Closed by snupy 5 years ago
The .operations index can be referred to by only the cluster-admin role; is this the expected result?
Yes, or cluster-reader
Thank you for your swift response @richm, but cluster-reader does not have the view verb of the pods/log permission, and it did not work for me to access the .operations index using the Kibana dashboard.
The test evidence based on the CLI is as follows.
master1 ~# oc adm policy add-cluster-role-to-user cluster-reader testuser
cluster role "cluster-reader" added: "testuser"
master1 ~# oc login -u testuser -p password
Login successful.
You have access to the following projects and can switch between them with 'oc project <projectname>':
default
...
openshift
openshift-console
openshift-infra
* openshift-logging
openshift-metrics-server
openshift-monitoring
openshift-node
openshift-sdn
openshift-web-console
Using project "openshift-logging".
master1 ~# oc auth can-i view pod/logs -n default
no - no RBAC policy matched
master1 ~# oc auth can-i watch pod/logs -n default
yes
I've verified the workaround of creating a custom role that includes the view verb of the pods/log permission, and I could access the .operations index from the Kibana dashboard after granting the custom role.
My test evidence is as follows.
# oc get clusterrole custom_view -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  annotations:
    openshift.io/description: A user who can view but not edit any resources within
      the project. They can not view secrets or membership.
    openshift.io/reconcile-protect: "true"
  creationTimestamp: 2019-01-24T13:53:09Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: custom_view
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/custom_view
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - pods/log
  verbs:
  - view
# oc adm policy add-cluster-role-to-user cluster-reader testuser
# oc policy who-can view pods/log
Namespace: openshift-logging
Verb:      view
Resource:  pods/log

Users:  admin
        system:admin
        system:serviceaccount:kube-system:clusterrole-aggregation-controller

Groups: system:cluster-admins
        system:masters

# oc adm policy add-cluster-role-to-user custom_view testuser
# oc policy who-can view pods/log
Namespace: openshift-logging
Verb:      view
Resource:  pods/log

Users:  admin
        system:admin
        system:serviceaccount:kube-system:clusterrole-aggregation-controller
        testuser

Groups: system:cluster-admins
        system:masters
I'm not sure what your expectation is here, as you have identified what you, as an administrator, need to do in order to grant someone access to those logs. This plugin enables viewing the logs based on a set of permissions that a particular user has. This plugin is not responsible for creating those permissions or the Role required; that is your responsibility as an administrator. We cannot make security decisions for your OKD cluster.
As long as you can satisfy the appropriate SAR, you will be able to view operations logs.
Thank you for your review @jcantrill,
I've found from the following BZs that cluster-reader can access the .operations index, but it couldn't access the index (refer to my comments above). The view verb is not included in the bootstrapping builtin role definitions, so I'd like to check it here. And I want to replace the view verb with the watch verb if there are no reasons not to change it.
openshift_logging_es_ops_allow_cluster_reader doesn't work - comment#1
Remove the section Allowing cluster-reader to view operations logs
By default, cluster-reader users are granted access in Elasticsearch and Kibana to view operations logs. We needn't enable the following; "Allowing cluster-reader to view operations logs" can be removed.
The verb array variable used by the builtin roles does not include view:
[https://github.com/openshift/origin/blob/master/pkg/cmd/server/bootstrappolicy/policy.go#L45]
read = []string{"get", "list", "watch"}
All container image tags are v3.11.59.
allowed = apiService.localSubjectAccessReview(token, "default", "view", "pods/log","", ArrayUtils.EMPTY_STRING_ARRAY);
To determine if you are an operations user:
oc auth can-i view pod/logs -n default
yes
If you do not have appropriate access, contact your cluster administrator.
oc get clusterrole -o yaml
...
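As an added example (not code from the plugin or from OpenShift), the following Python model of Kubernetes RBAC rule matching shows why the plugin's SubjectAccessReview for the verb view on pods/log is denied for the built-in cluster-reader role, whose read verb set is only get/list/watch, and why it passes once the posted custom_view role is bound or if the check asked for watch instead. The cluster-reader rule here is a constructed simplification covering only the resources relevant to this thread.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)


def _matches(patterns, value):
    # "*" in a rule matches anything, otherwise an exact entry is required
    return "*" in patterns or value in patterns


def rule_allows(rule, api_group, resource, verb):
    # A single rule permits a request only if group, resource AND verb match
    return (_matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def subject_access_review(bound_roles, api_group, resource, verb):
    # Model of a (Local)SubjectAccessReview: allowed if any rule of any role
    # bound to the subject allows the request; RBAC is deny-by-default
    return any(rule_allows(r, api_group, resource, verb)
               for role in bound_roles for r in role.rules)


# The "read" verb set from bootstrappolicy/policy.go quoted in the thread
READ = ["get", "list", "watch"]

# Constructed simplification of the built-in cluster-reader role: only the
# rule relevant here, consistent with "oc auth can-i watch pod/logs" = yes
CLUSTER_READER = Role("cluster-reader", [Rule([""], ["pods", "pods/log"], READ)])

# The custom_view ClusterRole exactly as posted in the thread
CUSTOM_VIEW = Role("custom_view", [Rule([""], ["pods/log"], ["view"])])


def plugin_check(bound_roles):
    # The plugin's call: localSubjectAccessReview(token, "default", "view", "pods/log", "")
    return subject_access_review(bound_roles, "", "pods/log", "view")


def proposed_check(bound_roles):
    # The reporter's proposal: ask for the "watch" verb instead of "view"
    return subject_access_review(bound_roles, "", "pods/log", "watch")
```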