OpenShift Logging / LOG-3306

[release-5.4] Kibana Authentication Exception cookie issue


    • False
    • None
    • False
    • NEW
    • VERIFIED
      Before fix, Kibana had a fixed 24h OAuth cookie expiration time, which resulted in 401 errors in Kibana whenever the accessTokenInactivityTimeout was set to a value lower than 24h. After the fix, Kibana's OAuth cookie expiration time is synchronized to the accessTokenInactivityTimeout, with a default of 24h in case the latter is not defined.
    • Log Storage - Sprint 227, Log Storage - Sprint 228
    • Moderate
    • QE Confirmed

      Description of problem:

      The following error occurs intermittently when logging in to Kibana:
      
      {"statusCode":401,"error":"Unauthorized","message":"Authentication Exception"}
      
      It started when the duration of the OAuth session was changed to 10 minutes (enforced by a Red Hat Compliance Operator remediation as per CIS guidelines):
      
      ~~~
      $ oc get oauth cluster -o yaml
      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
        annotations:
          include.release.openshift.io/ibm-cloud-managed: "true"
          include.release.openshift.io/self-managed-high-availability: "true"
          include.release.openshift.io/single-node-developer: "true"
          release.openshift.io/create-only: "true"
        creationTimestamp: "2022-05-14T11:47:47Z"
        generation: 7

        name: cluster
        ownerReferences:
        - apiVersion: config.openshift.io/v1
          kind: ClusterVersion
          name: version
          uid: c7248601-bee7-45c0-956e-e02e2c3eb720
        resourceVersion: "44916907"
        uid: 753258e4-d31b-453f-a7b8-52a63f018840
      spec:
        identityProviders:
        - ldap:
            attributes:
              email:
              - mail
              id:
              - desktopProfile
              name:
              - cn
              preferredUsername:
              - desktopProfile
            bindDN: CN=SRVAPPOCPLDAPDEV01,OU=Application Admins Service Accounts,OU=Application Admins,OU=Shared Services,DC=global,DC=lloydstsb,DC=com
            bindPassword:
              name: ldap-secret
            ca:
              name: lbg-ldaps-cert
            insecure: false
            url: ldaps://dcrlgv0006.global.lloydstsb.com:636/DC=global,DC=lloydstsb,DC=com?desktopProfile
          mappingMethod: add
          name: global.lloydstsb.com
          type: LDAP
        tokenConfig:
          accessTokenInactivityTimeout: 10m0s
          accessTokenMaxAgeSeconds: 32400
      ~~~

      - We cannot increase the accessTokenInactivityTimeout any further because of the compliance check.
      
      Slack with Logging Engineering: https://coreos.slack.com/archives/CB3HXM2QK/p1660736656526239  

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      The sequence of events is (see attached mp4):

      1. Log onto the OCP UI.
      2. Select Logging; this prompts for another OAuth login.
      3. After a period of inactivity, Kibana reports as being unauthorized.
      4. If you then log onto the OCP UI and select LOGGING, it returns the 401 Unauthorized error. If you look at the cookies there is one named _oauth_proxy for the kibana-openshift-logging.apps.<cluster> domain; if you delete this cookie and refresh, you are prompted to log in as per step 2.

       

      Actual results: The presence of the _oauth_proxy cookie is causing the problem, and we must delete it manually to log back in.

       

      Expected results:

      Not having login issues.

      Additional info:

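      The release note above describes the fix as synchronizing the Kibana oauth-proxy cookie lifetime to accessTokenInactivityTimeout, with a 24h fallback when the field is undefined. The following Go program is an added example (not code from the cluster-logging-operator or oauth-proxy) that derives the cookie lifetime from the OAuth resource's duration string, flags the misconfiguration where the cookie outlives the token, and models the reproduction sequence with a deliberately simplified session model (cookie valid for a fixed window after it was issued, token valid for the inactivity window after the last request); the function names, the session model and the timeline values are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// defaultCookieExpiry is the fixed 24h cookie lifetime Kibana's oauth-proxy used before the
// fix, and the fallback the fix keeps when accessTokenInactivityTimeout is not defined.
const defaultCookieExpiry = 24 * time.Hour

// cookieExpiryFor derives the oauth-proxy cookie lifetime from the OAuth resource's
// spec.tokenConfig.accessTokenInactivityTimeout value, which uses Go duration syntax
// ("10m0s" in the report). An empty string means the field is absent, so the 24h default applies.
func cookieExpiryFor(accessTokenInactivityTimeout string) (time.Duration, error) {
	if accessTokenInactivityTimeout == "" {
		return defaultCookieExpiry, nil
	}
	d, err := time.ParseDuration(accessTokenInactivityTimeout)
	if err != nil {
		return 0, fmt.Errorf("invalid accessTokenInactivityTimeout %q: %w", accessTokenInactivityTimeout, err)
	}
	if d <= 0 {
		return 0, errors.New("accessTokenInactivityTimeout must be positive")
	}
	return d, nil
}

// cookieOutlivesToken reports the misconfiguration behind this issue: a proxy cookie that
// stays valid longer than the access token it wraps, so the proxy keeps forwarding requests
// that the OAuth server will reject with 401 instead of redirecting to a fresh login.
func cookieOutlivesToken(cookieExpiry, inactivityTimeout time.Duration) bool {
	return inactivityTimeout > 0 && cookieExpiry > inactivityTimeout
}

// sessionState classifies what the user sees when opening Kibana.
type sessionState int

const (
	sessionActive  sessionState = iota // cookie and token both valid: Kibana loads
	sessionStale                       // cookie valid, token timed out: "Authentication Exception" 401
	sessionExpired                     // cookie expired: proxy redirects to the OAuth login page
)

func (s sessionState) String() string {
	switch s {
	case sessionActive:
		return "active"
	case sessionStale:
		return "stale (401 Authentication Exception)"
	default:
		return "expired (prompted to log in again)"
	}
}

// classifySession is a simplified model, an assumption of this example rather than
// oauth-proxy's exact logic: the cookie is valid for cookieExpiry after it was last issued,
// and the token is valid for inactivityTimeout after the last request that used it.
// inactivityTimeout <= 0 means no inactivity timeout is configured.
func classifySession(cookieIssuedAt, lastActivity, now time.Time, cookieExpiry, inactivityTimeout time.Duration) sessionState {
	cookieValid := now.Before(cookieIssuedAt.Add(cookieExpiry))
	tokenValid := inactivityTimeout <= 0 || now.Before(lastActivity.Add(inactivityTimeout))
	switch {
	case !cookieValid:
		return sessionExpired
	case !tokenValid:
		return sessionStale
	default:
		return sessionActive
	}
}

func main() {
	// Constructed timeline: login at 10:00 UTC, then 30 minutes of inactivity.
	login := time.Date(2022, 8, 17, 10, 0, 0, 0, time.UTC)
	idle := login.Add(30 * time.Minute)
	inactivity, err := cookieExpiryFor("10m0s") // value from the OAuth spec in the report
	if err != nil {
		panic(err)
	}

	fmt.Println("cookie outlives token before fix:", cookieOutlivesToken(defaultCookieExpiry, inactivity))
	fmt.Println("before fix:", classifySession(login, login, idle, defaultCookieExpiry, inactivity))
	fmt.Println("after fix: ", classifySession(login, login, idle, inactivity, inactivity))
}
```

      Run with `go run .`: with the 24h cookie the idle session is classified as stale, which is the 401 the reporter sees; with the cookie lifetime tied to the 10m inactivity timeout the same idle session is classified as expired, so the proxy sends the user back to the OAuth login instead of replaying a dead token.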

              rh-ee-mbouqsim Mohamed-Amine Bouqsimi (Inactive)
              rhn-support-dahernan David Hernandez Fernandez
              Anping Li Anping Li