-
Bug
-
Resolution: Done
-
Normal
-
Logging 5.3.0
-
False
-
None
-
False
-
NEW
-
VERIFIED
-
-
Log Storage - Sprint 227, Log Storage - Sprint 228
-
Moderate
-
QE Confirmed
-
?
Description of problem:
Following error intermittingly when logging in to Kibana:- {"statusCode":401,"error":"Unauthorized","message":"Authentication Exception"} It started when the duration of the oauth session has been changed to 10 mins (enforced by a Red Hat compliance operator remediation as per CIS guidelines): ~~~ $ oc get oauth cluster -o yaml apiVersion: config.openshift.io/v1 kind: OAuth metadata: annotations: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/create-only: "true" creationTimestamp: "2022-05-14T11:47:47Z" generation: 7 name: cluster ownerReferences: - apiVersion: config.openshift.io/v1 kind: ClusterVersion name: version uid: c7248601-bee7-45c0-956e-e02e2c3eb720 resourceVersion: "44916907" uid: 753258e4-d31b-453f-a7b8-52a63f018840 spec: identityProviders: - ldap: attributes: email: - mail id: - desktopProfile name: - cn preferredUsername: - desktopProfile bindDN: CN=SRVAPPOCPLDAPDEV01,OU=Application Admins Service Accounts,OU=Application Admins,OU=Shared Services,DC=global,DC=lloydstsb,DC=com bindPassword: name: ldap-secret ca: name: lbg-ldaps-cert insecure: false url: ldaps://dcrlgv0006.global.lloydstsb.com:636/DC=global,DC=lloydstsb,DC=com?desktopProfile mappingMethod: add name: global.lloydstsb.com type: LDAP tokenConfig: accessTokenInactivityTimeout: 10m0s accessTokenMaxAgeSeconds: 32400 ~~~ - We can not increase the accessTokenInactivityTimeout to more due to compliance check. Slack with Logging Engineering: https://coreos.slack.com/archives/CB3HXM2QK/p1660736656526239
Version-Release number of selected component (if applicable):
How reproducible:
The sequence of events is (see attached mp4):
Log onto the OCP UI Select logging - this prompts for another oauth log in After a period of inactivity, kibana reports as being unauthorized If you then log onto the OCP UI and select LOGGING it returns the 401 unauthorized error - if you look at the cookies there is one named _oauth_proxy for the kibana-openshift-logging.apps.<cluster> domain - if you delete this cookie and refresh you a prompted to log in as per step 2.
Actual results: The presence of the _oauth_proxy cookie is causing the problem and we must delete it manually lo log in back.
Expected results:
Not having login issues.
Additional info:
- clones
-
LOG-3305 [release-5.5] Kibana Authentication Exception cookie issue
- Closed
- links to
- mentioned on