Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1874239

Summary: ClusterLogging disallows kubeadmin to see infra* logs
Product: OpenShift Container Platform Reporter: Jeff Cantrill <jcantril>
Component: LoggingAssignee: Jeff Cantrill <jcantril>
Status: CLOSED ERRATA QA Contact: Anping Li <anli>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.5CC: andcosta, aos-bugs, gkarager, jmalde, jparks, ocasalsa, rdey, rh-container, ychoukse
Target Milestone: ---   
Target Release: 4.5.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Groups were missing from SAR checkes Consequence: User's in a group who had a given permission was not being honored by OpenShift logging Fix: Add a user's group to the SAR when checking roles Result: User's in a group (e.g. cluster-admin) who have a set of permissions are properly evaluated to have the group permissions.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-12 15:43:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1872109    
Bug Blocks:    

Description Jeff Cantrill 2020-08-31 18:43:30 UTC 
This bug was initially created as a copy of Bug #1872109

I am copying this bug because: 



1. Bug Overview:
a) Description of bug report: 

  [RHOCP4.5] ClusterLogging disallows kubeadmin to see infra* logs

b) Bug Description: 

  kubeadmin is a cluster administrator user as our understanding.
  However, ClusterLogging v4.5 disallows kubeadmin to see logs recorded in infra* indices.

  Version info:

    $ oc get clusterversion
    NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.5.4     True        False         21d     Cluster version is 4.5.4
    
    $ oc get csv
    NAME                                           DISPLAY                  VERSION                 REPLACES                                       PHASE
    clusterlogging.4.5.0-202008100413.p0           Cluster Logging          4.5.0-202008100413.p0   clusterlogging.4.5.0-202007240519.p0           Succeeded
    elasticsearch-operator.4.5.0-202008100413.p0   Elasticsearch Operator   4.5.0-202008100413.p0   elasticsearch-operator.4.5.0-202007240519.p0   Succeeded

2. Bug Details:

a) Architectures: 64-bit Intel EM64T/AMD64
  x86_64

b) Bugzilla Dependencies:

c) Drivers or hardware dependencies:

d) Upstream acceptance information: 

e) External links:

f) Severity (H,M,L):
  M

g) How reproducible: 
  Always

h) Steps to Reproduce: 

  Login Kibana Web-UI with kubeadmin user, then see logs

i) Actual results: 

  Only logs recorded in app* indices can be seen with kubeadmin user.

j) Expected results: 

  kubeadmin user can see even logs recorded in infra* indices.
Comment 1 Jeff Cantrill 2020-09-12 01:52:49 UTC 
Moving to UpcomingSprint awaiting for PRs to merge, etc.
Comment 4 Giriyamma 2020-10-08 12:33:29 UTC 
Verified on the 4.5.0-0.nightly-2020-10-07-231808, kubeadmin user can see the infra indices in kibana.
Comment 6 errata-xmlrpc 2020-10-12 15:43:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.14 extras update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3845