Bug 1964532 - Non cluster admins lose access to Kibana indexes and are forced to recreate them but it fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: 4.6.z
Assignee: Jeff Cantrill
QA Contact: Kabir Bharti
URL:
Whiteboard: logging-exploration
Depends On:
Blocks:
Reported: 2021-05-25 16:20 UTC by Courtney Ruhm
Modified: 2022-10-20 05:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-03 20:54:12 UTC
Target Upstream Version:
Embargoed:




Links
System                   ID               Private   Priority   Status   Summary   Last Updated
Red Hat Product Errata   RHBA-2021:4010   0         None       None     None      2021-11-03 20:54:14 UTC

Description Courtney Ruhm 2021-05-25 16:20:00 UTC
Description of problem:

Non cluster admins lose access to Kibana indexes and are forced to recreate them despite previous bugzilla identified in 4.5 for this issue being fixed with https://access.redhat.com/errata/RHBA-2021:1489 


Version-Release number of selected component (if applicable):

4.6.28 

How reproducible:

N/A

Steps to Reproduce:

Hit previous bug found in https://access.redhat.com/solutions/5885501, then upgrade to 4.6.28. Deleting and recreating the user's Kibana index seems to solve the issue, but after a couple of days the user permissions seem to revert back.

Actual results:

User permissions, after being fixed, eventually revert back to

[2021-05-25T11:02:03,047][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch-cdm-xxxxxxx-3] No index-level perm match for User [name=xxxxxx.xxx, roles=[project_user], requestedTenant=__user__] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [project_user]]
[2021-05-25T11:02:03,047][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch-cdm-8opci2yc-3] No permissions for [indices:admin/mappings/get]

Expected results:

User permissions should not revert and users should still be able to access their Kibana indexes.

Additional info:

Customer reportedly upgraded on May 21st and then deleted and recreated the user's Kibana index. They reported that it stopped working again on May 25th. So about 4 days.
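
Added example, not part of the original report or of any Red Hat tooling: a small Python parser for the `PrivilegesEvaluator` denial lines quoted above. It groups denials by user and action and records the first and last occurrence, which helps pin down when access reverted. The sample log lines, user names and node names are constructed.

```python
import re
from datetime import datetime

# Pattern for the "No index-level perm match" line format quoted in the report.
# The leading "[" is optional so lines pasted without it still match.
DENIAL = re.compile(
    r"^\[?(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\]\[\w+\s*\]"
    r"\[c\.a\.o\.s\.p\.PrivilegesEvaluator\]\s+\[(?P<node>[^\]]+)\]\s+"
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+), "
    r"roles=\[(?P<roles>[^\]]*)\], requestedTenant=(?P<tenant>[^\]]*)\]"
    r".*?\[Action \[(?P<action>[^\]]+)\]\]"
)

# Constructed sample input; user and node names are placeholders.
SAMPLE_LOG = """
2021-05-25T11:02:03,047][INFO ][c.a.o.s.p.PrivilegesEvaluator] [es-node-1] No index-level perm match for User [name=user.one, roles=[project_user], requestedTenant=__user__] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [project_user]]
[2021-05-25T11:02:03,047][INFO ][c.a.o.s.p.PrivilegesEvaluator] [es-node-1] No permissions for [indices:admin/mappings/get]
[2021-05-25T11:05:40,512][INFO ][c.a.o.s.p.PrivilegesEvaluator] [es-node-2] No index-level perm match for User [name=user.one, roles=[project_user], requestedTenant=__user__] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [project_user]]
[2021-05-25T11:06:01,003][INFO ][c.a.o.s.p.PrivilegesEvaluator] [es-node-1] No index-level perm match for User [name=user.two, roles=[project_user], requestedTenant=__user__] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [project_user]]
"""


def parse_denials(text):
    """Return one dict per index-level denial found in the log text."""
    denials = []
    for line in text.splitlines():
        m = DENIAL.search(line.strip())
        if m is None:
            continue  # e.g. the shorter "No permissions for [...]" follow-up line
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S,%f")
        d["roles"] = [r.strip() for r in d["roles"].split(",") if r.strip()]
        denials.append(d)
    return denials


def summarize(denials):
    """Group denials by (user, action) with count, first/last time and nodes."""
    summary = {}
    for d in denials:
        s = summary.setdefault((d["user"], d["action"]),
                               {"count": 0, "first": d["ts"], "last": d["ts"], "nodes": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], d["ts"]), max(s["last"], d["ts"])
        s["nodes"].add(d["node"])
    return summary


if __name__ == "__main__":
    for (user, action), s in summarize(parse_denials(SAMPLE_LOG)).items():
        print(user, action, s["count"], s["first"].isoformat(), sorted(s["nodes"]))
```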

Comment 4 IgorKarpukhin 2021-10-21 12:52:02 UTC
Solved with https://github.com/openshift/origin-aggregated-logging/pull/2165

Comment 5 Kabir Bharti 2021-10-25 20:50:23 UTC
Verified on below CSV
NAME                                        DISPLAY                            VERSION              REPLACES   PHASE
clusterlogging.4.6.0-202110190717           Cluster Logging                    4.6.0-202110190717              Succeeded
elasticsearch-operator.4.6.0-202110212031   OpenShift Elasticsearch Operator   4.6.0-202110212031              Succeeded

Non-cluster admin user is able to create an index pattern in Kibana, and the index pattern is not deleted. Manual deletion of the index pattern by the user and recreating it is also working fine.

Marking Bug as QE verified.

Comment 8 errata-xmlrpc 2021-11-03 20:54:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.49 extras update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4010

