Details
-
Bug
-
Resolution: Done
-
Undefined
-
Logging 5.6.0
-
False
-
None
-
False
-
NEW
-
VERIFIED
-
Log Storage - Sprint 223, Log Storage - Sprint 224, Log Storage - Sprint 225
Description
How reproducible:
Always
Steps to Reproduce:
1. Forward all logs from Fluentd to Lokistack
-- apiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" namespace: openshift-logging spec: managementState: "Managed" logStore: type: "lokistack" lokistack: name: lokistack-sample collection: type: "fluentd" -- apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: pipelines: - name: all-to-defaultES inputRefs: - infrastructure - application - audit outputRefs: - default
2. Check the audit logs via kube-admin
logcli -o raw --tls-skip-verify --bearer-token="${kubeadmin_bearer_token}" --addr="https://${lokistack_route}/api/logs/v1/audit" query --limit=3 '
3. Check the audit logs via testuser-1 who has cluster-admin roles
oc adm policy add-cluster-role-to-user cluster-admin testuser-1
logcli -o raw --tls-skip-verify --bearer-token="${testuser1_bearer_token}" --addr="https://${lokistack_route}/api/logs/v1/audit" query --limit=3 '{log_type="audit"}
'
Expected result:
Both kube-admin and testuser-1 can see audit logs
Actual result:
kube-admin can see all logs
testuser-1 can not see audit logs
Attachments
Issue Links
- clones
-
-
- Closed
-
