Kibana access RO users #131

Open
sirdrug opened this issue Nov 1, 2022 · 12 comments
@sirdrug

sirdrug commented Nov 1, 2022

Hi! We use ELK 8.4.3 and the enterprise version of the plugin! When users from the RO group try to do anything, for example go to the Discover tab after login, they get logged out!!! :(
In the audit events I see that the user tries /write/_bulk, update, and some _get actions, for example indices:data/write/bulk in index readonlyrest_audit-2022-11-01, but gets FORBIDDEN

@sscarduzio
Contributor

Hello @sirdrug we'd need to see your YAML to inspect the ACL in order to reproduce the issue. Please send us your sanitised YAML, or even better, the minimal form of ACL that reproduces the bug.

If you are not confident with sharing in public, please email support at readonlyrest dot com.

Actually, the best way would be to log in to the customer portal and open a ticket from there (it's managed via the forum). So we keep track of this as a priority support case in the name of your company.

@sirdrug
Author

sirdrug commented Nov 1, 2022

From the customer portal I get redirected to the forum, but with our email we get a message like in the picture
2022-11-01_16-34-37
2022-11-01_16-33-32

@sirdrug
Author

sirdrug commented Nov 1, 2022

2022-11-01_16-23-46
The config in the screenshot worked perfectly before the update

@sirdrug
Author

sirdrug commented Nov 1, 2022

The plugin tries to write and update under the RO user

@sscarduzio
Contributor

sscarduzio commented Nov 1, 2022

Yes, our support tickets are an automation over the forum private messages API. Just log in to the forum with the same email (or create a new forum account with that email) and describe the issue.

@Dzuming do you require any extra information to investigate this?

@Dzuming
Collaborator

Dzuming commented Nov 2, 2022

Hello @sirdrug, I'm trying to reproduce this issue. Could you provide Kibana and ES logs at the debug level?

@sirdrug
Author

sirdrug commented Nov 2, 2022

The cluster is in production; for debug mode I need to reboot, and this is impossible. When a user goes to the Discover tab, they get logged out!
In the audit logs, at the same time there are write & update actions on the index, but kibana access: RO users get FORBIDDEN

@sscarduzio
Contributor

sscarduzio commented Nov 2, 2022

@sirdrug we are getting the forbidden, but in our experience with the latest version of ROR, we can't reproduce the logout effect. 🤔 Can you share what version of ROR you are using? Also, please send us kibana.yml and readonlyrest.yml (full ACL). You can use the support at readonlyrest dot com email if you prefer.

EDIT: please have a look at the browser developer tools: see "Console", click "preserve logs", and repeat the test. Can you see any interesting logs? Or stack traces?

@sirdrug
Author

sirdrug commented Nov 10, 2022

```json
{
  "_index": "readonlyrest_audit-2022-11-10",
  "_id": "1437276912-1270873560#4672461",
  "_version": 1,
  "_score": 0,
  "_ignored": [
    "acl_history.keyword"
  ],
  "_source": {
    "headers": [
      "tracestate",
      "x-ror-correlation-id",
      "accept",
      "x-elastic-product-origin",
      "user-agent",
      "x-opaque-id",
      "content-length",
      "traceparent",
      "elastic-apm-traceparent",
      "x-ror-kibana-request-method",
      "x-elastic-client-meta",
      "content-type",
      "Accept-Charset",
      "connection",
      "x-ror-kibana-request-path",
      "x-ror-current-group",
      "Authorization",
      "Host",
      "x-forwarded-for"
    ],
    "acl_history": "[Kibana-> RULES:[auth_key_sha256->false] RESOLVED:[group=_G Kibana_Test_RO;indices=.kibana]], [Admin-> RULES:[auth_key_sha256->false] RESOLVED:[group=_G Kibana_Test_RO;indices=.kibana]], [Test users RO-> RULES:[ldap_authentication->true, ldap_authorization->true, kibana_hide_apps->true, kibana_access->false] RESOLVED:[user=testuser;group=_G Kibana_Test_RO;av_groups=_G Kibana_Test_RO;indices=.kibana]], [Test users RW-> RULES:[ldap_authentication->true, ldap_authorization->false] RESOLVED:[user=testuser;group=_G Kibana_Test_RO;indices=.kibana]]",
    "origin": "192.168.1.1/32",
    "match": false,
    "final_state": "FORBIDDEN",
    "destination": "192.168.1.1/32",
    "task_id": 4672461,
    "type": "BulkRequest",
    "req_method": "POST",
    "path": "/_bulk",
    "indices": [],
    "@timestamp": "2022-11-10T09:33:37Z",
    "content_len_kb": 0,
    "correlation_id": "67c2a3fa-fdd1-4175-a3cc-a346779e6ba9",
    "processingMillis": 2,
    "xff": "1.1.1.1",
    "action": "indices:data/write/bulk",
    "block": "default",
    "id": "1437276912-1270873560#4672461",
    "content_len": 706,
    "user": "testuser"
  }
}
```

@sirdrug
Author

sirdrug commented Nov 10, 2022

and this

```
Request URL: https://testurl/s/default/api/saved_objects/_bulk_resolve
Request Method: POST
Status Code: 401
```

@sscarduzio
Contributor

Thank you @sirdrug for the extra data, it will be useful.

In the meantime, @Dzuming spent some time on this and found quite a few extra edge cases. In the new release. Soon we can give you a new build to test for sure.

@sirdrug
Author

sirdrug commented Nov 10, 2022

```yaml
server.port: 5601
server.host: 192.168.1.1
server.name: test
elasticsearch.hosts: [ "https://192.168.1.1:9200/"]
elasticsearch.username: ""
elasticsearch.password: ""
elasticsearch.requestTimeout: 9000000
xpack.reporting.enabled: false
elasticsearch.ssl.verificationMode: none
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
readonlyrest_kbn.whitelistedPaths: ["./api/status$"]
readonlyrest_kbn.sessions_refresh_after: 9000
readonlyrest_kbn.sessions_probe_interval_seconds: 300
readonlyrest_kbn.sessions_index_name: ".new_sessions"
readonlyrest_kbn.session_timeout_minutes: 9000 # defaults to 4320 (3 days)
readonlyrest_kbn.clearSessionOnEvents: ["never"]
readonlyrest_kbn.cookiePass: "**"
readonlyrest_kbn.store_sessions_in_index: true
```

plugin version
readonlyrest_kbn_universal-1.44.0_es8.4.3
