Bug 1825955: Updating Kibana to use opendistro security plugin multitenancy #1868

Merged


ewolinetz
Contributor

@ewolinetz ewolinetz commented Apr 6, 2020

Logging in to Kibana showed that we were missing READ permissions accessing the .kibana index
Note: I'm not sure if this will need to change when we move to multitenancy via Kibana as the index will likely be different.

@ewolinetz ewolinetz requested a review from vimalk78 April 6, 2020 22:03
@ewolinetz
Contributor Author

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 6, 2020
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 6, 2020
@ewolinetz
Contributor Author

We also seem to be missing index patterns for users... I'll add it onto here.

@ewolinetz ewolinetz force-pushed the missing_kibana_pattern branch 3 times, most recently from 5625254 to e17ab57 Compare April 7, 2020 19:56
@ewolinetz
Contributor Author

@jcantrill @vimalk78
We still don't have index patterns created for users yet... that might need to happen with the multitenant work... We also will need to figure out how to limit users to their Kibana indices. CRUD is so they can create things like visualizations in their namespace, but it also lets them delete index patterns, I believe.

However, with an index pattern manually created I can see logs each user is only allowed to see with the following changes.

@jcantrill
Contributor

> @jcantrill @vimalk78
> we still don't have index patterns created for users yet... that might need to happen with the multitenant work...

We originally discussed this being static, at least for admins. @lukas-vlcek is there a way to insert a document when an index is created?

> we also will need to figure out how to limit users to their kibana indices. CRUD is so they can create things like visualizations in their namespace.. but it also lets them delete indexpatterns i believe.

If users are limited to their own tenant, then this isn't an issue. If all users are using a single tenant then I don't see how we can offer the ability to create visualizations. For starters we may need to limit them to only querying for logs and possibly even identifying how to make that happen for them.

> However, with an index pattern manually created i can see logs each user is only allowed to see with the following changes.

@ewolinetz ewolinetz changed the title Adding required kibana index match for user [WIP] Adding required kibana index match for user Apr 8, 2020
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 8, 2020
@ewolinetz ewolinetz changed the title [WIP] Adding required kibana index match for user [WIP] Updating Kibana to use opendistro security plugin multitenancy Apr 15, 2020
@ewolinetz ewolinetz force-pushed the missing_kibana_pattern branch 2 times, most recently from 6799388 to aa9634d Compare April 15, 2020 22:41
@ewolinetz
Contributor Author

seeing an issue where plugin status gets stuck with the following after a kibana restart:
plugin:opendistro_security@6.8.1 | Setting up index template.

need to investigate further

@ewolinetz
Contributor Author

ewolinetz commented Apr 16, 2020

> seeing an issue where plugin status gets stuck with the following after a kibana restart

I believe this is stemming from the fact that the kibana server is being assigned the project_user role and it lacks necessary permissions...

Update: fixed -- for some reason my kibana user was missing a cluster perm

@ewolinetz
Contributor Author

/refresh

@ewolinetz
Contributor Author

/test images

@ewolinetz
Contributor Author

/refresh

@ewolinetz
Contributor Author

/retest

@ewolinetz
Contributor Author

need to rebase after #1879 merges

@ewolinetz
Contributor Author

/retest

@ewolinetz
Contributor Author

/retest

@ewolinetz
Contributor Author

/retest

@ewolinetz
Contributor Author

/refresh

@ewolinetz
Contributor Author

/retest

@ewolinetz ewolinetz changed the title Updating Kibana to use opendistro security plugin multitenancy Bug 1825955: Updating Kibana to use opendistro security plugin multitenancy Apr 20, 2020
@openshift-ci-robot openshift-ci-robot added the bugzilla/severity-unspecified Referenced Bugzilla bug's severity is unspecified for the PR. label Apr 20, 2020
@openshift-ci-robot

@ewolinetz: This pull request references Bugzilla bug 1825955, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.5.0) matches configured target release for branch (4.5.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1825955: Updating Kibana to use opendistro security plugin multitenancy

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Apr 20, 2020
@ewolinetz
Contributor Author

/retest

@ewolinetz
Contributor Author

smoke testing seems to be failing due to lack of being able to deploy CLO

@ewolinetz
Contributor Author

/retest

@ewolinetz
Contributor Author

/retest

@ewolinetz
Contributor Author

/refresh

@vimalk78
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 22, 2020
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Apr 22, 2020
@ewolinetz
Contributor Author

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 22, 2020
@vimalk78
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 22, 2020
@openshift-merge-robot openshift-merge-robot merged commit 1495b0a into openshift:master Apr 22, 2020
@openshift-ci-robot

@ewolinetz: All pull requests linked via external trackers have merged: openshift/elasticsearch-operator#309, openshift/origin-aggregated-logging#1868. Bugzilla bug 1825955 has been moved to the MODIFIED state.

In response to this:

Bug 1825955: Updating Kibana to use opendistro security plugin multitenancy


@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ewolinetz, vimalk78
