Description of problem: The logout function doesn't work properly in Kibana. After the user is logged out from the Kibana dashboard, user will be able to login again in the new tab again without having to put in the login credentials. Version-Release number of selected component (if applicable): OpenShift version Server Version: 4.2.14 Kubernetes Version: v1.14.6+b294fe5 How reproducible: Always Steps to Reproduce: 1. Login to the kibana console 2. Logout from the kibana 3. Open the <Kibana route> again in the new tab of the browser, and you will be logged in automatically. Actual results: Kibana console is not asking for the Login credentials after logging out. Expected results: Kibana Console should ask for the login ID & password after logging out from a previous session. Additional info: 1] Kibana is installed with the EFK stack (Cluster Logging operator). 2] Customer has checked opening the kibana in browser's incogito window too but still they are able to open the kibana dashboard without entering the credentials. One more point in the Additional Info about the incognito window behavior: 3] It is not that when user log out from Kibana and try to access the same Kibana in incognito mode, we still get redirected. In that case, we are asked to enter the password. But when we log out from Kibana in an incognito browser and try to access Kibana in the same incognito browser, we can access the GUI even without login again. So basically we experience the same behavior either in a normal browser or incognito browser.
Hi, Can you please clarify on step 3? > Open the <Kibana route> again in the new tab of the browser, and you will be logged in automatically. Are you saying that the user is clicking the link to the Kibana route from the console? > In that case, we are asked to enter the password. But when we log out from Kibana in an incognito browser and try to access Kibana in the same incognito browser, we can access the GUI even without login again. This sounds like this is more related to the oauth proxy issue holding onto your credentials than something Logging specific.
(In reply to Vedanti Jaypurkar from comment #3) > Hello Team, > > Below are the outputs from the Customer: > 3) Type/paste the Kibana URL [1] in a new tab on the same browser. You will > still get the redirected to the Kibana console as an already logged user. A new tab or a new private/incognito tab? If they use a private or icognito tab and are able to login using a different user this indicates its a browser caching issue that can be resolved by the user clearing their browser cache
(In reply to Jeff Cantrill from comment #4) > (In reply to Vedanti Jaypurkar from comment #3) > > Hello Team, > > > > Below are the outputs from the Customer: > > > 3) Type/paste the Kibana URL [1] in a new tab on the same browser. You will > > still get the redirected to the Kibana console as an already logged user. > > A new tab or a new private/incognito tab? -- If they hit the kibana URL in the same browser window/session, just by opening the same kibana URL in the 'New Tab', then they are getting logged in the kibana console directly without needing to enter the credentials. If they use a private or icognito > tab and are able to login using a different user this indicates its a > browser caching issue that can be resolved by the user clearing their > browser cache -- When opened the kibana URL in a fresh private or incognito window, they are asked for the password/credential which is an obvious thing, but what they actually want is once they are in the new incognito window and again when they are opening a new tab in that same incognito window then they are able to log in without putting in the credentials. So they don't want this behavior. They want something like they should get asked for credentials whenever they are opening URL in the new TAB in the same browser session/window. So in a gist, in both the scenarios "In the normal browser window && in the incognito window", they should get asked for the Credentials when they are trying to open the kibana URL in the NEW TAB of the same browser session. Hope it is clear Best, Shivkumar Hello Jeff,
(In reply to ewolinet from comment #2) > Hi, > > Can you please clarify on step 3? > > > Open the <Kibana route> again in the new tab of the browser, and you will be logged in automatically. > > Are you saying that the user is clicking the link to the Kibana route from > the console? -- Not from the console exactly, I was saying here when he hits the URL in the new tab of the browser window where in he was already logged into the kibana. And he opened the new tab and hit the URL in that same window, so CU wants to get asked for credentails when he is opening the kibana URL in the new tab. > > > > In that case, we are asked to enter the password. But when we log out from Kibana in an incognito browser and try to access Kibana in the same incognito browser, we can access the GUI even without login again. > > This sounds like this is more related to the oauth proxy issue holding onto > your credentials than something Logging specific. -- I have briefed to this query in #5, please check.
Since Kibana uses an annotation to redirect to the OCP cluster's oauth, the customer will need to adjust the session expiration for their cluster's oauth client. The default is 24 hours: https://docs.openshift.com/container-platform/4.1/authentication/configuring-internal-oauth.html#oauth-configuring-internal-oauth_configuring-internal-oauth
Test follow Comments 3, 21, 34. The user can logout as expected. Case 1: User can login out Kibana 1) Login Kibana as LDAP user 2) Log out Kibana 3) Login Kibana in a new Tab Result: Redirected to the OAuth console. Users need to select the OAuth type and log in again. case 2: User can log in out Kibana 1) Login kibana as an github idp user 2) Log out kibana 3) Login kibana in a new Tab Result: Redirected to the Kibana console. Users need to select the OAuth type and auto-login. Case 3: Only logout Kibana 1) Login Kibana as LDAP user 2) Login console as LDAP user 3) Logout Kibana Result: Console wasn't logout. 4) Logout console Result: Kibana wasn't logout.
*** Bug 1847949 has been marked as a duplicate of this bug. ***
(In reply to Anping Li from comment #37) > As kubeadmin is a very special user, file a new bug to trace comment 35. > https://bugzilla.redhat.com/show_bug.cgi?id=1847949 From logging perspective, kubeadmin is no different then any other user; logging only relies on bearer tokens provided by making calls to the api server and the oauth workflow. There is nothing logging can do to change how the token is acquired, expired or invalidated. If this is truly an issue with token expiration and not being asked for credentials again I would suggest opening an issue with the auth team to address though I think https://bugzilla.redhat.com/show_bug.cgi?id=1823305#c34 sums it up correctly and its working as expected.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2580
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days