
Bug 1867687

Summary: Changed location of some audit logs in 4.6
Product: OpenShift Container Platform
Reporter: Alan Conway <aconway>
Component: Logging
Assignee: Jeff Cantrill <jcantril>
Status: CLOSED ERRATA
QA Contact: Anping Li <anli>
Severity: urgent
Priority: urgent
Version: 4.6
CC: aos-bugs
Target Milestone: ---
Target Release: 4.6.0
Hardware: All
OS: All
Whiteboard: logging-core
Doc Type: No Doc Update
Type: Bug
Last Closed: 2020-10-27 15:09:55 UTC

Description Alan Conway 2020-08-10 14:20:11 UTC
Description of problem:

Location of some audit logs is changing in 4.6; logging needs to deal with the transition gracefully. See the mail below from the aos-devel list:

From: Stefan Schimanski <sttts>
Date: Aug 4, 2020, 5:09 AM
To: aos-devel, Boleslaw

Hi,

Since last week OpenShift master (4.6) has split apart oauth resources from openshift-apiserver into a new oauth-apiserver [2] component. All this is documented in the enhancement [5].

The change was done in order to allow the replacement of our oauth-server based (pretty minimally scoped) oauth implementation with other identity providers like Keycloak [1]. The integration of those is done via webhooks [3,4].

As soon as another identity provider is plugged in, oauth-apiserver gets disabled, i.e. its API groups are deactivated. These API groups are affected:

  oauth.openshift.io/v1
  user.openshift.io/v1

Note that from a user point of view these APIs behave exactly the same as before the introduction of oauth-apiserver.

The new oauth-apiserver is deployed technically in the same way as openshift-apiserver, sharing most of the deployment code. The responsible operator is cluster-authentication-operator (the one that also deploys oauth-server).

The architectural change will have consequences for other teams who depend on openshift-apiserver in ways other than just using the provided oauth and user API groups.

E.g. audit logs for those API groups go to /var/log/oauth-apiserver, not /var/log/openshift-apiserver anymore. If you integrate with those audit files, make sure oauth-apiserver's logs are also considered.

Best regards,
   Stefan

[1] https://github.com/keycloak/keycloak
[2] https://github.com/openshift/oauth-apiserver/
[3] https://github.com/openshift/api/blob/master/config/v1/types_authentication.go#L54
[4] https://github.com/openshift/enhancements/blob/master/enhancements/authentication/configuring-webhook-token-authenticators.md
[5] https://github.com/openshift/enhancements/blob/master/enhancements/authentication/separate-oauth-resources.md

Comment 3 Anping Li 2020-08-27 08:41:55 UTC
Verified on clusterlogging.4.6.0-202008262209.p0

#cat fluent.conf  |grep 'type tail' -A 3
  @type tail
  @id container-input
  path "/var/log/containers/*.log"
  exclude_path ["/var/log/containers/fluentd-*_openshift-logging_*.log", "/var/log/containers/elasticsearch-*_openshift-logging_*.log", "/var/log/containers/kibana-*_openshift-logging_*.log"]
--
  @type tail
  @id audit-input
  @label @INGRESS
  path "#{ENV['AUDIT_FILE'] || '/var/log/audit/audit.log'}"
--
  @type tail
  @id k8s-audit-input
  @label @INGRESS
  path "#{ENV['K8S_AUDIT_FILE'] || '/var/log/kube-apiserver/audit.log'}"
--
  @type tail
  @id openshift-audit-input
  @label @INGRESS
  path /var/log/oauth-apiserver/audit.log,/var/log/openshift-apiserver/audit.log
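
As an added check (not part of this bug or of the cluster-logging project), the snippet below parses the `@type tail` sources of a fluentd config, resolves the `#{ENV['X'] || 'default'}` interpolation the collector uses, and reports which required audit files are not tailed. The `<source>` blocks and the required-path list are constructed for the example; they mirror the 4.5-style and 4.6-style configs shown above.

```python
import re

# Constructed sample: audit tail sources before the 4.6 fix (openshift-apiserver only).
FLUENT_CONF_BEFORE = """
<source>
  @type tail
  @id k8s-audit-input
  @label @INGRESS
  path "#{ENV['K8S_AUDIT_FILE'] || '/var/log/kube-apiserver/audit.log'}"
</source>
<source>
  @type tail
  @id openshift-audit-input
  @label @INGRESS
  path /var/log/openshift-apiserver/audit.log
</source>
"""

# Constructed sample: the same config with the fixed, comma-separated path list.
FLUENT_CONF_AFTER = FLUENT_CONF_BEFORE.replace(
    "path /var/log/openshift-apiserver/audit.log",
    "path /var/log/oauth-apiserver/audit.log,/var/log/openshift-apiserver/audit.log",
)

# Audit files a 4.6 cluster writes; /var/log/oauth-apiserver is the new location (assumed list).
REQUIRED_AUDIT_PATHS = {
    "/var/log/kube-apiserver/audit.log",
    "/var/log/openshift-apiserver/audit.log",
    "/var/log/oauth-apiserver/audit.log",
}

# Matches fluentd's Ruby interpolation "#{ENV['NAME'] || 'default'}" and captures the default.
_ENV_DEFAULT = re.compile(r"#\{ENV\['[A-Z0-9_]+'\]\s*\|\|\s*'([^']+)'\}")


def tailed_paths(conf: str) -> set:
    """Return every file path tailed by a `@type tail` <source> in a fluentd config."""
    paths = set()
    for block in re.findall(r"<source>(.*?)</source>", conf, re.S):
        if not re.search(r"^\s*@type\s+tail\s*$", block, re.M):
            continue
        m = re.search(r"^\s*path\s+(.+?)\s*$", block, re.M)
        if not m:
            continue
        value = _ENV_DEFAULT.sub(lambda mm: mm.group(1), m.group(1).strip('"'))
        paths.update(p.strip() for p in value.split(",") if p.strip())
    return paths


def missing_audit_paths(conf: str) -> set:
    """Required audit files that no tail source in `conf` covers; empty means full coverage."""
    return REQUIRED_AUDIT_PATHS - tailed_paths(conf)
```

Running `missing_audit_paths` against a live collector's fluent.conf gives a quick post-upgrade check that no audit source was silently dropped.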

Comment 5 errata-xmlrpc 2020-10-27 15:09:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.1 extras update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4198