fabric8io / openshift-elasticsearch-plugin


We should create a custom role in order to allow users read-only permission on the .operations index. #168

Closed. bysnupy closed this issue 5 years ago.

bysnupy commented 5 years ago

All container image tags are v3.11.59.


* Description:
  The `.operations` index can only be referred to by the `cluster-admin` role; is that the expected result?

  In order to allow other users to access the `.operations` index, we have to create a custom role.
  It would be a hurdle to allow read-only access to an operations-role user account in the real world.
  I think it would be better to replace the `view` verb with the `watch` verb, because the builtin `view` role can then be used simply when we need to allow read-only access to the index.

  To allow showing the `.operations` index to a user, the `view` verb on `pods/log` is required in the `default` project at the moment. But the `view` verb on `pods/log` is not granted to any builtin role except `cluster-admin` (this role is just a wildcard in its permission definition, so it is `OK`). So a custom role has to be created that adds the `view` verb in order to refer to the `.operations` index.
  I think it would be better to replace the `view` verb with the `watch` verb, or to update the builtin role definitions.

I've checked the logic and documentation for the operations-user condition, as follows.

- [Source code](https://github.com/fabric8io/openshift-elasticsearch-plugin/blob/master/src/main/java/io/fabric8/elasticsearch/util/RequestUtils.java#L124)

  ```java
  allowed = apiService.localSubjectAccessReview(token, "default", "view", "pods/log", "", ArrayUtils.EMPTY_STRING_ARRAY);
  ```

- [Documentation](https://docs.openshift.com/container-platform/3.11/install_config/aggregate_logging.html#aggregate-logging-ansible-variables)

  To determine if you are an operations user:

  ```
  oc auth can-i view pod/logs -n default

  yes
  ```

  If you do not have appropriate access, contact your cluster administrator.


- The verb `view` appears only for Jenkins resources in the `oc get clusterrole -o yaml` output.

  ```
  oc get clusterrole -o yaml

  ...
  ```

richm commented 5 years ago

> .operations index can be referred by just only cluster-admin role, is it expected result ?

Yes, or cluster-reader

bysnupy commented 5 years ago

Thank you for your swift response @richm, but cluster-reader does not have the view verb on pods/log, and it did not work for me to access the .operations index using the Kibana dashboard.

The evidence from my CLI-based test is as follows.

```
master1 ~# oc adm policy add-cluster-role-to-user cluster-reader testuser
cluster role "cluster-reader" added: "testuser"

master1 ~# oc login -u testuser -p password
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default
    ...
    openshift
    openshift-console
    openshift-infra
  * openshift-logging
    openshift-metrics-server
    openshift-monitoring
    openshift-node
    openshift-sdn
    openshift-web-console

Using project "openshift-logging".

master1 ~# oc auth can-i view pod/logs -n default
no - no RBAC policy matched

master1 ~# oc auth can-i watch pod/logs -n default
yes
```

bysnupy commented 5 years ago

I've verified the workaround of creating a custom role that includes the view verb on pods/log. I could access the .operations index from the Kibana dashboard after granting the custom role.

My test evidence is as follows.

```
# oc get clusterrole custom_view -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  annotations:
    openshift.io/description: A user who can view but not edit any resources within
      the project. They can not view secrets or membership.
    openshift.io/reconcile-protect: "true"
  creationTimestamp: 2019-01-24T13:53:09Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: custom_view
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/custom_view
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - pods/log
  verbs:
  - view

# oc adm policy add-cluster-role-to-user cluster-reader testuser

# oc policy who-can view pods/log
Namespace: openshift-logging
Verb:      view
Resource:  pods/log

Users:  admin
        system:admin
        system:serviceaccount:kube-system:clusterrole-aggregation-controller

Groups: system:cluster-admins
        system:masters

# oc adm policy add-cluster-role-to-user custom_view testuser

# oc policy who-can view pods/log
Namespace: openshift-logging
Verb:      view
Resource:  pods/log

Users:  admin
        system:admin
        system:serviceaccount:kube-system:clusterrole-aggregation-controller
        testuser

Groups: system:cluster-admins
        system:masters
```

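The two test transcripts above (cluster-reader failing the `view` check but passing `watch`, and the `custom_view` workaround passing) follow from how RBAC rule matching treats the verb the plugin asks for. The standard Kubernetes resource verbs are get, list, watch, create, update, patch, delete and deletecollection; `view` is not one of them, so a SubjectAccessReview for verb `view` can only be satisfied by a rule with a wildcard verb (`*`, as in cluster-admin) or by a rule that names `view` explicitly (as the workaround ClusterRole does). The script below is an added example, not code from openshift-elasticsearch-plugin: it models that rule matching offline so the outcomes in this thread can be reproduced. The role contents are assumptions for the example (cluster-reader is modelled as get/list/watch on pods and pods/log, consistent with the `oc auth can-i watch pod/logs` result above), and `is_operations_user` is a hypothetical name mirroring the plugin's `localSubjectAccessReview(token, "default", "view", "pods/log", ...)` gate.

```python
"""Toy model of the SubjectAccessReview gate the plugin uses for .operations.

Constructed example; not the plugin's code and not the API server's RBAC
implementation. It models ClusterRole rule matching for the check
(namespace "default", verb "view", resource "pods/log") closely enough to
reproduce the results recorded in this issue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple  # ("",) is the core group; "*" matches any group
    resources: tuple   # e.g. ("pods/log",); "*" matches any resource
    verbs: tuple       # e.g. ("get", "list", "watch"); "*" matches any verb


# Role contents assumed for the example (simplified):
#   cluster-admin : wildcard everything, which is why it satisfies any verb,
#                   including the non-standard "view"
#   cluster-reader: standard read verbs only; no "view" entry, matching the
#                   "can-i view ... -> no" / "can-i watch ... -> yes" results
#   custom_view   : the workaround ClusterRole from the thread
ROLES = {
    "cluster-admin": [Rule(("*",), ("*",), ("*",))],
    "cluster-reader": [Rule(("",), ("pods", "pods/log"), ("get", "list", "watch"))],
    "custom_view": [Rule(("",), ("pods/log",), ("view",))],
}


def _matches(wanted, allowed):
    """A rule entry matches on exact value or on the wildcard '*'."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """A single PolicyRule grants the request only if group, resource and verb all match."""
    return (_matches(api_group, rule.api_groups)
            and _matches(resource, rule.resources)
            and _matches(verb, rule.verbs))


def subject_access_review(bindings, verb, resource, api_group=""):
    """Model of a (Local)SubjectAccessReview: allowed if any bound role has a matching rule.

    `bindings` lists the ClusterRole names bound to the user. The namespace is
    not modelled because the roles here are cluster-scoped and the plugin always
    checks the fixed namespace "default".
    """
    for role in bindings:
        for rule in ROLES.get(role, []):
            if rule_allows(rule, api_group, resource, verb):
                return True
    return False


def is_operations_user(bindings, verb="view"):
    """Hypothetical mirror of the plugin's gate: SAR on pods/log with the given verb."""
    return subject_access_review(bindings, verb, "pods/log")


if __name__ == "__main__":
    scenarios = {
        "admin (cluster-admin)": ["cluster-admin"],
        "testuser (cluster-reader)": ["cluster-reader"],
        "testuser (cluster-reader + custom_view)": ["cluster-reader", "custom_view"],
    }
    for label, roles in scenarios.items():
        print(f"{label:45} view={is_operations_user(roles)!s:5} "
              f"watch={is_operations_user(roles, verb='watch')}")
```

Run as-is, the script shows cluster-admin passing, cluster-reader failing the `view` check while passing `watch`, and the `custom_view` binding turning the `view` result to allowed, which is exactly the sequence recorded in the `oc policy who-can` output above. Because `view` is not a verb any Kubernetes API endpoint is served under, an explicit `view` entry on `pods/log` functions purely as a marker for this plugin; an administrator granting it should know that it widens nothing at the API level but does open all operations logs in Kibana for that user.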
jcantrill commented 5 years ago

> I've verified the workaround that create the custom role included view of pods/log permission. And I could access .operations index from Kibana dashboard after grant of the custom role.

I'm not sure what your expectation is here, as you have identified what you, as an administrator, need to do in order to grant someone access to those logs. This plugin enables viewing the logs based on a set of permissions that a particular user has. This plugin is not responsible for creating those permissions or the Role required; that is your responsibility as an administrator. We cannot make security decisions for your OKD cluster.

As long as you can satisfy the appropriate SAR, you will be able to view operations logs.

bysnupy commented 5 years ago

Thank you for your review @jcantrill,

I've found from the following BZs that the cluster-reader should be able to access the .operations index, but it couldn't access the index (refer to my comments above). The view verb was not included in the bootstrapping builtin role definitions. So I'd like to check it here. And I want to replace the view verb with the watch verb if there are no reasons not to change it.