OpenShift Logging
LOG-2970

[release-5.5] [lokistack] The user with cluster-admin roles cannot view the audit logs


Details

    • Before this update, users who were assigned cluster-admin privileges were not able to properly view infrastructure and audit logs using the logging console. With this update, the authorization check has been extended to also recognize users in the cluster-admin and dedicated-admin groups as admins.
    • Log Storage - Sprint 223, Log Storage - Sprint 224, Log Storage - Sprint 225

    Description

      How reproducible:
      Always

      Steps to Reproduce:
      1. Forward all logs from Fluentd to Lokistack

      ---
      apiVersion: "logging.openshift.io/v1"
      kind: "ClusterLogging"
      metadata:
        name: "instance"
        namespace: openshift-logging
      spec:
        managementState: "Managed"
        logStore:
          type: "lokistack"
          lokistack:
            name: lokistack-sample
        collection:
          type: "fluentd"
      ---
      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        pipelines:
          - name: all-to-defaultES
            inputRefs:
            - infrastructure
            - application
            - audit
            outputRefs:
            - default

      2. Check the audit logs via kubeadmin
      logcli -o raw --tls-skip-verify --bearer-token="${kubeadmin_bearer_token}" --addr="https://${lokistack_route}/api/logs/v1/audit" query --limit=3 '{log_type="audit"}'

      3. Check the audit logs via testuser-1, who has the cluster-admin role
      oc adm policy add-cluster-role-to-user cluster-admin testuser-1
      logcli -o raw --tls-skip-verify --bearer-token="${testuser1_bearer_token}" --addr="https://${lokistack_route}/api/logs/v1/audit" query --limit=3 '{log_type="audit"}'

      Expected result:
      Both kubeadmin and testuser-1 can see audit logs

      Actual result:
      kubeadmin can see all logs
      testuser-1 cannot see audit logs
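The release note says the fix extends the gateway's authorization check so that members of the cluster-admin and dedicated-admin groups are treated as admins. The Go program below is an added example, not code from loki-operator or the LokiStack gateway, that models such a tenant authorization decision: the identity a TokenReview reports for the bearer token (user name plus groups), a configurable admin-group list, and a namespace access hook standing in for a SubjectAccessReview. The group name system:cluster-admins, the user name kube:admin, the sample users, the namespace test-project and all function names are assumptions made for illustration. In particular the example assumes testuser-1 has been placed in a group named cluster-admin; the ticket's oc adm policy add-cluster-role-to-user command only creates a ClusterRoleBinding for the user and does not by itself add the user to any group, so a group-based admin check only helps users who are actually members of such a group.

```go
package main

import (
	"errors"
	"fmt"
)

// UserInfo is the identity a TokenReview reports for the bearer token the
// gateway receives: the user name plus the groups the user belongs to.
type UserInfo struct {
	Name   string
	Groups []string
}

// Tenant names the three LokiStack tenants served under /api/logs/v1/<tenant>.
type Tenant string

const (
	TenantApplication    Tenant = "application"
	TenantInfrastructure Tenant = "infrastructure"
	TenantAudit          Tenant = "audit"
)

// ErrForbidden is wrapped into every denied decision so callers can errors.Is() it.
var ErrForbidden = errors.New("forbidden")

// NamespaceAccessFunc is a hypothetical hook standing in for a
// SubjectAccessReview: may this user read logs from this namespace?
type NamespaceAccessFunc func(u UserInfo, namespace string) bool

// Authorizer is a hypothetical tenant authorizer. Members of any AdminGroups
// entry may read every tenant; everyone else is limited to the application
// tenant, and only for namespaces the access hook approves.
type Authorizer struct {
	AdminGroups      []string
	CanReadNamespace NamespaceAccessFunc
}

// IsAdmin reports whether the user belongs to at least one configured admin group.
func (a Authorizer) IsAdmin(u UserInfo) bool {
	for _, g := range u.Groups {
		for _, admin := range a.AdminGroups {
			if g == admin {
				return true
			}
		}
	}
	return false
}

// Authorize decides whether u may query tenant t. namespaces lists the
// namespaces an application query selects; it is ignored for the other tenants.
func (a Authorizer) Authorize(u UserInfo, t Tenant, namespaces []string) error {
	if a.IsAdmin(u) {
		return nil
	}
	switch t {
	case TenantInfrastructure, TenantAudit:
		return fmt.Errorf("%w: user %q is not in any admin group %v", ErrForbidden, u.Name, a.AdminGroups)
	case TenantApplication:
		if len(namespaces) == 0 {
			return fmt.Errorf("%w: application queries must select a namespace", ErrForbidden)
		}
		for _, ns := range namespaces {
			if a.CanReadNamespace == nil || !a.CanReadNamespace(u, ns) {
				return fmt.Errorf("%w: user %q may not read namespace %q", ErrForbidden, u.Name, ns)
			}
		}
		return nil
	default:
		return fmt.Errorf("%w: unknown tenant %q", ErrForbidden, t)
	}
}

// BeforeFixAuthorizer recognises only the kubeadmin-style group (assumed value).
func BeforeFixAuthorizer(sar NamespaceAccessFunc) Authorizer {
	return Authorizer{AdminGroups: []string{"system:cluster-admins"}, CanReadNamespace: sar}
}

// AfterFixAuthorizer also treats cluster-admin and dedicated-admin members as admins.
func AfterFixAuthorizer(sar NamespaceAccessFunc) Authorizer {
	return Authorizer{
		AdminGroups:      []string{"system:cluster-admins", "cluster-admin", "dedicated-admin"},
		CanReadNamespace: sar,
	}
}

// Constructed sample identities; they are not real TokenReview output.
var (
	KubeAdmin = UserInfo{Name: "kube:admin", Groups: []string{"system:cluster-admins", "system:authenticated"}}
	TestUser1 = UserInfo{Name: "testuser-1", Groups: []string{"system:authenticated", "system:authenticated:oauth", "cluster-admin"}}
)

// allowTestNamespace is a constructed stand-in for a SubjectAccessReview that
// lets testuser-1 read only the namespace test-project.
func allowTestNamespace(u UserInfo, ns string) bool {
	return u.Name == "testuser-1" && ns == "test-project"
}

func main() {
	for _, tc := range []struct {
		label string
		auth  Authorizer
	}{
		{"before fix", BeforeFixAuthorizer(allowTestNamespace)},
		{"after fix", AfterFixAuthorizer(allowTestNamespace)},
	} {
		for _, u := range []UserInfo{KubeAdmin, TestUser1} {
			fmt.Printf("%-10s %-11s audit: %v\n", tc.label, u.Name, tc.auth.Authorize(u, TenantAudit, nil))
		}
	}
}
```

Running it shows the ticket's symptom under the before-fix list (kube:admin allowed, testuser-1 forbidden for the audit tenant) and both allowed under the after-fix list, while a user with no admin group is still confined to application logs in namespaces the access hook approves.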

            People

              rojacob@redhat.com Robert Jacob
              anli@redhat.com Anping Li
              Votes: 0
              Watchers: 6
