
Bug 1512495

Summary: [3.6.1]some indices name miss in kibana
Product: OpenShift Container Platform
Reporter: Anping Li <anli>
Component: Logging
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Anping Li <anli>
Severity: high
Priority: unspecified
Version: 3.6.1
CC: aos-bugs, bleanhar, jcantril, juzhao, pweil, rmeggins, stwalter, wsun
Target Milestone: ---
Keywords: Regression
Target Release: 3.6.z
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: The multi tenancy plugin in Elasticsearch was inadvertently changed, while fixing another bug, not to look up projects for the user upon every login.
Consequence: The list of projects was not displayed properly.
Fix: The multi tenancy plugin in Elasticsearch was changed back to look up projects for the user upon every login.
Result: The list of projects is displayed properly.
Clone Of: 1511432
Last Closed: 2018-06-01 17:32:04 UTC
Type: Bug
Bug Depends On: 1511432, 1530866
Attachments:
project indices could be found on kibana UI. (Flags: none)

Comment 2 Rich Megginson 2017-11-13 19:48:50 UTC
see https://bugzilla.redhat.com/attachment.cgi?id=1351670&action=edit

I've removed the TestBlocker flag as I am not aware of any functionality which is prevented by this issue.

It might also not be a Regression, depending on if this new behavior is intentional.

Comment 3 Anping Li 2017-11-17 05:48:39 UTC
@Rich, it is not a test blocker. We can continue following https://bugzilla.redhat.com/show_bug.cgi?id=1511432#c15.
It should be a regression bug except for we don't suggest logging in using kibana route.

Comment 4 Anping Li 2017-11-17 07:50:02 UTC
The issue exists in logging-elasticsearch:v3.6.173.0.63, logging-kibana:v3.6.173.0.63, logging-fluentd:v3.6.173.0.63

Comment 5 Junqi Zhao 2017-11-20 09:22:52 UTC
Users can see the project indices by using the workaround
https://bugzilla.redhat.com/show_bug.cgi?id=1511432#c15

But if there are a lot of projects, it will make customers disappointed if we let customers do the workaround manually.

Comment 6 Junqi Zhao 2017-11-22 09:21:26 UTC
Tested with v3.6.173.0.78-1 logging images; these images contain the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1510118
(EMBARGOED CVE-2017-12195 security: OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes [openshift-enterprise-3.6])

project indices could be found in kibana UI, see the attached file

Comment 7 Junqi Zhao 2017-11-22 09:29:10 UTC
Created attachment 1357322
project indices could be found on kibana UI.

Comment 8 Steven Walter 2018-01-22 21:51:54 UTC
What permissions are required for the workaround in #c15 of parent bug: https://bugzilla.redhat.com/show_bug.cgi?id=1511432 ? I created 2 users, "biguser" and "littleuser". I gave "admin" role to "biguser" and "view" role to "littleuser" and neither was able to configure the pattern "project.*". I had assumed they would be able to see the pattern but only projects they have access to would work.

Giving cluster-admin to biguser allows it to see project.*, of course. Is there another workaround for non-cluster-admin users?

For context, customer was trying to use project.* to work around another issue where, when trying to look at an individual project index, they get messages like:

As a cluster-admin:
Discover: "project.example.4e03e3cb-f0c2-11e7-9a3d-001a4aa86606.*" is not a configured pattern. Using the default index pattern: ".all"
I do still see log data.

An unprivileged user sees this:
Discover: "project.example.4e03e3cb-f0c2-11e7-9a3d-001a4aa86606.*" is not a configured pattern. Using the default index pattern: "project.empty-project.*"
They do not see any log data.


I put this here instead of parent bug because it is 3.6

Comment 9 Anping Li 2018-01-23 02:07:37 UTC
The issue wasn't in 3.6.173.0.96 which will be released soon.

Comment 10 Jeff Cantrill 2018-04-11 14:45:32 UTC
Moving this to 'ON_QA' based on c#9