Bug 1895581 - Unable to create 'app' index pattern in OpenShift Logging 4.5 when permissions are granted via group
Summary: Unable to create 'app' index pattern in OpenShift Logging 4.5 when permission...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.5
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
: 4.7.0
Assignee: Lukas Vlcek
QA Contact: Anping Li
URL:
Whiteboard: logging-exploration
: 1897595 (view as bug list)
Depends On:
Blocks: 1913801
TreeView+ depends on / blocked
 
Reported: 2020-11-07 09:44 UTC by Simon Reber
Modified: 2024-06-13 23:22 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 11:22:27 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
JSON file to manually create the index pattern (24.31 KB, text/plain)
2020-12-09 10:38 UTC, Simon Reber 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github openshift elasticsearch-proxy pull 68 0 None closed Bug 1895581: Quote individual project names in proxy header 2021-02-18 15:28:11 UTC
Github openshift origin-aggregated-logging pull 2032 0 None closed Bug 1895581: Replace DLS rule script with more performant terms filter 2021-02-18 15:28:11 UTC
Red Hat Knowledge Base (Solution) 5787181 0 None None None 2021-02-09 05:45:42 UTC
Red Hat Product Errata RHBA-2021:0652 0 None None None 2021-02-24 11:23:08 UTC

Description Simon Reber 2020-11-07 09:44:43 UTC 
Description of problem:
After updating OpenShift Logging to version 4.5 the customer is unable to create 'app' index pattern if permissions on the project are granted via group. In case it's granted via RoleBinding for the user directly it works as expected.

The following does document the user experience.

----------
Definitions before Testing
----------
$ oc -n xyz123-dev-ACME-de get rolebindings
NAME                                        ROLE                               AGE
admin                                       ClusterRole/admin                  33d
edit                                        ClusterRole/edit                   33d
hans.muster   ClusterRole/edit                   30d
system:deployers                            ClusterRole/system:deployer        33d
system:image-builders                       ClusterRole/system:image-builder   33d
system:image-pullers                        ClusterRole/system:image-puller    33d
view                                        ClusterRole/view                   33d
----------
$ oc -n xyz123-dev-ACME-de get rolebindings admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2020-10-02T05:02:05Z"
  name: admin
  namespace: xyz123-dev-ACME-de
  resourceVersion: "336018672"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/xyz123-dev-ACME-de/rolebindings/admin
  uid: 9ca3bd64-787f-435d-a4a4-4976106a4aa4
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: abc456
  namespace: abc123-OCP-cc
- kind: ServiceAccount
  name: mad
  namespace: accounts-prod-ACME-de
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: administrator__it-life_dev__ACME country kjhg
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kag_xyz_non_prod__ACME country kjhg
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: subscription-owner__it-life_dev__ACME country kjhg
----------
$ oc get group "kag_xyz_non_prod__ACME country kjhg" -o yaml
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  creationTimestamp: "2020-06-10T11:36:16Z"
  labels:
    sub-reg/id: 160a235479c3488699661dfe6db6fa98
  name: kag_xyz_non_prod__ACME country kjhg
  resourceVersion: "149240770"
  selfLink: /apis/user.openshift.io/v1/groups/kag_xyz_non_prod__ACME+country+kjhg
  uid: 95c8f81a-0c25-4279-8be3-dd13316a5e05
users:
- john.done
- foo.bar
- hans.muster
--------------------
Test Steps
----------
Step-1
Using MY Kibana I've successfully verified, that my Kibana displays the logs of both running pods 'xyz123-dev-ACME-abc-7b9fcd8c5-xhwp8' and 'xyz123-dev-ACME-qwe-5cb84b575d-nw525'.
----------
Step-2
In the OpenShift console the user navigated to the tab 'Logs' of the view 'Pod details' of the pod 'xyz123-dev-ACME-abc-7b9fcd8c5-xhwp8'.
The logs stream (lasst 1000 lines) was displayed
----------
Step-3
The user clicked on "Show in Kibana".
Kibana opened (in a new browser tab), landed on the page "Management > Create index pattern" and searched for matching indices WITHOUT success. It stopped after ~30 seconds with no results.
----------
Step-4
The user closed the Kibana browser tab.
----------
Step-5
I've executed on OpenShift CLI..$ oc -n xyz123-dev-ACME-de adm policy add-role-to-user admin user.example
$ oc -n xyz123-dev-ACME-de get rolebindings
NAME                                        ROLE                               AGE
admin                                       ClusterRole/admin                  33d
admin-0                                     ClusterRole/admin                  50m
edit                                        ClusterRole/edit                   33d
hans.muster   ClusterRole/edit                   30d
system:deployers                            ClusterRole/system:deployer        33d
system:image-builders                       ClusterRole/system:image-builder   33d
system:image-pullers                        ClusterRole/system:image-puller    33d
view                                        ClusterRole/view                   33d
$ oc -n xyz123-dev-ACME-de get rolebindings admin-0 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2020-11-04T14:38:40Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: oc
    operation: Update
    time: "2020-11-04T14:38:40Z"
  name: admin-0
  namespace: xyz123-dev-ACME-de
  resourceVersion: "409567147"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/xyz123-dev-ACME-de/rolebindings/admin-0
  uid: 36e0645e-2773-4229-984a-78897cf21be1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user.example
----------
Step-6
The user clicked again on "Show in Kibana".
Kibana opened (in a new browser tab), landed on the page "Management > Create index pattern" and successfully searched for matching indices.
The user could create an index pattern 'app-*'.
Kibana afterwards displayed the logs of the pod 'xyz123-dev-ACME-abc-7b9fcd8c5-xhwp8'.
----------
Step-7
The user repeated the appropriate steps accordingly for the second pod 'xyz123-dev-ACME-qwe-5cb84b575d-nw525'. Kibana also displayed the logs of the second pod.

Version-Release number of selected component (if applicable):

 - Elasticsearch 4.5.0-202010222033.p0
 - Cluster Logging 4.5.0-202010221357.p0

How reproducible:

 - Always


Steps to Reproduce:
1. Grant access to projects via Group to users
2. Check if 'app' index pattern can be created in Kibana with those users

Actual results:

Kibana is reporting that it's unable to find `elasticsearch` data with "Couldn't find any Elasticsearch data"

Expected results:

User should be able to create the 'app' index pattern in Kibana upon first logging and when the application is already running and sending logs

Additional info:

As highlighted above, if the user is granted permissions without group (directly with the user) it works as expected.
Comment 7 ewolinet 2020-11-17 20:49:02 UTC 
dropping severity since "Urgent" implies loss of data or inability to use the product at all.
There is a known work around currently, which is to use RBAC to give user direct access (rather than via a group)
Comment 10 ewolinet 2020-11-17 22:30:19 UTC 
I had just tried to recreate this locally (using a 4.5 cluster) and am unable to.

1) Create a user (I used htpasswd)
2) Log in to Kibana with user, observe unable to create app* or infra* index patterns
3) Create a group and add the user to that group
4) Create rolebinding for group to clusterrole admin
5) Refresh Kibana screen for user, observe ability to create app* and infra* index patterns
Comment 17 ewolinet 2020-11-20 16:59:26 UTC 
*** Bug 1897595 has been marked as a duplicate of this bug. ***
Comment 32 Simon Reber 2020-12-09 10:38:53 UTC 
Created attachment 1737872 [details]
JSON file to manually create the index pattern
Comment 45 Anping Li 2021-01-20 17:45:50 UTC 
Intresting. It works well in elasticsearch-operator.4.6.0-202011221454.p0 which doesn't include the fix.  Will try to use 4.5 to reproduce again.
Comment 46 Anping Li 2021-01-25 07:51:10 UTC 
No regression issue was found when verified on cluster-logging.5.0.0-15&elasticsearch-operator.5.0.0-18.  During testing, we found if there are too many indices on the elasticsearch cluster, it is possible to hit this kibana issue. After reduce the index number and enlarge the pod resoruces, the pattern can be created.
Comment 51 Anping Li 2021-01-27 18:32:18 UTC 
Verified clusterserviceversion.operators.coreos.com/cluster-logging.5.0.0-29,clusterserviceversion.operators.coreos.com/elasticsearch-operator.5.0.0-32
The group user can create pattern now.  Compared with 4.5, the kibana reponse faster than before.  It took me 5+ minutes to open the kibana console. Now, it takes less than a minute.
Comment 54 errata-xmlrpc 2021-02-24 11:22:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Errata Advisory for Openshift Logging 5.0.0), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0652
Note You need to log in before you can comment on or make changes to this bug.