Bug 1731006 - Prometheus metrics for ES are unavailable after plugin update to
Summary: Prometheus metrics for ES are unavailable after plugin update to
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.z
Assignee: Jeff Cantrill
QA Contact: Anping Li
Depends On: 1729297
Blocks: 1728856
TreeView+ depends on / blocked
Reported: 2019-07-18 06:36 UTC by Jeff Cantrill
Modified: 2020-01-27 13:56 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The authentication class is instantiated multiple times with and without the desired configuration Consequence: User's are denied access to metrics Fix: Add SAR config to the authentication_backend Result: Multi-tenant plugin executes SARs and allows access to metrics
Clone Of: 1729297
Last Closed: 2019-07-31 02:44:57 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Github openshift origin-aggregated-logging pull 1697 'None' closed [release-4.1] Bug 1731006: Add authentication config to properly check SAR for addi… 2020-01-27 13:55:34 UTC
Red Hat Product Errata RHBA-2019:1866 None None None 2019-07-31 02:45:00 UTC

Description Jeff Cantrill 2019-07-18 06:36:48 UTC
+++ This bug was initially created as a clone of Bug #1729297 +++

+++ This bug was initially created as a clone of Bug #1728856 +++

Description of problem:
Updating to the latest version of the multi-tenant plugin blocks viewing by metrics unless you have cluster admin rights

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Deploy logging
2. Set up an SA that can scrape metrics
3. curl -kv -H"Authorization: Bearer $(oc serviceaccounts get-token metrics-test)"

Actual results: 403

Expected results: 200

Additional info: https://github.com/openshift/origin-aggregated-logging/issues/1686

Comment 2 Anping Li 2019-07-25 05:01:42 UTC
The sa prometheus-k8s can fetch metrics from es. 
sh-4.2# curl -k -H "Authorization: Bearer $token" -H "Content-type: application/json"
# HELP es_index_segments_memory_bytes Memory used by segments
# TYPE es_index_segments_memory_bytes gauge
es_index_segments_memory_bytes{cluster="elasticsearch",type="points",index=".kibana",context="total",} 0.0
es_index_segments_memory_bytes{cluster="elasticsearch",type="norms",index=".operations.2019.07.25",context="primaries",} 47552.0
es_index_segments_memory_bytes{cluster="elasticsearch",type="indexwriter",index=".kibana",context="primaries",} 0.0
es_index_segments_memory_bytes{cluster="elasticsearch",type="docvalues",index=".searchguard",context="primaries",} 636.0
es_index_segments_memory_bytes{cluster="elasticsearch",type="termvectors",index=".kibana",context="total",} 0.0
es_index_segments_memory_bytes{cluster="elasticsearch",type="versionmap",index=".operations.2019.07.25",context="total",} 63240.0
es_index_segments_memory_bytes{cluster="elasticsearch",type="terms",index=".operations.2019.07.25",context="primaries",} 537727.0

Comment 4 Anping Li 2019-07-30 03:01:00 UTC
Also verified using registry.redhat.io/openshift4/ose-logging-elasticsearch5:v4.1.4-201906271212.

Comment 6 errata-xmlrpc 2019-07-31 02:44:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.