elasticsearch-HQ
Elastic-HQ grants other users access to Elasticsearch without authorization if one user was authorized
General information
- OS Platform and Distribution (e.g., Linux Ubuntu 16.04): CentOS Linux release 7.8.2003 (Core)
- ElasticHQ Version: elastichq/elasticsearch-hq:latest
- Elasticsearch Version: opendistro-for-elasticsearch:1.9.0
- Python version (ignore if using docker image):
- Browser Vendor and Version (if applicable): Firefox, Chrome, Edge
The system is running in Docker. User access is via HTTPS; for this purpose, elastic-hq is located behind nginx. Elasticsearch uses LDAP authentication and authorization.
Issue Description
There was a problem with access to the Elasticsearch cluster: if one user was authorized in ES via Elastic-HQ, then other users (from different workstations) who selected the desired cluster in the dialog get access to Elasticsearch without authorization.
Source Code / Logs
docker-compose

```yaml
nginx:
  image: nginx
  container_name: nginx
  env_file:
    - .env
  restart: always
  ports:
    - 443:443
  environment:
    - NGINX_HOST=${NGINX_HOST}
  volumes:
    - ./nginx/templates:/etc/nginx/templates
    - ./ssl/cert.pem:/etc/nginx/certs/nginx-selfsigned.pem:ro
    - ./ssl/client.key:/etc/nginx/certs/nginx-selfsigned.key:ro
  networks:
    - odfe-net
elastic-hq:
  image: elastichq/elasticsearch-hq
  container_name: elastic-hq
  restart: always
  environment:
    - HQ_CA_CERTS=/src/ca.pem
    - CLIENT_KEY=/src/client.key
    - CLIENT_CERT=/src/client.pem
    - HQ_ENABLE_SSL=True
    - HQ_VERIFY_CERTS=False
    - HQ_DEFAULT_URL=https://odfe-node1:9200
  volumes:
    - ./ssl/MyRootCA.pem:/src/ca.pem:ro
    - ./ssl/crert.pem:/src/client.pem:ro
    - ./ssl/client.key:/src/client.key:ro
  networks:
    - odfe-net
  depends_on:
    - nginx
```

nginx.conf.template

```nginx
server {
    listen 443 ssl;
    server_name ${NGINX_HOST};
    client_max_body_size 100M;
    ssl_certificate /etc/nginx/certs/nginx-selfsigned.pem;
    ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;

    location / {
        proxy_pass http://elastic-hq:5000;
        # proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
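The behaviour reported in this issue, reduced to a small model with a regression check, as an added example that is not part of the original report and is not Elastic-HQ's code. It assumes the cause is a server-side cache of upstream credentials keyed only by cluster URL, which the issue does not confirm; every class, function and credential below is hypothetical.

```python
# Constructed model of a web UI that proxies requests to an authenticated cluster.
# Not Elastic-HQ code: names, credentials and the cluster name are made up.
VALID = {("alice", "s3cret")}  # constructed stand-in for the LDAP-backed user store


class Upstream:
    """Stand-in for an Elasticsearch node that requires credentials."""
    def query(self, creds):
        if creds not in VALID:
            raise PermissionError("401 from upstream")
        return {"cluster_name": "demo-cluster"}


class SharedConnectionProxy:
    """Assumed cause: credentials cached once per cluster URL for all sessions."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.conns = {}

    def connect(self, session_id, cluster_url, creds):
        self.upstream.query(creds)            # upstream validates the login
        self.conns[cluster_url] = creds       # stored without any session binding

    def cluster_info(self, session_id, cluster_url):
        creds = self.conns.get(cluster_url)   # session_id is never consulted
        return self.upstream.query(creds)


class PerSessionProxy(SharedConnectionProxy):
    """Hardened form: cached credentials are bound to the session that gave them."""
    def connect(self, session_id, cluster_url, creds):
        self.upstream.query(creds)
        self.conns[(session_id, cluster_url)] = creds

    def cluster_info(self, session_id, cluster_url):
        creds = self.conns.get((session_id, cluster_url))
        return self.upstream.query(creds)     # None is rejected by the upstream


def second_session_gets_in(proxy_cls):
    """Regression check: session A logs in, then session B asks with no login."""
    proxy = proxy_cls(Upstream())
    url = "https://odfe-node1:9200"
    proxy.connect("session-A", url, ("alice", "s3cret"))
    assert proxy.cluster_info("session-A", url)["cluster_name"] == "demo-cluster"
    try:
        proxy.cluster_info("session-B", url)
        return True                           # B rode on A's credentials
    except PermissionError:
        return False
```

The same two-session check, run from two separate browsers or clients against a real deployment, is the test to keep in a regression suite for any UI that holds upstream credentials on the server side.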