Updating install documentation and adding information on how to allow cluster-reader to view operations logs

ewolinetz · ewolinetz · commit 12f52aaa28fb · 2016-10-24T12:05:02.000-05:00
diff --git a/install_config/aggregate_logging.adoc b/install_config/aggregate_logging.adoc
@@ -136,6 +136,19 @@ $ oadm policy add-cluster-role-to-user cluster-reader \
 this service account.
 ====
 
+. Enable the Elasticsearch service account to get cluster role bindings so that
+it can verify the roles that a user belongs to for allowing access to operations
+logs:
++
+====
+----
+$ oadm policy add-cluster-role-to-user rolebinding-reader \
+     system:serviceaccount:logging:aggregated-logging-elasticsearch <1>
+----
+<1> Use the project you created earlier (for example, *logging*) when specifying
+this service account.
+====
+
 [[aggregate-logging-specifying-deployer-parameters]]
 == Specifying Deployer Parameters
 
@@ -671,6 +684,21 @@ each new one to deploy it:
 $ oc scale --replicas=1 dc/logging-es-<suffix>
 ----
 
+[[cluster-reader-operations]]
+*Allowing cluster-reader to view operations logs*
+
+By default, only cluster-admins are granted access in Elasticsearch and Kibana
+to view operations logs. To allow cluster-readers to also be able to view these
+logs, update the value of `openshift.operations.allow_cluster_reader` in the
+Elasticsearch configmap to be `true`:
+
+----
+$ oc edit configmap/logging-elasticsearch
+----
+
+Please note that changes to the configmap may not be picked up until the pods
+are redeployed.
+
 [[aggregated-fluentd]]
 === Fluentd
 
diff --git a/install_config/upgrading/manual_upgrades.adoc b/install_config/upgrading/manual_upgrades.adoc
@@ -1339,6 +1339,15 @@ $ oadm policy add-cluster-role-to-user oauth-editor \
        system:serviceaccount:logging:logging-deployer
 ----
 
+. Ensure that the cluster role `rolebinding-reader` is assigned to the
+*aggregated-logging-elasticsearch* service account where `logging` is the namespace
+where aggregated logging is installed:
++
+----
+$ oadm policy add-cluster-role-to-user rolebinding-reader \
+     system:serviceaccount:logging:aggregated-logging-elasticsearch
+----
+
 . In preparation for running the deployer, ensure that you have the configurations
 for your current deployment in the xref:../aggregate_logging.adoc#aggregate-logging-specifying-deployer-parameters[*logging-deployer* ConfigMap].
 +
