Bug
Resolution: Unresolved
Normal
Logging 5.9.8
Important
Description of problem:
- Non-cluster-admin users can't use "streaming log" under the "Aggregated Logs" tab in the web console; it fails with "WebSocket error"
- Non-cluster-admin users can't see streaming logs with specified labels.
Version-Release number of selected component (if applicable):
- OCP4.14.z
- OpenShift Logging 5.8.z / 5.9.z
- LokiStack 5.8.z / 5.9.z
How reproducible:
1. Create test users
   - project-admin
   - users who have a project view role
   - users bound with view-application-logs clusterrole binding
   - cluster-admin
2. Log in to the OCP web console
3. Administrator > Workloads > Pods > Aggregated Logs > Push streaming button (there is a play button on the right side)
Steps to Reproduce:
1. The project-admin user tries "Run Query"
   1) Administrator > Workloads > Pods > Aggregated Logs > Run Query
   2) Console shows Forbidden error with "Missing permissons to get logs"
   3) Grant this role to the user. Create the RoleBinding
~~~
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: view-application-logs
  namespace: <namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-logging-application-view
subjects:
- kind: User
  name: <username>
  apiGroup: rbac.authorization.k8s.io
~~~
   4) "Run Query" shows messages in the web console
2. The project-admin user tries pushing the log streaming button
   1) Administrator > Workloads > Pods > Aggregated Logs > Push streaming button
   2) Console shows "WebSocket error"
   => But this is working with cluster-admin user.
Actual results:
- Console shows "WebSocket error"
- Users can't show streaming logs in Aggregated Logs

# Console logs show 403 Forbidden status when pushing the streaming logs button.
~~~
2024/10/25 06:32:41 Failed to dial backend: 'websocket: bad handshake' Status: '403 Forbidden' URL: 'https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/application/loki/api/v1/tail?query=%7B+kubernetes_pod_name%3D%22istiod-basic-6588b457ff-7fn6l%22+%7D+%7C%3D+%60terminated%60+%7C+json&limit=200'
2024/10/25 06:33:00 Failed to dial backend: 'websocket: bad handshake' Status: '403 Forbidden' URL: 'https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/application/loki/api/v1/tail?query=%7B+kubernetes_pod_name%3D%22istiod-basic-6588b457ff-7fn6l%22+%7D+%7C%3D+%60terminated%60+%7C+json&limit=200'
~~~
Expected results:
- project-admin and users who have a log viewing role in the project can see streaming logs in Aggregated Logs with specified labels.
Additional info:
- Please see the attached screenshots.
- These are web console error messages with a project-admin user
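
For triage, the console's "Failed to dial backend" lines can be parsed to recover the tenant, the Loki endpoint and the decoded LogQL query that the gateway rejected. This is an added example, not part of the original report or of the console or Loki code; the line format and the `/api/logs/v1/<tenant>/loki/api/v1/<endpoint>` path layout are assumed from the two log lines quoted under "Actual results", and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Sample input: the first two lines are the ones quoted in the report; the last
# is a constructed unrelated line showing that non-matching lines are skipped.
_URL = ("https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080"
        "/api/logs/v1/application/loki/api/v1/tail?query=%7B+kubernetes_pod_name"
        "%3D%22istiod-basic-6588b457ff-7fn6l%22+%7D+%7C%3D+%60terminated%60+%7C+json"
        "&limit=200")
SAMPLE = "\n".join([
    f"2024/10/25 06:32:41 Failed to dial backend: 'websocket: bad handshake' Status: '403 Forbidden' URL: '{_URL}'",
    f"2024/10/25 06:33:00 Failed to dial backend: 'websocket: bad handshake' Status: '403 Forbidden' URL: '{_URL}'",
    "2024/10/25 06:33:05 constructed unrelated console line",
])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Failed to dial backend: "
    r"'(?P<error>[^']*)' Status: '(?P<status>\d{3}) [^']*' URL: '(?P<url>[^']+)'$"
)
# Path layout assumed from the URL shown in the report.
PATH_RE = re.compile(r"^/api/logs/v1/(?P<tenant>[^/]+)/loki/api/v1/(?P<endpoint>.+)$")

def parse_line(line):
    """Return the fields of one 'Failed to dial backend' line, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    url = urlsplit(m["url"])
    path = PATH_RE.match(url.path)
    params = parse_qs(url.query)  # decodes %XX and '+' back into the LogQL text
    return {
        "time": m["ts"],
        "error": m["error"],
        "status": int(m["status"]),
        "backend": url.netloc,
        "tenant": path["tenant"] if path else None,
        "endpoint": path["endpoint"] if path else None,
        "logql": params.get("query", [None])[0],
        "limit": params.get("limit", [None])[0],
    }

def summarize(text):
    """Count rejected backend handshakes per (tenant, endpoint, status)."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return Counter((e["tenant"], e["endpoint"], e["status"]) for e in events)

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    print(parse_line(SAMPLE.splitlines()[0])["logql"])
```

Running the same parser over console logs captured for the cluster-admin user and for the project-admin user gives a direct comparison of which tenant and endpoint combinations are rejected for each.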