Fix wrong 'archiveLink' for operations user

[josefkarasek]

Opening this PR mostly to get feedback. I'll open a new PR against 3.9 and 3.10 ones the fix is ready, with proper grunt build and test.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1587807

[spadgett]

This is checking that you can view the log you're already viewing... @jcantrill Is this really what we want?

[jcantrill]

This specific issue is that we changed the available index patterns if you are an operations user. You used to get a list of every project in the cluster which was exceedingly long and we modified the seeding to provide only one which matched them all with 'project.*'. The complementary change was not captured in the web console. Operations users are being redirected to Kibana to use an index-pattern which does not exist.

Here we are trying to determine if the use is an operations user by using the same SAR we use in the multi-tenant plugin.

[spadgett]

Here we are trying to determine if the use is an operations user by using the same SAR we use in the multi-tenant plugin.

What SAR specifically do you have?

[josefkarasek]

Only operations users should be able to view pods/log from the logging project, so:

oc auth can-i view pods/log -n openshift-logging

[spadgett]

These two lines can be collapsed into a single if condition

[josefkarasek]

@spadgett This function is confusing me - the third parameter, project, makes the function behave in a way that I don't understand.

When I run the following code while browsing any project other than openshift-logging, logged in as cluster-admin

canI(podsLogVersion, 'view', 'openshift-logging'');

the function evaluates to false. But when I browse pods/log from openshift-logging project, the function evaluates to true. I'm trying to write something like:

oc adm policy who-can view pods/log -n openshift-logging

and weirdly enough, I get that functionality when I don't specify the project in the function call.
I have to take in consideration that the user is either operations user (who can view project & operations logs) or a regular user.

Any idea how to translate the above oc adm command to a API call? Thank you.

[spadgett]

If you need to check a specific permission in another project, you should use SelfSubjectAccessReview

[josefkarasek]

That's what the canI filter does under the hood, isn't it?
I'm trying to use its projectName argument, I assume that

AuthorizationService.canI(resource, verb, projectName)

will issue a request against the Authorization API and SSAR is used on the server, or not?

[spadgett]

No, that's not what it does... You should run a separate SelfSubjectAccessReview request to check access in another project.

[josefkarasek]

Is there some support for it in the code base?

[spadgett]

No, but it should be pretty easy to call DataService.create with a SelfSubjectAccessReview object:

https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access

[josefkarasek]

That's the hint I was hoping for, thanks a lot!

[josefkarasek]

I tried to add SSAR to preferredVersions but somehow this change didn't take effect, even after grunt build.
@spadgett can you advice how to add it?

[spadgett]

Don't worry about adding a preferred version. You'd need to update the origin-web-common repo and cut a release. I don't think it's worth it here.

[josefkarasek]

@spadgett @jcantrill I'm struggling with the async nature of promises. As this function is not called externally (click on a button etc), at this point log view is blocked. Can you help me how to make sure this promise gets evaluated?

[josefkarasek]

I had an issue with my VM, all log files disappeared from the file system. That's why I was seeing weird behavior in the console. The code should be fine.

[josefkarasek]

Will delete once the fix is ready.

[spadgett]

Make sure the API version in the request is the same as the endpoint you're calling. I believe it would be

DataService.create({ group: 'authorization.k8s.io', version: 'v1', resource: 'selfsubjectaccessreviews'}, ...

[spadgett]

We should be caching this response somewhere so we only check it once per session. You probably want to move this into an Angular service.

[josefkarasek]

What if I remove role from a user? That could be a possible danger it that user is logged in a session and has dirty cash.

[josefkarasek]

Disregard, we'll do another round of auth on our side.

[spadgett]

/cc @jcantrill

Jeff should review as well

[josefkarasek]

Depends on openshift/origin-web-common#342

[josefkarasek]

@jcantrill there are still a few issues that need to be resolved

1. The 'Archive link' button sends a kibana search query[1] in the request's body,
   which is discarded during the oauth process (http 302 redirects remove the body).
   As a result the user lands at default kibana index pattern

2. The token sent in the request body[1] is ignored by the proxy.
   Oauth proxy can be configured to read Authorization: Bearer: token header.
   Problem in our case is that the web console uses tokens with scope user:info user:check-access,
   but we need user:info user:check-access user:list-projects scope so that Elasticsearch plugin can use this token to check whether the user is operations user.

[1] https://github.com/openshift/origin-web-console/blob/master/app/views/directives/logs/_log-viewer.html#L10-L16

[spadgett]

If you guys have switched to the OAuth proxy, I don't think we should be sending the token from the console at all anymore, correct?

cc @jwforres

[jwforres]

the original discussion was the switch to using the oauth proxy was supposed to be transparent to console users and that the existing token mechanism was going to behave the same

the discussion about changing the behavior to stop passing token had been a converged console discussion

[jcantrill]

@jwforres @spadgett I incorrectly was under the impression the oauth-proxy was able to function in the same manor as the original proxy. Pending investigation from @josefkarasek about if it its possible to function in the previous capacity, we may need to revert the proxy being used in order to not have a functional regression. We discussed within the logging team regarding the 4.0 release not having a link from console to kibana which means this work would be uneeded. It means however we need to continue to release the old proxy which I was hoping to avoid

[josefkarasek]

@jcantrill @spadgett please let me know what you think. I will then update the PR so we can finish this. Thank you

[jcantrill]

@josefkarasek @spadgett this #3067 will resolve the form post/get issue

[jcantrill]

This is not defined in this repo. Please move to this repo per @spadgett request

[josefkarasek]

It's in vendor.js

[jcantrill]

You are missing the point. The intention is not do any other release of origin-web-common. All the files in 'dist' are generated files that are vendored in through an automated process. The recommendation is o close #342 and move the file to origin-web-console

[jcantrill]

I don't think this needs to be encapsulated this way but I defer to @spadgett. You should be able to simply call:
AggregatedLoggingService.isOperationsUser(currentUser) and assign it to a var. and then pass it in as a param to archiveURI

[spadgett]

It has to be a promise since it makes a selfsubjectaccessreview request to the server, which is asynchronous

[spadgett]

We try to keep these alphabetized

[spadgett]

This should not need to take in a user name since it uses self subject access review. (The cached data will be cleared on logout because the page is reloaded, so that's not a problem here.)

[spadgett]

This seems like overkill since we are only ever storing one value (if the current user is an operations user)

[spadgett]

I don't think this is needed since you should never have multiple in flight requests for this specific permission

[spadgett]

I wouldn't worry about forcing refresh... This permission does not change often. Let's just always use the cached value.

[spadgett]

Why not just...

return $q.when(userAllowed.allowed);

[spadgett]

ng-href

Why does this have button styling? It should just be a normal link.

[spadgett]

if (canViewOperationsLogs && (!prefix || prefix.startsWith('project.')) {

[josefkarasek]

@spadgett are you happy with the latest changes?
If yes, what do we need to do to have this patch merged? This PR is against master, is that ok?
I ran tests against okd 3.10 with latest logging images and they pass.

[spadgett]

return userAllowed;

[spadgett]

return false;

[spadgett]

You don't need to create a Promise yourself. Just return the Promise from DataService.create

return DataService.create(...).then(...);

[spadgett]

style nit: i think the extra parens around canViewOperationsLogs actually make it harder to read

[spadgett]

I'd switch this to an early return if we have a cached value. It's easier to reason about.

if (userAllowed !== undefined) {
  return $q.when(userAllowed);
}

var ssar = { ... };
return DataService.create(...).then(...);

[spadgett]

[FATAL] Built /dist does not match what is committed, run 'grunt build' and include the results in your commit.

[spadgett]

LGTM but there seems to be a dist mismatch

[spadgett]

I'm not sure if this is still needed now that it's a link instead of a form. You can probably get rid of the trustAsResourceUrl call

[spadgett]

Comment is out of date with the code now

[spadgett]

👍 thanks, this looks much cleaner

[josefkarasek]

@spadgett Thank you for your help and feedback. If there's still something to be done please let me know.

[spadgett]

LGTM, except please remove the incorrect comment

[spadgett]

Comment is out of date with the code now

[spadgett]

nit: indentation

[josefkarasek]

not sure what's wrong with indentation here - a new block of code - indented by 2 spaces against its parent block

[spadgett]

/lgtm

Thanks @josefkarasek 👍

[jcantrill]

/cherrypick release-3.10

[openshift-cherrypick-robot]

@jcantrill: #3060 failed to apply on top of branch "release-3.10":

error: Failed to merge in the changes.
Using index info to reconstruct a base tree...
M	app/index.html
M	app/scripts/directives/logViewer.js
M	app/scripts/services/logLinks.js
M	app/views/directives/logs/_log-viewer.html
M	dist/scripts/scripts.js
M	dist/scripts/templates.js
M	dist/scripts/vendor.js
Falling back to patching base and 3-way merge...
Auto-merging dist/scripts/vendor.js
Auto-merging dist/scripts/templates.js
Auto-merging dist/scripts/scripts.js
CONFLICT (content): Merge conflict in dist/scripts/scripts.js
Auto-merging app/views/directives/logs/_log-viewer.html
Auto-merging app/scripts/services/logLinks.js
Auto-merging app/scripts/directives/logViewer.js
CONFLICT (content): Merge conflict in app/scripts/directives/logViewer.js
Auto-merging app/index.html
Patch failed at 0001 Fix wrong 'archiveLink' for operations user

In response to this:

/cherrypick release-3.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jcantrill]

@josefkarasek please backport to 3.10 and 3.9 to fix relevent issues

[spadgett]

Note that this will need some rework if we aren't using oauth proxy in 3.10 and 3.9