Non-Admin Users unable to view logs on Kibana

[ghost]

We have deployed the latest 5.6.3 ELK stack on Ubuntu VM

In order to allow CF users to authenticate we have added a Kibana Client(with the required scopes) in the CF UAA and installed the latest kibana-auth-plugin(v5.6.3) provided in the src/ of this bosh release.

When logged in as admin or when a user is an Org Manager of the configured system org, users are able to view all the App and Platform logs. However when a non-admin or a non-system-org user logs in to Kibana, the user is unable to view any logs and is shown "No results found" message on Kibana.

So can a non-admin user be able to view logs in Kibana? Does the plugin support such functionality?

[Infra-Red]

@lordcf You can skip scopes verification using kibana-auth.skip_authorization property, please refer to:

https://github.com/cloudfoundry-community/logsearch-for-cloudfoundry/blob/develop/jobs/kibana-auth-plugin/spec#L46-L48

-- Regards, Andrei

On Nov 2, 2017, 17:25 +0300, lordcf notifications@github.com, wrote:

We have deployed the latest 5.6.3 ELK stack on Ubuntu VM In order to allow CF users to authenticate we have added a Kibana Client(with the required scopes) in the CF UAA and installed the latest kibana-auth-plugin(v5.6.3) provided in the src/ of this bosh release. When logged in as admin or when a user is an Org Manager of the configured system org, users are able to view all the App and Platform logs. However when a non-admin or a non-system-org user logs in to Kibana, the user is unable to view any logs and is shown "No results found" message on Kibana. So can a non-admin user be able to view logs in Kibana? Does the plugin support such functionality? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[ishwarps]

@Infra-Red. We question. The admin user is able to view the apps logs of all orgs/spaces. But the new user created with orgManager and SpaceDevloper role. He is not able to see the logs apps of his org/space. does this plugins support?

[Infra-Red]

@ishwar1987 With properly configured plugin non-admin users will see logs from Orgs/Spaces to which they have access in CF deployment.

-- Regards, Andrei

On Nov 2, 2017, 17:47 +0300, ishwar1987 notifications@github.com, wrote:

@Infra-Red. We question. The admin user is able to view the apps logs of all orgs/spaces. But the new user created with orgManager and SpaceDevloper role. He is not able to see the logs apps of his org/space. does this plugins support? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[ishwarps]

@Infra-Red . Thanks for response. I have configure the following properties in index.js.

var useHttps = false; var client_id = 'KIBANA_OAUTH2_CLIENT_ID' var client_secret='KIBANA_OAUTH2_CLIENT_SECRET'; var skip_ssl_validation = true; var cf_system_org = 'system'; var cloudFoundryApiUri = 'https://text.com' var logout_redirect_uri = 'xx.xxx.xxx.xxxx:xxxx' var use_redis_sessions = false; var redis_host = '127.0.0.1'; var redis_port = '6379'; var cfInfoUri = cloudFoundryApiUri + '/v2/info'; var sessionExpirationMs = (process.env.SESSION_EXPIRATION_MS) ? process.env.SESSION_EXPIRATION_MS : 12 60 60 * 1000; // 12 hours by default
var random_string = process.env.SESSION_KEY || randomstring.generate(40); var skip_authorization = true;

After this too. The non-admin users will not able to see the logs. so do i miss any properties here. if you provides some troubleshooting steps thats good for me.

[ishwarps]

After more analysis. I have printed the options.payload (_filtered_msearch of index.js) for non admin user.

console.log('optiosn payload--->',JSON.stringify(options.payload.toString('utf-8')));

its giving an following output.

{"index":["logs-app-test-org-test-space-2017.11.02"],"ignore_unavailable":true,"preference":1509735801854}n{"version":true,"size":500,"sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}}],"query":{"bool":{"must":[{"match_all":{}},{"range":{"@timestamp":{"gte":1509561000000,"lte":1509647399999,"format":"epoch_millis"}}},{"terms":{"@cf.space_id":["79ff2521-4014-4356-b03b-cd56d34549da","6a838cb6-ed3e-4eb0-ac90-4f30b377a5ba"]}},{"terms":{"@cf.org_id":["7de152ba-f70e-4511-bc66-d997faaea49f","7f5770a4-131b-4e73-b5c9-445791667d35"]}}],"must_not":[]}},"_source":{"excludes":[]},"aggs":{"2":{"date_histogram":{"field":"@timestamp","interval":"30m","time_zone":"Asia/Kolkata","min_doc_count":1}}},"stored_fields":[""],"script_fields":{},"docvalue_fields":["@timestamp"],"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"":{"highlight_query":{"bool":{"must":[{"match_all":{}},{"range":{"@timestamp":{"gte":1509561000000,"lte":1509647399999,"format":"epoch_millis"}}}],"must_not":[]}}}},"fragment_size":2147483647}}"

does any things missing here?

[ishwarps]

HI, The kibana index page is not displaying the @cf.space_id and @cf.org_id field properties with aggregatable. is this to be reason that query terms is not working?

[axelaris]

Hi @ishwarps could you please check if the issue is still actual in the latest release? Thanks.