
Elastic-HQ grants access to Elasticsearch to other users without authorization if one user was authorized

Open svk-28 opened this issue 3 years ago • 0 comments

General information

  • OS Platform and Distribution (e.g., Linux Ubuntu 16.04): CentOS Linux release 7.8.2003 (Core)
  • ElasticHQ Version: elastichq/elasticsearch-hq:latest
  • Elasticsearch Version: opendistro-for-elasticsearch:1.9.0
  • Python version (ignore if using docker image):
  • Browser Vendor and Version (if applicable): FireFox, Chrome, Edge

The system is running in docker. User access is via https; for this purpose, elastic-hq is located behind nginx. Elasticsearch uses LDAP authentication and authorization.

Issue Description

There was a problem with access to the Elasticsearch cluster: if one user was authorized in ES via Elastic-HQ, then other users (from different workstations) who selected the desired cluster in the dialog got access to Elasticsearch without authorization.

Source Code / Logs

docker-compose:

```yaml
nginx:
  image: nginx
  container_name: nginx
  env_file:
    - .env
  restart: always
  ports:
    - 443:443
  environment:
    - NGINX_HOST=${NGINX_HOST}
  volumes:
    - ./nginx/templates:/etc/nginx/templates
    - ./ssl/cert.pem:/etc/nginx/certs/nginx-selfsigned.pem:ro
    - ./ssl/client.key:/etc/nginx/certs/nginx-selfsigned.key:ro
  networks:
    - odfe-net
elastic-hq:
  image: elastichq/elasticsearch-hq
  container_name: elastic-hq
  restart: always
  environment:
    - HQ_CA_CERTS=/src/ca.pem
    - CLIENT_KEY=/src/client.key
    - CLIENT_CERT=/src/client.pem
    - HQ_ENABLE_SSL=True
    - HQ_VERIFY_CERTS=False
    - HQ_DEFAULT_URL=https://odfe-node1:9200
  volumes:
    - ./ssl/MyRootCA.pem:/src/ca.pem:ro
    - ./ssl/crert.pem:/src/client.pem:ro
    - ./ssl/client.key:/src/client.key:ro
  networks:
    - odfe-net
  depends_on:
    - nginx
```

nginx.conf.template:

```nginx
server {
    listen 443 ssl;
    server_name ${NGINX_HOST};
    client_max_body_size 100M;
    ssl_certificate /etc/nginx/certs/nginx-selfsigned.pem;
    ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;

    location / {
        proxy_pass http://elastic-hq:5000;
        # proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

svk-28, Dec 02 '20 07:12
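The behaviour in the report (one browser authorizes a cluster in Elastic-HQ, every other browser then sees it without logging in) means the cluster connection is held on the HQ side and is shared by all clients, while the nginx in front of it forwards every request to HQ with no authentication of its own. The following is an added example, not the reporter's configuration and not part of the ElasticHQ project: it places the reporter's `location /` block beside a version that requires a per-user HTTP basic-auth login at the proxy before anything reaches HQ, and limits the source network. The htpasswd path `/etc/nginx/htpasswd/hq.htpasswd`, the `10.0.0.0/8` range and the realm name are assumed values.

```nginx
# Reporter's block: every request is proxied straight to HQ, so whoever
# can reach port 443 inherits the cluster connection already stored in HQ.
location / {
    proxy_pass http://elastic-hq:5000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# Hardened block (assumed paths and network): nginx authenticates each
# user itself, so an unauthenticated browser never reaches HQ at all.
location / {
    # Only the administration network may talk to HQ (assumed range).
    allow 10.0.0.0/8;
    deny all;

    # Per-user login enforced at the proxy; file is mounted read-only
    # into the nginx container (assumed path, created with htpasswd).
    auth_basic "ElasticHQ administrators";
    auth_basic_user_file /etc/nginx/htpasswd/hq.htpasswd;

    proxy_pass http://elastic-hq:5000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Do not forward the proxy login to HQ; HQ uses its own stored
    # credentials for the cluster and has no use for the browser's.
    proxy_set_header Authorization "";
}
```

This only restricts who can reach HQ; it does not give HQ separate sessions per user. Everyone who passes the proxy still shares the one stored cluster connection, so the htpasswd file should list only people who are allowed to administer the cluster with that connection's privileges. The compose file in the report also sets `HQ_VERIFY_CERTS=False`, which disables certificate verification between HQ and Elasticsearch; with the CA already mounted via `HQ_CA_CERTS`, re-enabling verification is a separate hardening step worth taking.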