Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Elasticsearch logging authorisation issue with X-Pack #22793

Open
chendo opened this issue Sep 11, 2019 · 0 comments

Comments

@chendo
Copy link

commented Sep 11, 2019

**What kind of request is this (question/bug/enhancement/feature request): ** BUG

Steps to reproduce (least amount of steps as possible):

  1. Set up Elasticsearch cluster with X-Pack on.
  2. Create an ES role called rancher_logging and grant `logs-* all index operations.
  3. Create ES user named rancher_logging with password.
  4. Test project logging with above credentials.
  5. Test passes
  6. Save logging configuration.

Result:

No logs are shipped to elasticsearch.

Other details that may be helpful:

It turns out that the logging agent performs a HEAD / and GET / and expects a 2xx before shipping logs, which is not validated when testing the logging configuration. The ES role must have monitor permission otherwise this request will fail and the user will have to spend time debugging what is wrong.

Either the TEST button should confirm HEAD / and GET / 2xxs accordingly, or this check should be removed.

Environment information
v2.2.6, single master.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.