Details
-
Bug
-
Resolution: Done
-
Normal
-
Logging 5.3.0
-
False
-
None
-
False
-
NEW
-
VERIFIED
-
-
?
-
Log Storage - Sprint 227, Log Storage - Sprint 228
-
Moderate
-
QE Confirmed
Description
Description of problem:
Following error intermittingly when logging in to Kibana:-
{"statusCode":401,"error":"Unauthorized","message":"Authentication Exception"}
It started when the duration of the oauth session has been changed to 10 mins (enforced by a Red Hat compliance operator remediation as per CIS guidelines):
~~~
$ oc get oauth cluster -o yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
release.openshift.io/create-only: "true"
creationTimestamp: "2022-05-14T11:47:47Z"
generation: 7
name: cluster
ownerReferences:
- apiVersion: config.openshift.io/v1
kind: ClusterVersion
name: version
uid: c7248601-bee7-45c0-956e-e02e2c3eb720
resourceVersion: "44916907"
uid: 753258e4-d31b-453f-a7b8-52a63f018840
spec:
identityProviders:
- ldap:
attributes:
email:
- mail
id:
- desktopProfile
name:
- cn
preferredUsername:
- desktopProfile
bindDN: CN=SRVAPPOCPLDAPDEV01,OU=Application Admins Service Accounts,OU=Application Admins,OU=Shared Services,DC=global,DC=lloydstsb,DC=com
bindPassword:
name: ldap-secret
ca:
name: lbg-ldaps-cert
insecure: false
url: ldaps://dcrlgv0006.global.lloydstsb.com:636/DC=global,DC=lloydstsb,DC=com?desktopProfile
mappingMethod: add
name: global.lloydstsb.com
type: LDAP
tokenConfig:
accessTokenInactivityTimeout: 10m0s
accessTokenMaxAgeSeconds: 32400
~~~
- We can not increase the accessTokenInactivityTimeout to more due to compliance check.
Slack with Logging Engineering: https://coreos.slack.com/archives/CB3HXM2QK/p1660736656526239
Version-Release number of selected component (if applicable):
How reproducible:
The sequence of events is (see attached mp4):
Log onto the OCP UI Select logging - this prompts for another oauth log in After a period of inactivity, kibana reports as being unauthorized If you then log onto the OCP UI and select LOGGING it returns the 401 unauthorized error - if you look at the cookies there is one named _oauth_proxy for the kibana-openshift-logging.apps.<cluster> domain - if you delete this cookie and refresh you a prompted to log in as per step 2.
Actual results: The presence of the _oauth_proxy cookie is causing the problem and we must delete it manually lo log in back.
Expected results:
Not having login issues.
Additional info:
Attachments
Issue Links
- is cloned by
-
-
- Closed
-
- links to
- mentioned on
