Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: Logging 5.0.7, Logging 5.1.1, Logging 5.2
Affects Version/s: Logging 5.0.6
Component/s: Log Storage
Labels:
- devel_ack+
- rn-done-resolved

Blocked:
False
Ready:
False
Docs QE Status:
NEW
QE Status:
VERIFIED
Release Note Text:
Before this update, an issue with the `ServiceAccount` permissions caused errors like `no permissions for [indices:admin/aliases/get]`. With this update, a permission fix resolves the issue.

SFDC Cases Links:
SFDC Cases Counter:

Description

###[Description of problem]

Index management cronjobs are failing with error:

~~~
2021-06-24T09:15:08.090393695Z Error while attemping to determine the active write alias: {'error': {'root_cause': [

{'type': 'security_exception', 'reason': 'no permissions for [indices:admin/aliases/get] and User [name=system:serviceaccount:openshift-logging:elasticsearch, roles=[admin_reader], requestedTenant=null]'}

], 'type': 'security_exception', 'reason': 'no permissions for [indices:admin/aliases/get] and User [name=system:serviceaccount:openshift-logging:elasticsearch, roles=[admin_reader], requestedTenant=null]'}, 'status': 403}
~~~

It was reviewed that the SA elasticsearch used to run the cronjobs has not assigned extra clusterroles or roles.Version-Release number of selected component (if applicable):
OCP 4.7
Logging 5.0.6.40

###Actual results:
Index management cronjobs are failing each execution and not able to manage the deletion/rollover of the indices

###Expected results:
Index management cronjobs are able to manage the deletion/rollover of the indices

NOTE:

the indices must be deleted by hand to don't get the storage full continually. Could we have any workaround on this meanwhile bug is fixed?
Not clusterrole or role was added to the SA elasticsearch that runs the cronjobs