Login issue in Kibana dashboard due to cache not being cleared in RHOCP 4
Environment
- Red Hat Openshift Container Platform
- 4
- Red Hat Logging and Elasticsearch Operator
- 5.5.4
Issue
- Once Kibana session is timed out after 15 minutes, re-login into Kibana dashboard after updating Red Hat Logging and Elasticsearch Operator to 5.5.4 and setting
tokenConfig: accessTokenInactivityTimeout: 15m0sin the OIDC configuration, gives below error.
{"statusCode":401,"error":"Unauthorized","message":"Authentication Exception"}
Resolution
- This issue is known to Red Hat and currently fixed in 5.5.5 and backported to 5.4.9 versions. To include the fix please update the Red Hat Logging and Elasticsearch Operator.
Root Cause
The presence of the _oauth_proxy cookie in kibana-openshift-logging.apps.<cluster> domain to reconnect is causing the problem, and manual deletion from browser solved the issue.
In Authentication logs, the following is found while the issue is reproducible:
2022-08-31T11:35:06.466087027Z E0831 11:35:06.465997 1 access.go:136] osin: error=unauthorized_client, internal_error=<nil> auth_code_request=authorization data is nil
Diagnostic Steps
- To check
accessTokenInactivityTimeoutvalue:
$ oc get oauth cluster -o yaml
- To collect all needed logs:
$ oc adm inspect co/authentication
$ oc adm inspect ns/openshift-logging ns/openshift-monitoring
$ oc get oauthclient -A -o yaml
$ oc get authentication -o yaml
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments