Open paul-mulvihill opened 5 years ago
Anyone seen this or able to point me in the right direction?
The root cause of the issue is in `routes.js` — whenever a user is not a member of the system org, the original request to Elasticsearch that is generated by Kibana is modified by injecting two `bool` filters for `@cf.space_id` and `@cf.org_id` fields (so that a UAA user is not able to display anything not coming from their orgs/spaces):
https://github.com/cloudfoundry-community/logsearch-for-cloudfoundry/blob/06dcccb8ca13d73fc021347c6de5d12a83c7db48/src/kibana-cf_authentication/server/routes.js#L144-L152
https://github.com/cloudfoundry-community/logsearch-for-cloudfoundry/blob/06dcccb8ca13d73fc021347c6de5d12a83c7db48/src/kibana-cf_authentication/server/helpers.js#L25-L28
This works well for regular searches, but fails for this specific case, since for the "View single document" link Kibana generates a query with an `ids` filter — and that filter cannot be used together with a `bool` filter, so Elasticsearch returns an error.
UAA users are able to see logs for the orgs they are associated with. However, when they select "View Surrounding Documents" they receive the following error:
If the user is part of the system org (global admin) they are able to see all logs without any problems. Current version of logsearch: 209.0.1. If they select "View single document" they receive a similar error with an Unknown Id error.
Users are set up as a mixture of Org Admins and Org Auditors. I've also tried this with a user set as a Space Developer. Adding this makes no impact on the outcome.
Are there additional levels of security or configuration required to enable this?
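
One way to apply the org/space restriction described in the root-cause comment so that it also covers `ids` lookups, as an added example that is not the plugin's own code: the client's query is wrapped whole inside a new `bool` instead of having filters injected into it. `scopeToTenant`, `account.orgIds` and `account.spaceIds` are hypothetical names, and the sketch assumes an Elasticsearch version in which `ids` is an ordinary query clause that may sit under `bool.must`.

```javascript
// Added example (hypothetical helper, not code from logsearch-for-cloudfoundry).
// Scopes any Kibana-generated search body to the caller's orgs and spaces.
function scopeToTenant(body, account) {
  // Assumed shape of the authenticated account: arrays of CF org/space GUIDs.
  const orgIds = Array.isArray(account && account.orgIds) ? account.orgIds : [];
  const spaceIds = Array.isArray(account && account.spaceIds) ? account.spaceIds : [];

  // Whatever the client sent (ids, bool, match_all, ...) becomes a single
  // `must` clause, so the restriction never depends on the query's own type.
  // A body without a query means "everything", which is then scoped below.
  const original = body && body.query ? body.query : { match_all: {} };

  // `filter` clauses are always required and are not scored. A `terms`
  // clause with an empty list matches no documents, so an account with
  // no orgs or spaces gets no hits (fails closed).
  const scoped = {
    bool: {
      must: [original],
      filter: [
        { terms: { '@cf.org_id': orgIds } },
        { terms: { '@cf.space_id': spaceIds } }
      ]
    }
  };

  // Copy the other top-level keys (size, sort, ...) without mutating input.
  return Object.assign({}, body, { query: scoped });
}

// Constructed sample input: the shape of a single-document lookup by id.
const sampleIdsBody = { query: { ids: { values: ['constructed-doc-id'] } }, size: 1 };
// Constructed sample account for a non-system-org user.
const sampleAccount = { orgIds: ['org-a'], spaceIds: ['space-1', 'space-2'] };

console.log(JSON.stringify(scopeToTenant(sampleIdsBody, sampleAccount), null, 2));
```

Because the tenant filter is the outermost clause, a document id that belongs to another org simply returns no hit instead of an Elasticsearch error.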