Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1637156

Summary: Configure logging for external log collector access - auth, searchguard
Product: OpenShift Container Platform Reporter: Rich Megginson <rmeggins>
Component: RFEAssignee: Jeff Cantrill <jcantril>
Status: CLOSED WONTFIX QA Contact: Xiaoli Tian <xtian>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.11.0CC: aos-bugs, jokerman, mmccomas, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-12 11:54:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1507407    

Description Rich Megginson 2018-10-08 19:07:47 UTC 
Copied from https://jira.coreos.com/browse/LOG-196

As a user of common logging, I want to be able to provide the authentication credentials which will be used by my log collectors to send logs to common logging.  I need to be able to

    pass certs, keys, and shared secrets securely
    configure common logging to use the CA certs I provide to authenticate the client cert auth users I will be using in my log collectors
    configure common logging to use the bearer tokens I will be using in my log collectors
    configure searchguard to allow the users I will be using in my log collectors to create and write to specified indices (e.g. project.foo., project.bar.), or patterns of indices (project.ovirt-*), or all indices (create and write to all indices - current fluentd user permissions)

I must be able to pass in secrets securely e.g. unencrypted keys must be protected e.g. ansible vault.  I must not be able to configure logging as an unauthenticated user - that is, we must prevent an attacker from being able to anonymously or using an unprivileged user configure logging to accept authentication which will allow the attacker create and write access to Elasticsearch.

For example, for client cert auth, I will pass in the CA cert file for the CA that issued the client cert; the username/subjectDN for the cert that will be used to authenticate; and a list of indices/index patterns/ALL.  Logging will be configured to allow client cert auth to Elasticsearch, and to allow the username/subjectDN to create and write the specified indices.

For token auth, I will pass in the username and a list of indices/index patterns/ALL.  Logging will be configured to accept bearer tokens and to allow a bearer token corresponding to the username to create and write the specified indices.

I should be able to pass in one or more users at a time - the interface should accept a list of auth objects.  Each auth object will contain the data necessary to configure that type of auth e.g. for client cert auth the auth object will contain the subjectDN/username and the indices/index patterns/ALL.  The CA cert is optional if the same CA was used to issue all of the cert used by Elasticsearch and the clients.  For token auth, the auth object will contain the username and the indices/index patterns/ALL.
Comment 1 Sandro Bonazzola 2018-12-03 08:45:39 UTC 
Any update?
Comment 4 Kirsten Newcomer 2019-06-12 11:54:24 UTC 
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progress within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new 

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.