<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">
<base href="https://issues.jboss.org">
<title>Message Title</title>
</head>
<body class="jira" style="color: #333333; font-family: Arial, sans-serif; font-size: 14px; line-height: 1.429">
<table id="background-table" cellpadding="0" cellspacing="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; background-color: #f5f5f5; border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt" bgcolor="#f5f5f5">
<!-- header here -->
<tbody>
<tr>
<td id="header-pattern-container" style="padding: 0px; border-collapse: collapse; padding: 10px 20px">
<table id="header-pattern" cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td id="header-avatar-image-container" valign="top" style="padding: 0px; border-collapse: collapse; vertical-align: top; width: 32px; padding-right: 8px" width="32"> <img id="header-avatar-image" class="image_fix" src="https://static.jboss.org/developer/gravatar/a13557d1743f0fc4995cc122154945ad?d=mm&s=48" height="32" width="32" border="0" style="border-radius: 3px; vertical-align: top"> </td>
<td id="header-text-container" valign="middle" style="padding: 0px; border-collapse: collapse; vertical-align: middle; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 1px"> <a class="user-hover" rel="weil" id="email_weil" href="https://issues.jboss.org/secure/ViewProfile.jspa?name=weil" style="color:#0052cc;; color: #3b73af; text-decoration: none">Wei Li</a> <strong>commented</strong> on <a href="https://issues.jboss.org/browse/AEROGEAR-8076" style="color: #3b73af; text-decoration: none"><img src="cid:jira-generated-image-avatar-a846ed40-805c-459b-893a-9d320c66c366" height="16" width="16" border="0" align="absmiddle" alt="Task"> AEROGEAR-8076</a> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td id="email-content-container" style="padding: 0px; border-collapse: collapse; padding: 0 20px">
<table id="email-content-table" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; border-spacing: 0; border-collapse: separate">
<tbody>
<tr>
<!-- there needs to be content in the cell for it to render in some clients -->
<td class="email-content-rounded-top mobile-expand" style="padding: 0px; border-collapse: collapse; color: #ffffff; padding: 0 15px 0 16px; height: 15px; background-color: #ffffff; border-left: 1px solid #cccccc; border-top: 1px solid #cccccc; border-right: 1px solid #cccccc; border-bottom: 0; border-top-right-radius: 5px; border-top-left-radius: 5px; height: 10px; line-height: 10px; padding: 0 15px 0 16px; mso-line-height-rule: exactly" height="10" bgcolor="#ffffff"> </td>
</tr>
<tr>
<td class="email-content-main mobile-expand " style="padding: 0px; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff" bgcolor="#ffffff">
<table class="page-title-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td style="vertical-align: top;; padding: 0px; border-collapse: collapse; padding-right: 5px; font-size: 20px; line-height: 30px; mso-line-height-rule: exactly" class="page-title-pattern-header-container"> <span class="page-title-pattern-header" style="font-family: Arial, sans-serif; padding: 0; font-size: 20px; line-height: 30px; mso-text-raise: 2px; mso-line-height-rule: exactly; vertical-align: middle"> <a href="https://issues.jboss.org/browse/AEROGEAR-8076" style="color: #3b73af; text-decoration: none">Re: Spike: make ES and Kibana calls within an operator vs APB</a> </span> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td id="text-paragraph-pattern-top" class="email-content-main mobile-expand comment-top-pattern" style="padding: 0px; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff; border-bottom: none; padding-bottom: 0" bgcolor="#ffffff">
<table class="text-paragraph-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 2px">
<tbody>
<tr>
<td class="text-paragraph-pattern-container mobile-resize-text " style="padding: 0px; border-collapse: collapse; padding: 0 0 10px 0"> <p style="margin: 10px 0 0 0; margin-top: 0">I have provisioned a 3.11 cluster in RHPDS and playaround the EFK feature, and here are my findings:</p> <p style="margin: 10px 0 0 0">1. In 3.11, the EFK stack is available by default. Fluentd will collect the outputs to stdout of all the pods and forward them to elasticsearch.<br> 2. The EFK stack is secured by the oauth proxy and it does support multi-tenancy as well, but it only supports 2 types of users: admin user or app users. Admin users can see all the indies of all the namespaces, and the app users can see the indies of the namespaces that they have access to.<br> 3. I logged in as a normal developer user1, and provisioned sync service and generated some audit logs. I can only see the kibana index for my own namespace. I created some queries, visualisations and dashboards, and saved them. I then logged in as a different developer user who also has access to the same namespace. This time I can still see the same index, but there are no saved queries, visualisations and dashboards.<br> 4. From what I have gathered, it looks like the EFK stack did use the SearchGuard <span class="error">[1]</span> plugin to implement the multi-tenant feature. However, it looks like they are only using the default configuration: each user has 2 default tenants: global or private. The global tenant allows to share save dashboards across all the users, while private tenant allows each user to have their own dashboards. The global tenant is not a good fit for our purpose: not all the users will need to access the sync service dashboards.<br> 5. It is possible to add dashboards to a user programatically. However, this can only be done after the user login to the Kibana UI at least once. Because the Kibana UI is protected by the openshift oauth proxy, upon the first time login, the user will be asked to give permission to allow Kibana to access their user info on OpenShift. I am not sure if there is a way to perform the login programatically. But even if it's possible, I don't think we should do it. We also need to know the user's username to perform the operation of adding dashboards or queries to the user's kibana.</p> <p style="margin: 10px 0 0 0">From all this information, I don't think APB is a good fit to us. The reasons are:</p> <p style="margin: 10px 0 0 0">1. There is nothing needs to be provisioned by us, really. The EFK stack will be available by default in 3.11, and if it's not available, we should not try to provision it as it is quite complicated to do. We also thought about creating a managed service broker for the EFK service, which doesn't really do anything, but just create a route in the project so that users will be able to see the kibana URL. But after chatting with <a href="https://issues.jboss.org/secure/ViewProfile.jspa?name=craig.brookes" class="user-hover" rel="craig.brookes" style="color: #3b73af; text-decoration: none">Craig Brookes</a>, he thinks this doesn't add too much value, it is more of a hack rather than a solution. Plus we are going to show the URL in the sync UI (we should be able to get the url of the logging service somehow by looking at how the `View Archive` button is generated).<br> 2. There is also no binging required. All the logs to stdout are automatically forwarded to EFK.</p> <p style="margin: 10px 0 0 0">So if we want to automate the setup of the default dashboards, we should look at creating an operator for that. However, given that users will have to login to the Kibana at least once, it's is reasonable if we provide the template json files through the sync UI, and give user instructions on how to import them to Kibana. I think this should be our first step, and could be enough to meet the requirements for tech preview.</p> <p style="margin: 10px 0 0 0">If we have more time, and if there are some better ways to automate this, we can look at implement the operator to automate the process. This should be the next step.</p> <p style="margin: 10px 0 0 0"><span class="error">[1]</span> <a href="https://docs.search-guard.com/v5/kibana-multi-tenancy" class="external-link" rel="nofollow" style="color: #3b73af; text-decoration: none">https://docs.search-guard.com/v5/kibana-multi-tenancy</a> </p> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td class="email-content-main mobile-expand " style="padding: 0px; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff" bgcolor="#ffffff">
<table id="actions-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 1px">
<tbody>
<tr>
<td id="actions-pattern-container" valign="middle" style="padding: 0px; border-collapse: collapse; padding: 10px 0 10px 24px; vertical-align: middle; padding-left: 0">
<table align="left" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td class="actions-pattern-action-icon-container" style="padding: 0px; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 0; vertical-align: middle"> <a href="https://issues.jboss.org/browse/AEROGEAR-8076#add-comment" target="_blank" title="Add Comment" style="color: #3b73af; text-decoration: none"> <img class="actions-pattern-action-icon-image" src="cid:jira-generated-image-static-comment-icon-83e1d6b8-583f-47d7-98de-76a7b0927bce" alt="Add Comment" title="Add Comment" height="16" width="16" border="0" style="vertical-align: middle"> </a> </td>
<td class="actions-pattern-action-text-container" style="padding: 0px; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 4px; padding-left: 5px"> <a href="https://issues.jboss.org/browse/AEROGEAR-8076#add-comment" target="_blank" title="Add Comment" style="color: #3b73af; text-decoration: none">Add Comment</a> </td>
</tr>
</tbody>
</table> </td>
</tr>
</tbody>
</table> </td>
</tr>
<!-- there needs to be content in the cell for it to render in some clients -->
<tr>
<td class="email-content-rounded-bottom mobile-expand" style="padding: 0px; border-collapse: collapse; color: #ffffff; padding: 0 15px 0 16px; height: 5px; line-height: 5px; background-color: #ffffff; border-top: 0; border-left: 1px solid #cccccc; border-bottom: 1px solid #cccccc; border-right: 1px solid #cccccc; border-bottom-right-radius: 5px; border-bottom-left-radius: 5px; mso-line-height-rule: exactly" height="5" bgcolor="#ffffff"> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td id="footer-pattern" style="padding: 0px; border-collapse: collapse; padding: 12px 20px">
<table id="footer-pattern-container" cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td id="footer-pattern-text" class="mobile-resize-text" width="100%" style="padding: 0px; border-collapse: collapse; color: #999999; font-size: 12px; line-height: 18px; font-family: Arial, sans-serif; mso-line-height-rule: exactly; mso-text-raise: 2px"> This message was sent by Atlassian Jira <span id="footer-build-information">(v7.12.1#712002-<span title="609a50578ba6bc73dbf8b05dddd7c04a04b6807c" data-commit-id="609a50578ba6bc73dbf8b05dddd7c04a04b6807c}">sha1:609a505</span>)</span> </td>
<td id="footer-pattern-logo-desktop-container" valign="top" style="padding: 0px; border-collapse: collapse; padding-left: 20px; vertical-align: top">
<table style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td id="footer-pattern-logo-desktop-padding" style="padding: 0px; border-collapse: collapse; padding-top: 3px"> <img id="footer-pattern-logo-desktop" src="https://issues.jboss.org/images/mail/atlassian-email-logo.png" alt="Atlassian logo" title="Atlassian logo" width="191" height="24" class="image_fix"> </td>
</tr>
</tbody>
</table> </td>
</tr>
</tbody>
</table> </td>
</tr>
</tbody>
</table>
</body>
</html>