Non Admin users get 'no permissions for indices:data/read/field_stats' #360

Closed
jcantrill opened this issue Mar 23, 2017 · 5 comments

@jcantrill
Contributor

jcantrill commented Mar 23, 2017

Logging into Kibana as a non-admin user results in a no permissions error.

Known environment:
origin 1.5

I would suggest enabling DEBUG for the openshift.elasticsearch.plugin to see the dump of the roles and rolemapping files used by SG. It looks as if we have the appropriate roles for the desired action.

Debugging Kibana in the browser shows this error:

POST https://kibana.192.168.121.234.xip.io/elasticsearch/project.myproject.203f3ab1-0040-11e7-9e91-525400307efd.*/_field_stats?level=indices 403 (Forbidden)
@jcantrill jcantrill added this to the release-1.5 milestone Mar 23, 2017
@richm
Contributor

richm commented Mar 23, 2017

Cannot reproduce. Using the latest release-1.5 code. This is what I tried:

# as admin
oc login --username=loguser --password=loguser
oc login --username=system:admin
oc project logging
oadm policy add-role-to-user view loguser
# get token and use to view project.logging.* indices
get_test_user_token loguser loguser
nrecs=`curl_es_from_kibana $kibpod logging-es "project.logging." _count message a | \
       get_count_from_json`

I've also logged in to Kibana using loguser/loguser - works fine

I've also logged into OpenShift as a new user, created a new project, deployed the hello-openshift app, then logged into Kibana as that new user, and viewed the hello-openshift logs.

@jcantrill
Contributor Author

Built roles request: {
  "gen_project_myproject_203f3ab1-0040-11e7-9e91-525400307efd" : {
    "cluster" : [ ],
    "indices" : {
      "myproject?203f3ab1-0040-11e7-9e91-525400307efd?*" : {
        "*" : [ "indices:admin/validate/query*", "indices:admin/get*", "indices:admin/mappings/fields/get*", "indices:data/read*" ]
      },
      "project?myproject?203f3ab1-0040-11e7-9e91-525400307efd?*" : {
        "*" : [ "indices:admin/validate/query*", "indices:admin/get*", "indices:admin/mappings/fields/get*", "indices:data/read*" ]
      }
    }
  },
  "sg_role_kibana" : {
    "cluster" : [ "cluster:monitor/nodes/info", "cluster:monitor/health" ],
    "indices" : {
      "?kibana" : {
        "*" : [ "ALL" ]
      }
    }
  },
  "sg_role_curator" : {
    "cluster" : [ "CLUSTER_MONITOR" ],
    "indices" : {
      "*" : {
        "*" : [ "READ", "MANAGE" ]
      }
    }
  },
  "sg_role_fluentd" : {
    "cluster" : [ ],
    "indices" : {
      "*" : {
        "*" : [ "CREATE_INDEX", "WRITE" ]
      }
    }
  },
  "sg_role_admin" : {
    "cluster" : [ "CLUSTER_ALL" ],
    "indices" : {
      "*" : {
        "*" : [ "ALL" ]
      }
    }
  },
  "sg_project_operations" : {
    "cluster" : [ ],
    "indices" : {
      "*?*?*" : {
        "*" : [ "READ", "indices:admin/validate/query*", "indices:admin/get*", "indices:admin/mappings/fields/get*" ]
      },
      "?operations?*" : {
        "*" : [ "READ", "indices:admin/validate/query*", "indices:admin/get*", "indices:admin/mappings/fields/get*" ]
      }
    }
  },
  "gen_kibana_3dacbce532ccd48f27fa62e993067b3c35f094f7" : {
    "cluster" : [ ],
    "indices" : {
      "?kibana?3dacbce532ccd48f27fa62e993067b3c35f094f7" : {
        "*" : [ "indices:*" ]
      }
    }
  }
}

Built rolesMapping request: {
  "gen_project_myproject_203f3ab1-0040-11e7-9e91-525400307efd" : {
    "users" : [ "developer" ]
  },
  "sg_role_kibana" : {
    "users" : [ "CN=system.logging.kibana,OU=OpenShift,O=Logging" ]
  },
  "sg_role_curator" : {
    "users" : [ "CN=system.logging.curator,OU=OpenShift,O=Logging" ]
  },
  "sg_role_fluentd" : {
    "users" : [ "CN=system.logging.fluentd,OU=OpenShift,O=Logging" ]
  },
  "sg_role_admin" : {
    "users" : [ "CN=system.admin,OU=OpenShift,O=Logging" ]
  },
  "gen_kibana_3dacbce532ccd48f27fa62e993067b3c35f094f7" : {
    "users" : [ "developer" ]
  }
}
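
An added example (not part of the thread, and not Search Guard's or the plugin's own code): an offline check of which roles in a dump like the one above grant a given action to a user on a concrete index. It assumes wildcard semantics where `*` matches any run of characters and `?` exactly one, does not expand named action groups such as READ or ALL, and the names `wildcard_match` and `granting_roles` and the date-suffixed index name in the usage note are constructed for illustration.

```python
import re

# Constructed subset of the roles / rolesMapping dump shown in the thread.
ROLES = {
    "gen_project_myproject_203f3ab1-0040-11e7-9e91-525400307efd": {
        "indices": {
            "project?myproject?203f3ab1-0040-11e7-9e91-525400307efd?*": {
                "*": ["indices:admin/validate/query*", "indices:admin/get*",
                      "indices:admin/mappings/fields/get*", "indices:data/read*"],
            },
        },
    },
    "gen_kibana_3dacbce532ccd48f27fa62e993067b3c35f094f7": {
        "indices": {
            "?kibana?3dacbce532ccd48f27fa62e993067b3c35f094f7": {"*": ["indices:*"]},
        },
    },
}
ROLES_MAPPING = {
    "gen_project_myproject_203f3ab1-0040-11e7-9e91-525400307efd": {"users": ["developer"]},
    "gen_kibana_3dacbce532ccd48f27fa62e993067b3c35f094f7": {"users": ["developer"]},
}


def wildcard_match(pattern, value):
    """'*' matches any run of characters, '?' exactly one; all else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def granting_roles(user, index, action, roles=ROLES, mapping=ROLES_MAPPING):
    """Return (role, index_pattern, action_pattern) triples that allow the action."""
    hits = []
    for role, body in roles.items():
        # Only roles mapped to this user are considered.
        if user not in mapping.get(role, {}).get("users", []):
            continue
        for index_pattern, types in body.get("indices", {}).items():
            if not wildcard_match(index_pattern, index):
                continue
            # The dump keys permissions by document type ("*" here).
            for action_patterns in types.values():
                hits += [(role, index_pattern, p) for p in action_patterns
                         if wildcard_match(p, action)]
    return hits
```

Calling `granting_roles("developer", "project.myproject.203f3ab1-0040-11e7-9e91-525400307efd.2017.03.23", "indices:data/read/field_stats")` returns the project role with the `indices:data/read*` pattern, which agrees with the observation that the roles look appropriate for the action when a concrete index name is checked.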

@richm
Contributor

richm commented Mar 23, 2017

Can only reproduce if the project has no logs. When this happens, I get this error in Kibana:

Discover: [security_exception] no permissions for indices:data/read/field_stats

@jcantrill
Contributor Author

Logged issue for basically the same problem: https://bugzilla.redhat.com/show_bug.cgi?id=1410694. Get Kibana message when no data exists for non-admin users.

@jcantrill
Contributor Author

Resolved in #519
