OpenShift Logging / LOG-4927

User can still query blocked queries on matching regex pattern


    • Log Storage - Sprint 247, Log Storage - Sprint 248, Log Storage - Sprint 249, Log Storage - Sprint 250

      Description:
      When LokiStack is configured to block queries with a regex pattern, a user can still run queries that match the regex pattern.

      spec:
        limits:
          tenants:
            application:
              queries:
                blocked:
                  - pattern: '.*my-app.*'
                    regex: true
                queryTimeout: 3m
      .....
      $ logcli -o raw --tls-skip-verify --bearer-token="$(oc whoami -t)" --addr="https://lokistack-dev-openshift-logging.apps.kbharti-0103a.qe.devcluster.openshift.com/api/logs/v1/application" query '{kubernetes_namespace_name="my-app"}' | tail -1
      2024/01/03 14:45:38 https://lokistack-dev-openshift-logging.apps.kbharti-0103a.qe.devcluster.openshift.com/api/logs/v1/application/loki/api/v1/query_range?direction=BACKWARD&end=1704273338385011000&limit=30&query=%7Bkubernetes_namespace_name%3D%22my-app%22%7D&start=1704269738385011000
      2024/01/03 14:45:40 Common labels: {kubernetes_container_name="centos-logtest", kubernetes_host="ip-10-0-4-212.us-east-2.compute.internal", kubernetes_namespace_name="my-app", kubernetes_pod_name="centos-logtest-mbs7b", log_type="application"}
      {"@timestamp":"2024-01-03T09:15:08.804487774Z","file":"/var/log/pods/my-app_centos-logtest-mbs7b_0d7d2952-3c0a-49e1-af99-7dd804751b85/centos-logtest/0.log","hostname":"ip-10-0-4-212.us-east-2.compute.internal","kubernetes":{"annotations":{"k8s.v1.cni.cncf.io/network-status":"[{\n    \"name\": \"openshift-sdn\",\n    \"interface\": \"eth0\",\n    \"ips\": [\n        \"10.128.2.21\"\n    ],\n    \"default\": true,\n    \"dns\": {}\n}]","openshift.io/scc":"restricted-v2","seccomp.security.alpha.kubernetes.io/pod":"runtime/default"},"container_id":"cri-o://05700f622d8f63bf5ef6ef9c44463c74e208f9225af9ac9d40c3537ac74c4bb6","container_image":"quay.io/openshifttest/ocp-logtest@sha256:6e2973d7d454ce412ad90e99ce584bf221866953da42858c4629873e53778606","container_image_id":"quay.io/openshifttest/ocp-logtest@sha256:6e2973d7d454ce412ad90e99ce584bf221866953da42858c4629873e53778606","container_name":"centos-logtest","labels":{"run-d":"centos-logtest-dev-d","test-d":"centos-logtest-dev-d"},"namespace_id":"4fa17cbb-2009-4a24-9ea4-631ff67506e2","namespace_labels":{"kubernetes_io_metadata_name":"my-app","pod-security_kubernetes_io_audit":"restricted","pod-security_kubernetes_io_audit-version":"v1.24","pod-security_kubernetes_io_warn":"restricted","pod-security_kubernetes_io_warn-version":"v1.24"},"namespace_name":"my-app","pod_id":"0d7d2952-3c0a-49e1-af99-7dd804751b85","pod_ip":"10.128.2.21","pod_name":"centos-logtest-mbs7b","pod_owner":"ReplicationController/centos-logtest"},"level":"default","log_type":"application","message":"{\"message\": \"MERGE_JSON_LOG=true\", \"level\": \"debug\",\"Layer1\": \"layer1 0\", \"layer2\":
      {\"name\":\"Layer2 1\", \"tips\":\"Decide by PRESERVE_JSON_LOG\"}
      , \"StringNumber\":\"10\", \"Number\": 10,\"foo.bar\":\"Dot Item\",\"{foobar}\":\"Brace Item\",\"[foobar]\":\"Bracket Item\", \"foo:bar\":\"Colon Item\",\"foo bar\":\"Space Item\" }","openshift":{"cluster_id":"9160f4db-f7c2-4970-b148-97226fddad15","sequence":6845}}
      

      runtime-config.yaml

      ---
      overrides:
        application:
          query_timeout: 3m
          blocked_queries:
          - pattern: |
              .*my-app.*
            
            regex: true

      How reproducible: Always

      Steps to reproduce:
      1) Deploy CLO and LO v5.9
      2) Provision lokistack with required regex pattern
      3) Forward logs to Loki
      4) Query for logs on namespace which should be blocked by regex

      Expected result:
      Query matching regex should be blocked

      Actual result:
      User can query data successfully

      Additional Info:
      When LokiStack is set up as below, the user's query is denied as per policy:

      spec:
        limits:
          tenants:
            application:
              queries:
                blocked:
                  - pattern: '{kubernetes_namespace_name="my-app-1"}'
                queryTimeout: 3m
        managementState: Managed
      .....
      $ logcli -o raw --tls-skip-verify --bearer-token="$(oc whoami -t)" --addr="https://lokistack-dev-openshift-logging.apps.kbharti-0103a.qe.devcluster.openshift.com/api/logs/v1/application" query '{kubernetes_namespace_name="my-app-1"}' | tail -1
      
      2024/01/03 14:50:29 https://lokistack-dev-openshift-logging.apps.kbharti-0103a.qe.devcluster.openshift.com/api/logs/v1/application/loki/api/v1/query_range?direction=BACKWARD&end=1704273629493221000&limit=30&query=%7Bkubernetes_namespace_name%3D%22my-app-1%22%7D&start=1704270029493221000
      2024/01/03 14:50:30 Error response from server: query blocked by policy
       (<nil>) attempts remaining: 0
      2024/01/03 14:50:30 Query failed: run out of attempts while querying the server
      

      runtime-config.yaml

      ---
      overrides:
        application:
          query_timeout: 3m
          blocked_queries:
          - pattern: |
              {kubernetes_namespace_name="my-app-1"}
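
      An added diagnostic, not part of the original report or of the operator's code: it reads the `pattern: |` block from the two generated runtime-config.yaml fragments above and shows that a YAML literal block keeps one trailing newline in the value. `is_blocked` is a hypothetical model which assumes the exact comparison trims whitespace while the regex is compiled from the untrimmed value; the report itself does not state a root cause.

```python
import re

# Constructed from the two generated runtime-config.yaml fragments in this report.
REGEX_CFG = """\
overrides:
  application:
    blocked_queries:
    - pattern: |
        .*my-app.*

      regex: true
"""
EXACT_CFG = """\
overrides:
  application:
    blocked_queries:
    - pattern: |
        {kubernetes_namespace_name="my-app-1"}
"""

def literal_block(text, key="pattern"):
    """Value of the first `key: |` literal block scalar (default 'clip' chomping)."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.rstrip().endswith(f"{key}: |"))
    body, indent = [], None
    for line in lines[start + 1:]:
        if line.strip():
            cur = len(line) - len(line.lstrip())
            if indent is None:
                indent = cur
            elif cur < indent:
                break  # a dedent ends the block
            body.append(line[indent:])
        else:
            body.append("")
    while body and body[-1] == "":
        body.pop()  # clip: trailing blank lines collapse ...
    return "\n".join(body) + "\n"  # ... to exactly one newline

def is_blocked(pattern, query, regex=False, trim=False):
    """Hypothetical blocker model (an assumption, not Loki's code)."""
    if pattern.strip() == query.strip():  # exact match, whitespace-insensitive
        return True
    if regex:
        return re.search(pattern.strip() if trim else pattern, query) is not None
    return False

if __name__ == "__main__":
    q = '{kubernetes_namespace_name="my-app"}'
    p = literal_block(REGEX_CFG)
    print(repr(p), is_blocked(p, q, regex=True), is_blocked(p, q, regex=True, trim=True))
```

      Under that assumption the model reproduces both results in this report: the exact pattern blocks its query, and the regex pattern only matches once the trailing newline is stripped.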

      People: Bayan Taani (btaani@redhat.com), Kabir Bharti (rhn-support-kbharti)