Fix wrong 'archiveLink' for operations user

app/index.html

@@ -185,6 +185,7 @@ <h1>JavaScript Required</h1>
         <script src="scripts/services/shims/hawtioExtension.js"></script>
         <script src="scripts/services/browserStore.js"></script>
         <script src="scripts/services/discovery.js"></script>
+        <script src="scripts/services/aggregatedLoggingService.js"></script>
         <script src="scripts/services/applicationGenerator.js"></script>
         <script src="scripts/services/navigate.js"></script>
         <script src="scripts/services/nameGenerator.js"></script>

app/scripts/directives/logViewer.js

@@ -8,9 +8,10 @@ angular.module('openshiftConsole')
     '$window',
     '$filter',
     '$q',
-    'AuthService',
+    'AggregatedLoggingService',
     'APIService',
     'APIDiscovery',
+    'AuthService',
     'DataService',
     'HTMLService',
     'ModalsService',
@@ -21,9 +22,10 @@ angular.module('openshiftConsole')
              $window,
              $filter,
              $q,
-             AuthService,
+             AggregatedLoggingService,
              APIService,
              APIDiscovery,
+             AuthService,
              DataService,
              HTMLService,
              ModalsService,
@@ -434,16 +436,19 @@ angular.module('openshiftConsole')
                 if(!(projectName && containerName && name && url)) {
                   return;
                 }
-                $scope.$watchGroup(['context.project.metadata.name', 'options.container', 'name'], function() {
-                  angular.extend($scope, {
-                    kibanaArchiveUrl: $sce.trustAsResourceUrl(logLinks.archiveUri({
-                                        baseURL: url,
-                                        namespace: $scope.context.project.metadata.name,
-                                        namespaceUid: $scope.context.project.metadata.uid,
-                                        podname: name,
-                                        containername: $scope.options.container,
-                                        backlink: URI.encode($window.location.href)
-                                      }, $filter('annotation')($scope.context.project,'loggingDataPrefix')))
+
+                AggregatedLoggingService.isOperationsUser().then(function(canViewOperationsLogs) {
+                  $scope.$watchGroup(['context.project.metadata.name', 'options.container', 'name'], function() {
+                    angular.extend($scope, {
+                      kibanaArchiveUrl: logLinks.archiveUri({
+                        baseURL: url,
+                        namespace: $scope.context.project.metadata.name,
+                        namespaceUid: $scope.context.project.metadata.uid,
+                        podname: name,
+                        containername: $scope.options.container,
+                        backlink: URI.encode($window.location.href)
+                      }, $filter('annotation')($scope.context.project,'loggingDataPrefix'), canViewOperationsLogs)
+                    });
                   });
                 });
               });

app/scripts/services/aggregatedLoggingService.js

@@ -0,0 +1,43 @@
+'use strict';
+
+angular.module("openshiftConsole")
+  .factory("AggregatedLoggingService", function($q, Logger, DataService) {
+
+    // cache previous request
+    var userAllowed;
+
+    // Create SelfSubjectAccessReview request againt authorization API to check whether
+    // current user can view pods/log from 'default' project.
+    // Users who can view such logs are 'operations' users
+    var isOperationsUser = function() {
+      if (userAllowed !== undefined) {
+        // Using cached data.
+        Logger.log("AggregatedLoggingService, using cached user");
+        return $q.when(userAllowed);
+      }
+      Logger.log("AggregatedLoggingService, loading whether user is Operations user");
+      var ssar = {
+        apiVersion: 'authorization.k8s.io/v1',
+        kind: 'SelfSubjectAccessReview',
+        spec: {
+          resourceAttributes: {
+            resource: 'pods/log',
+            namespace: 'default',
+            verb: 'view'
+          }
+        }
+      };
+      return DataService.create({ group: 'authorization.k8s.io', version: 'v1', resource: 'selfsubjectaccessreviews'},
+                        null, ssar, {namespace: 'default'}).then(
+        function(data) {
+          userAllowed = data.status.allowed;
+          return userAllowed;
+        }, function() {
+          return false;
+      });
+    };
+
+    return {
+      isOperationsUser: isOperationsUser
+    };
+  });

app/scripts/services/logLinks.js

@@ -73,7 +73,10 @@ angular.module('openshiftConsole')
       ].join(''));
 
 
-      var archiveUri = function(opts, prefix) {
+      var archiveUri = function(opts, prefix, canViewOperationsLogs) {
+        if(canViewOperationsLogs && (!prefix || prefix.startsWith('project.'))) {
+            prefix = 'project';
+        }
         prefix = prefix || 'project.' + opts.namespace + '.' + opts.namespaceUid;
         opts.index = prefix + '.*';
 

app/views/directives/logs/_log-viewer.html

@@ -47,16 +47,8 @@ <h2>Logs are not available.</h2>
     {{emptyStateMessage}}
   </p>
 
-  <div ng-if="kibanaAuthUrl">
-    <form
-      action="{{kibanaAuthUrl}}"
-      method="POST">
-      <input type="hidden" name="redirect" value="{{kibanaArchiveUrl}}">
-      <input type="hidden" name="access_token" value="{{access_token}}">
-      <button class="btn btn-primary btn-lg">
-        View Archive
-      </button>
-    </form>
+  <div ng-if="kibanaArchiveUrl">
+    <a href="{{kibanaArchiveUrl}}">View Archive</a>
   </div>
 </div>