- Bug
- Resolution: Not a Bug
- Undefined
- Logging 5.4.0
- None
Description of problem:
The cluster admin cannot see the journal logs and audit logs, but a common user bound to the get role can see them even before it owns any private project.
The common user should not be able to see infra and audit logs.
Version-Release number of selected component (if applicable):
cluster-logging.5.4.0-123
loki-operator.5.4.0-26
How reproducible:
Always
Steps to Reproduce:
1. Create a LokiStack.
2. Create the ClusterRoles and ClusterRoleBindings:
cat <<EOF |oc create -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${lokistack_name}-tenant-all-create
rules:
- apiGroups:
  - 'loki.grafana.com'
  resources:
  - application
  - infrastructure
  - audit
  resourceNames:
  - logs
  verbs:
  - 'create'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${lokistack_name}-tenant-all-get
rules:
- apiGroups:
  - 'loki.grafana.com'
  resources:
  - application
  - infrastructure
  - audit
  resourceNames:
  - logs
  verbs:
  - 'get'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${lokistack_name}-tenant-app-get
rules:
- apiGroups:
  - 'loki.grafana.com'
  resources:
  - application
  resourceNames:
  - logs
  verbs:
  - 'get'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${lokistack_name}-tenant-binding-all-create
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${lokistack_name}-tenant-all-create
subjects:
- kind: ServiceAccount
  name: logcollector
  namespace: openshift-logging
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${lokistack_name}-tenant-binding-all-get
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${lokistack_name}-tenant-all-get
subjects:
- kind: User
  name: testuser-1
- kind: User
  name: testuser-2
EOF
3. Forward logs to the LokiStack:
cat <<EOF |oc create -f -
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
  - name: loki-app
    type: loki
    url: http://${gateway_svc_name}/api/logs/v1/application
    secret:
      name: lokistack-gateway-bearer-token
  - name: loki-infra
    type: loki
    url: http://${gateway_svc_name}/api/logs/v1/infrastructure
    secret:
      name: lokistack-gateway-bearer-token
  - name: loki-audit
    type: loki
    url: http://${gateway_svc_name}/api/logs/v1/audit
    secret:
      name: lokistack-gateway-bearer-token
  pipelines:
  - name: infra-to-loki
    inputRefs:
    - infrastructure
    outputRefs:
    - loki-infra
  - name: app-to-loki
    inputRefs:
    - application
    outputRefs:
    - loki-app
  - name: audit-to-loki
    inputRefs:
    - audit
    outputRefs:
    - loki-audit
EOF
4. Query infra and audit logs as kubeadmin and as testuser-1.
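Before querying the gateway it is worth checking which tenant each subject is actually granted by the manifests in step 2. The following is an added example, not code from the ticket or from the Loki operator: a minimal evaluator of those ClusterRoles and ClusterRoleBindings that assumes lokistack_name is "logging-loki". It only models the bindings created in step 2 (so it says nothing about bindings that already exist on the cluster, such as cluster-admin for kubeadmin), and it shows that testuser-1 and testuser-2 are granted get on all three tenants by the -tenant-all-get binding.

```python
# Added example, not from the ticket: a minimal evaluator for the
# loki.grafana.com tenant RBAC created in step 2. lokistack_name is
# assumed to be "logging-loki" (constructed value).
LOKISTACK = "logging-loki"
TENANTS = ("application", "infrastructure", "audit")

def tenant_rule(resources, verb):
    """One RBAC rule in the shape used by the step 2 ClusterRoles."""
    return {"apiGroups": ["loki.grafana.com"], "resources": list(resources),
            "resourceNames": ["logs"], "verbs": [verb]}

# ClusterRole name -> rules, mirroring step 2.
CLUSTER_ROLES = {
    f"{LOKISTACK}-tenant-all-create": [tenant_rule(TENANTS, "create")],
    f"{LOKISTACK}-tenant-all-get": [tenant_rule(TENANTS, "get")],
    f"{LOKISTACK}-tenant-app-get": [tenant_rule(["application"], "get")],
}

# ClusterRoleBindings from step 2; a subject is (kind, name[, namespace]).
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": f"{LOKISTACK}-tenant-all-create",
     "subjects": [("ServiceAccount", "logcollector", "openshift-logging")]},
    {"roleRef": f"{LOKISTACK}-tenant-all-get",
     "subjects": [("User", "testuser-1"), ("User", "testuser-2")]},
]

def rule_matches(rule, verb, tenant):
    """A rule grants `verb` on <tenant>/logs in apiGroup loki.grafana.com."""
    return (verb in rule["verbs"] and tenant in rule["resources"]
            and "loki.grafana.com" in rule["apiGroups"]
            and "logs" in rule["resourceNames"])

def can_i(kind, name, verb, tenant, namespace=None):
    """True if one of the bindings above grants `verb` on the tenant."""
    subject = (kind, name) if namespace is None else (kind, name, namespace)
    for binding in CLUSTER_ROLE_BINDINGS:
        if subject not in binding["subjects"]:
            continue
        rules = CLUSTER_ROLES.get(binding["roleRef"], [])
        if any(rule_matches(r, verb, tenant) for r in rules):
            return True
    return False

def tenants_readable_by(kind, name, namespace=None):
    return [t for t in TENANTS if can_i(kind, name, "get", t, namespace)]

if __name__ == "__main__":
    for user in ("testuser-1", "testuser-3"):
        print(user, "can get:", tenants_readable_by("User", user))
```

The on-cluster equivalent is a SubjectAccessReview, e.g. `oc auth can-i get audit.loki.grafana.com/logs --as=testuser-1`, which also takes into account bindings that are not part of these manifests.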
Actual result:
kubeadmin cannot view journald logs and audit logs.
The common user testuser-1 can get journald and audit logs even before it owns any project.
Expected result:
kubeadmin can see infra and audit logs.
The common user cannot see infra and audit logs.
- clones LOG-2448 Audit and journald logs cannot be viewed from LokiStack, when logs are forwarded with Vector as collector. (Closed)