Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1722218

Summary: No index-level perm match for User
Product: OpenShift Container Platform Reporter: Steven Walter <stwalter>
Component: LoggingAssignee: Jeff Cantrill <jcantril>
Status: CLOSED DUPLICATE QA Contact: Anping Li <anli>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.11.0CC: aos-bugs, jcantril, jmalde, rmeggins
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-02 20:31:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steven Walter 2019-06-19 17:52:52 UTC 
Description of problem:
Kibana shows 504 gateway timeout for some users. It appears to affect users with access to multiple projects (like 50+), and only users who are not cluster-admin

Looking at ES logs we see permission-level issues

Version-Release number of selected component (if applicable):
        image: registry.access.redhat.com/openshift3/ose-logging-elasticsearch5:v3.11.98

Actual results:

[2019-06-17T19:16:48,113][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=EXAMPLE, roles=[gen_kibana_a5a035838735c80a0a3509bcca1a95e3a8b46229, gen_user_a5a035838735c80a0a3509bcca1a95e3a8b46229]] [IndexType [index=.kibana.a5a035838735c80a0a3509bcca1a95e3a8b46229, type=*]] [Action [[indices:data/read/search]]] [RolesChecked []]
[2019-06-17T19:16:48,113][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}
[2019-06-17T19:20:32,368][ERROR][i.f.e.p.a.DynamicACLFilter] Error handling request
org.elasticsearch.ElasticsearchException: [.kibana.a5a035838735c80a0a3509bcca1a95e3a8b46229/8zuilgwOS_-szXzpE3fztg][[.kibana.a5a035838735c80a0a3509bcca1a95e3a8b46229][0]] VersionConflictEngineException[[config][5.6.13]: version conflict, document already exists (current version [1])]


Additional info:
ES is well sized (32Gb mem), i/o is adequate, doesnt appear to be a performance problem

Customer tried deleting the user's .kibana index and the user cleared cache and cookies and tried again, same issue
Comment 5 Jeff Cantrill 2019-06-21 14:36:43 UTC 
Possibly a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1705589
Comment 7 Jeff Cantrill 2019-07-02 20:31:11 UTC 

*** This bug has been marked as a duplicate of bug 1726433 ***