Bug
Resolution: Unresolved
Logging 5.9
NEW
Critical
Description of problem:
When `Namespaced access` [0] is granted, a couple of issues appear:
- from the "Developer" view
- from the "Administrator" view, which makes the "Namespaced access" [0] permissions unusable from the perspective of a normal user.
The working and non-working scenarios are detailed below.
Version-Release number of selected component (if applicable):
OpenShift 4.14
CLO and Loki Operator versions 5.9.8
How reproducible:
Developer and Administrator view
In the OCP Console there are two possible views:
- `Developer`: where no administration permissions are needed.
- `Administrator`: where the user is expected to have admin permissions.
TESTS done
ENV
OCP 4.14.35
CLO and Loki Operator: 5.9.8
Users: ocasalsa and test
Namespaces:
- User `ocasalsa` owns the namespace `ocasalsa-test`. User `test` has no access to the namespace `ocasalsa-test`.
- User `test` owns the namespace `test-test`. User `ocasalsa` has no access to it.
For user ocasalsa from the Developer view
1. Accessing the logs in its own namespace ocasalsa-test
From `Console > Observe > Logs` (Developer view) the RoleBinding was created using the YAML `user_ocasalsa_namespace_ocasalsa_roleBinding.yaml`. See screenshot `user_ocasalsa_namespace_ocasalsa_roleBinding.png`, where the logs are visible.
Result: this scenario works as expected
2. Accessing the logs in the namespace test-test
This should be the same as "Fine Grained access for Loki logs: Namespaced access" [0]
The RoleBinding was created using the file `user_ocasalsa_namespace_test_roleBinding.yaml` to allow access to the logs coming from the namespace `test-test`. See screenshot `user_ocasalsa_namespace_test_roleBinding.png`.
Issue: the namespace `test-test` is not in the namespace list, but it is possible to query it, as visible in the screenshot `user_ocasalsa_namespace_test_1.png`, by typing the namespace by hand in the query:
{ log_type="application", kubernetes_namespace_name="test-test" } | json
Result: this scenario fails. The problem is only in the Console: the permissions to access the logs work on the Loki side, but the OCP Console does not list the namespace for the user to select.
3. Accessing the logs in the namespace test-test by giving permissions to a group
This should be the same as "Fine Grained access for Loki logs: Namespaced access" [0]
Remove the RoleBinding from step 2 that was allowing the user `ocasalsa` to access the logs in the namespace `test-test`:
$ oc delete RoleBinding view-application-logs -n test-test
rolebinding.rbac.authorization.k8s.io "view-application-logs" deleted
Verify that the user ocasalsa is no longer able to see logs from the namespace `test-test`. See screenshot `user_ocasalsa_namespace_ocasalsa_roleBinding_removed.png`
Create a new group called `loki-ns-group` and add the user `ocasalsa` to it:
$ oc adm groups add-users loki-ns-group ocasalsa
group.user.openshift.io/loki-ns-group added: "ocasalsa"
Create the RoleBinding giving the group `loki-ns-group` permission to view the logs from the namespace `test-test`, using the YAML file `group_loki-ns-group_namespace_test_roleBinding.yaml`
Confirm that the user `ocasalsa` is able to see the logs for the namespace `test-test`. See screenshot `group_loki-ns-group_namespace_test_roleBinding.png`.
Result: this scenario works as expected
For user ocasalsa from the Administrator view
Add the clusterRole `cluster-monitoring-view` to the user `ocasalsa` so that the `Observe` menu is visible in the "Administrator" view:
$ oc adm policy add-cluster-role-to-user cluster-monitoring-view ocasalsa
With the permissions to access the logs of the namespace `test-test` given to the user `ocasalsa` as in point 3 above, the user ocasalsa:
- is able to see the logs for the namespace `test-test` from the Developer view
- is not able to see the logs for the namespace `test-test` from the Administrator view, receiving the errors:
  - error message `Missing permissions to get logs`, but this error is not correct as the user has the permissions given in the previous steps. See the screenshot attached for the error, `administrator_view_error_1.png`
  - when trying to list the namespaces from the filters, the error `namespaces is forbidden: User "ocasalsa" cannot list resource "namespaces" in API group "" at the cluster scope`. It's true that the `cluster-monitoring-view` clusterRole gives the verb `get` and not the verb `list` on namespaces, so either this needs to be documented or it needs to be changed at the console level, but from the point of view of a user it's not working as documented
Result: this scenario fails. The two errors returned by the Console are not good because:
- The user is not "Missing permissions to get the logs", as it is able to get them from the "Developer" view by typing the query by hand (the Console does not list the project, as detailed above). So, if the "Administrator" view is only meant for users with full permissions to see "ALL the logs", the error should be different
- The error `namespaces is forbidden: User "ocasalsa" cannot list resource "namespaces" in API group "" at the cluster scope` is not correct either, as the user was given permission to `get` namespaces when assigned the clusterRole `cluster-monitoring-view`, and was also given permission through "Namespaced access" to see the logs. A user would therefore expect to see the list of namespaces for which it has log access, even without being granted the `list` verb on the `namespaces` resource.
NOTE: if a normal user without admin access is not expected to see all the logs, or all the logs of a `log_type`, from the "Administrator" view, then the errors should be different from those observed in the "Administrator" view.
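To make the RBAC behind scenarios 2 and 3 and the Administrator-view failure concrete, the following is an added example, not part of this report and not the Console's or Loki's real authorizer: a small Python model of Kubernetes RBAC evaluation loaded with the bindings the report creates. Two things in it are assumptions, because the report only shows RoleBinding names and `oc` commands: the ClusterRole behind "Namespaced access" is modelled as `cluster-logging-application-view` with a single rule (apiGroup `loki.grafana.com`, resource `application`, resourceName `logs`, verb `get`), and `cluster-monitoring-view` is reduced to the one rule relevant here (`get` on `namespaces`; the real role carries more rules).

```python
# Added example: minimal Kubernetes-style RBAC evaluator replaying the bindings
# from the report. Not the Console's or Loki's code. ClusterRole names and
# rules below are assumptions (see lead-in); the users, groups, namespaces and
# binding names come from the report.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset
    resource_names: frozenset = frozenset()   # empty = any resource name

    def matches(self, api_group: str, resource: str, verb: str,
                name: Optional[str]) -> bool:
        def hit(allowed: frozenset, value: str) -> bool:
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, api_group)
                and hit(self.resources, resource)
                and hit(self.verbs, verb)
                and (not self.resource_names or name in self.resource_names))


@dataclass(frozen=True)
class Binding:
    role: str                 # name of a ClusterRole in ROLES
    subjects: frozenset       # {("User", name), ("Group", name)}
    namespace: Optional[str]  # None => ClusterRoleBinding, else RoleBinding


ROLES = {
    # assumed shape of the documented "Namespaced access" ClusterRole
    "cluster-logging-application-view": [
        Rule(frozenset({"loki.grafana.com"}), frozenset({"application"}),
             frozenset({"get"}), frozenset({"logs"}))],
    # subset of the real role: only the namespaces rule matters here
    "cluster-monitoring-view": [
        Rule(frozenset({""}), frozenset({"namespaces"}), frozenset({"get"}))],
}

# Bindings as they stand after scenario 3 and the Administrator-view step.
BINDINGS = [
    # scenario 1: user_ocasalsa_namespace_ocasalsa_roleBinding.yaml
    Binding("cluster-logging-application-view",
            frozenset({("User", "ocasalsa")}), "ocasalsa-test"),
    # scenario 3: group_loki-ns-group_namespace_test_roleBinding.yaml
    Binding("cluster-logging-application-view",
            frozenset({("Group", "loki-ns-group")}), "test-test"),
    # oc adm policy add-cluster-role-to-user cluster-monitoring-view ocasalsa
    Binding("cluster-monitoring-view", frozenset({("User", "ocasalsa")}), None),
]

# oc adm groups add-users loki-ns-group ocasalsa
GROUPS = {"ocasalsa": {"loki-ns-group"}, "test": set()}


def allowed(user: str, verb: str, api_group: str, resource: str,
            namespace: Optional[str] = None, name: Optional[str] = None,
            roles=ROLES, bindings=BINDINGS, groups=GROUPS) -> bool:
    """True if a binding for the user (or one of its groups) carries a matching
    rule. A RoleBinding only applies to requests inside its own namespace, so
    it can never satisfy a cluster-scoped request (namespace=None) such as
    listing namespaces; only a ClusterRoleBinding can."""
    subjects = {("User", user)} | {("Group", g) for g in groups.get(user, ())}
    for b in bindings:
        if not (b.subjects & subjects):
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(api_group, resource, verb, name) for r in roles[b.role]):
            return True
    return False


def report_checks() -> dict:
    """The checks that line up with the report's observations."""
    logs = ("get", "loki.grafana.com", "application")
    return {
        # scenario 1: own namespace via the user RoleBinding
        "ocasalsa_get_logs_ocasalsa-test": allowed("ocasalsa", *logs, namespace="ocasalsa-test", name="logs"),
        # scenario 3: test-test via group membership (works on the Loki side)
        "ocasalsa_get_logs_test-test": allowed("ocasalsa", *logs, namespace="test-test", name="logs"),
        # user test has no binding in ocasalsa-test
        "test_get_logs_ocasalsa-test": allowed("test", *logs, namespace="ocasalsa-test", name="logs"),
        # Administrator view: get on one namespace object is granted...
        "ocasalsa_get_namespaces": allowed("ocasalsa", "get", "", "namespaces", name="test-test"),
        # ...but "list namespaces at the cluster scope" is not: no binding carries list
        "ocasalsa_list_namespaces": allowed("ocasalsa", "list", "", "namespaces"),
    }


if __name__ == "__main__":
    for check, ok in report_checks().items():
        print(f"{check}: {'allowed' if ok else 'forbidden'}")
```

The last two checks are the point: `cluster-monitoring-view` satisfies `get` on a namespace, while the namespaced RoleBinding that grants log access cannot satisfy a cluster-scoped `list namespaces`, which is exactly the request the Console's error message in the report refers to. On a real cluster the same distinction can be confirmed with `oc auth can-i get namespaces --as=ocasalsa` versus `oc auth can-i list namespaces --as=ocasalsa`.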
Workaround
Use the "Developer" view as detailed in scenario "2. Accessing the logs in the namespace test-test" and type the query by hand, indicating the namespace whose logs you want:
{ log_type="application", kubernetes_namespace_name="test-test" } | json