  1. OpenShift Logging
  2. LOG-6323

Non-cluster-admin users can't use "streaming log" under "Aggregated Logs" tab in the web console.


      Description of problem:

      - Non-cluster-admin users can't use "streaming log" under "Aggregated Logs" tab in the web console with "WebSocket error"    
      - Non-cluster-admin users can't see streaming logs with specified labels.

      Version-Release number of selected component (if applicable):

      - OCP4.14.z
      - OpenShift Logging 5.8.z / 5.9.z
      - LokiStack 5.8.z / 5.9.z

      How reproducible:

      1. Create test users 
      - project-admin
      - users who have a project view role
      - users bound with view-application-logs clusterrole binding
      - cluster-admin 
      
      2. Log in to the OCP web console
      
      3. Administrator > Workloads > Pods > Aggregated Logs > Push streaming button (there is a play button on the right side)

      Steps to Reproduce:

      1. The project-admin user tries "Run Query"
      
      1) Administrator > Workloads > Pods > Aggregated Logs > Run Query
      2) Console shows Forbidden error with "Missing permissons to get logs"
      3) Grant this role to the user. Create the RoleBinding
      ~~~
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: view-application-logs
        namespace: <namespace>
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-logging-application-view
      subjects:
      - kind: User
        name: <username>
        apiGroup: rbac.authorization.k8s.io
      ~~~
      4) "Run Query" shows Message in the web console
      
      2. The project-admin user tries pushing the log streaming button
      1) Administrator > Workloads > Pods > Aggregated Logs > Push streaming button
      2) Console shows "WebSocket error" => But this is working with cluster-admin user.
           

      Actual results:

      - Console shows "WebSocket error"
      - Users can't show streaming logs in Aggregated Logs
      
      # Console logs show 403 Forbidden status when pushing the streaming logs button.
      2024/10/25 06:32:41 Failed to dial backend: 'websocket: bad handshake' Status: '403 Forbidden' URL: 'https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/application/loki/api/v1/tail?query=%7B+kubernetes_pod_name%3D%22istiod-basic-6588b457ff-7fn6l%22+%7D+%7C%3D+%60terminated%60+%7C+json&limit=200'
      2024/10/25 06:33:00 Failed to dial backend: 'websocket: bad handshake' Status: '403 Forbidden' URL: 'https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/application/loki/api/v1/tail?query=%7B+kubernetes_pod_name%3D%22istiod-basic-6588b457ff-7fn6l%22+%7D+%7C%3D+%60terminated%60+%7C+json&limit=200'

      Expected results:

      - project-admin and users who have the log viewing role in the project can see streaming logs in Aggregated Logs with specified labels.

      Additional info:

      - Please see the attached screenshots.
      - These are web console error messages with a project-admin user

        1. aggregated_log_run_query.png
          142 kB
          Sophia Hyosun Kim
        2. streaming_log_websocket_error.png
          107 kB
          Sophia Hyosun Kim

              Unassigned Unassigned
              rhn-support-hyoskim Sophia Hyosun Kim
              Anping Li Anping Li
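
For triaging the console log lines quoted in the report, the following added example (not part of the original issue or of any OpenShift component) parses a "Failed to dial backend" line and returns the tenant, Loki endpoint, decoded LogQL query and stream-selector labels of the rejected request, so they can be compared with the user's role bindings. The function names are hypothetical; the sample line is the one shown in the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Log line taken from the report above, split only for readability.
SAMPLE = (
    "2024/10/25 06:32:41 Failed to dial backend: 'websocket: bad handshake' "
    "Status: '403 Forbidden' URL: 'https://logging-loki-gateway-http."
    "openshift-logging.svc.cluster.local:8080/api/logs/v1/application/loki/api/v1/tail"
    "?query=%7B+kubernetes_pod_name%3D%22istiod-basic-6588b457ff-7fn6l%22+%7D"
    "+%7C%3D+%60terminated%60+%7C+json&limit=200'"
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Failed to dial backend: "
    r"'(?P<err>[^']*)' Status: '(?P<status>\d{3})[^']*' URL: '(?P<url>[^']+)'"
)
# Gateway path layout as it appears in the logged URL: /api/logs/v1/<tenant>/loki/api/v1/<endpoint>
PATH_RE = re.compile(r"^/api/logs/v1/(?P<tenant>[^/]+)/loki/api/v1/(?P<endpoint>.+)$")
MATCHER_RE = re.compile(r'(\w+)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"')

def parse_dial_failure(line):
    """Return a dict describing one failed backend dial, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    p = PATH_RE.match(url.path)
    query = parse_qs(url.query).get("query", [""])[0]  # percent- and plus-decoded LogQL
    selector = re.search(r"\{(.*?)\}", query)  # first stream selector; assumes no '}' in values
    labels = {k: v for k, _, v in MATCHER_RE.findall(selector.group(1))} if selector else {}
    return {
        "timestamp": m["ts"], "status": int(m["status"]), "error": m["err"],
        "tenant": p["tenant"] if p else None,
        "endpoint": p["endpoint"] if p else None,
        "logql": query, "labels": labels,
    }

def rejected_tails(lines):
    """Keep only the 403 responses on the streaming (tail) endpoint."""
    recs = (parse_dial_failure(l) for l in lines)
    return [r for r in recs if r and r["status"] == 403 and r["endpoint"] == "tail"]
```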