessing elasticsearch.
 Allowing cluster-reader to view operations logs
Version-Release number of selected component (if applicable):
features: Basic-Auth GSSAPI Kerberos SPNEGO
* Aggregated Logging
* Create the serviceaccount and add the "view" role or any role including the following rules.
openshift.io/description: Access to elasticsearch
# oc create sa testsa
# oc adm policy add-cluster-role-to-user view -z testsa
* And you can test with the curl command as follows.
# curl -sk -H "Authorization: Bearer $(oc sa get-token testsa)" -H "X-Forwarded-For: 127.0.0.1" 'https://elasticsearch-route.app.example.com/_search?q=*&pretty'
Steps to Reproduce:
You can search any logs if you have roles that have the 'get' verb in 'pods/log' resource rules.
We cannot access elasticsearch without cluster-admin or cluster-reader roles.
We need more specific information about OpenShift-based roles for controlling access to elasticsearch from external sources.
Sounds like you are describing logging is functioning as designed. Users with a 'cluster-reader' role or who can see the infra namespaces (e.g. default, logging) are able to see logs from the entire cluster. Users who can 'get pod logs' are able to see only the logs in their namespaces.
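
To see which roles meet the "'get' on 'pods/log'" condition this report turns on, the following added example (not part of the original report or of OpenShift) audits a role list shaped like the items of `oc get clusterroles -o json`. The role names and rules in the sample are constructed, and the matching goes beyond the literal `pods/log` entry to cover the RBAC wildcard forms (`*` and `*/log`).

```python
import json

# Constructed sample, shaped like the "items" of `oc get clusterroles -o json`.
SAMPLE = json.loads("""
[
 {"metadata": {"name": "view-like"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
             "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "pods-only"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"metadata": {"name": "admin-like"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "any-log"},
  "rules": [{"apiGroups": [""], "resources": ["*/log"], "verbs": ["get"]}]},
 {"metadata": {"name": "log-list-only"},
  "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["list"]}]},
 {"metadata": {"name": "wrong-group"},
  "rules": [{"apiGroups": ["apps"], "resources": ["pods/log"], "verbs": ["get"]}]},
 {"metadata": {"name": "healthz-only"},
  "rules": [{"nonResourceURLs": ["/healthz"], "verbs": ["get"]}]},
 {"metadata": {"name": "empty-aggregate"}, "rules": null}
]
""")

def rule_allows_pod_log_get(rule):
    """True if one RBAC rule permits `get` on core-group `pods/log`."""
    verbs = rule.get("verbs") or []
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []   # absent on nonResourceURLs rules
    verb_ok = "*" in verbs or "get" in verbs
    group_ok = "*" in groups or "" in groups  # pods live in the core ("") group
    # A bare "pods" entry does not cover the "log" subresource.
    res_ok = any(r in ("*", "pods/log", "*/log") for r in resources)
    return verb_ok and group_ok and res_ok

def roles_granting_pod_logs(roles):
    """Names of roles with at least one rule granting get on pods/log."""
    return sorted(
        r["metadata"]["name"] for r in roles
        if any(rule_allows_pod_log_get(rule) for rule in (r.get("rules") or []))
    )

if __name__ == "__main__":
    for name in roles_granting_pod_logs(SAMPLE):
        print(name)
```

Roles flagged here still need to be cross-checked against their bindings to know which users and service accounts actually hold them.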