
Kibana access RO users

Open sirdrug opened this issue 1 year ago • 12 comments

Hi! We use ELK 8.4.3 and the enterprise version of the plugin! When users from the RO group try to do anything, for example go to the Discover tab after login, they get logged out!!! :( In the audit events I see that the user tries to /write/_bulk, update, and some _get actions, for example indices:data/write/bulk in index readonlyrest_audit-2022-11-01, but gets FORBIDDEN

sirdrug avatar Nov 01 '22 09:11 sirdrug

Hello @sirdrug we'd need to see your YAML to inspect the ACL in order to reproduce the issue. Please send us your sanitised YAML, or even better, the minimal form of ACL that reproduces the bug.

If you are not confident with sharing in public, please email support at readonlyrest dot com.

Actually, the best way would be to log in to the customer portal and open a ticket from there (it's managed via the forum). That way we keep track of this as a priority support case in the name of your company.

sscarduzio avatar Nov 01 '22 10:11 sscarduzio

From the customer portal I get redirected to the forum, but with our email we get a message like in the picture (screenshots: 2022-11-01_16-34-37, 2022-11-01_16-33-32)

sirdrug avatar Nov 01 '22 14:11 sirdrug

(screenshot: 2022-11-01_16-23-46) The config in the screenshot worked perfectly before the update

sirdrug avatar Nov 01 '22 14:11 sirdrug

The plugin tries to write and update as the RO user

sirdrug avatar Nov 01 '22 14:11 sirdrug

Yes, our support tickets are an automation over the forum private messages API. Just log in to the forum with the same email (or create a new forum account with that email) and describe the issue.

@Dzuming do you require any extra information to investigate this?

sscarduzio avatar Nov 01 '22 15:11 sscarduzio

Hello @sirdrug, I'm trying to reproduce this issue. Could you provide Kibana and ES logs at the debug level?

Dzuming avatar Nov 02 '22 05:11 Dzuming

The cluster is in production; for debug mode I need to reboot, which is impossible. When a user goes to the Discover tab, they are logged out! In the audit logs, at the same time, there are write & update actions on the index, but kibana access: RO users get FORBIDDEN

sirdrug avatar Nov 02 '22 07:11 sirdrug

@sirdrug we are getting the forbidden, but in our experience with the latest version of ROR, we can't reproduce the logout effect. 🤔 Can you share which version of ROR you are using? Also, please send us kibana.yml and readonlyrest.yml (full ACL). You can use the support at readonlyrest dot com email if you prefer.

EDIT: please have a look at the browser developer tools: see "Console", click "preserve logs", and repeat the test. Can you see any interesting logs? Or stack traces?

sscarduzio avatar Nov 02 '22 15:11 sscarduzio

```json
{
  "_index": "readonlyrest_audit-2022-11-10",
  "_id": "1437276912-1270873560#4672461",
  "_version": 1,
  "_score": 0,
  "_ignored": [
    "acl_history.keyword"
  ],
  "_source": {
    "headers": [
      "tracestate", "x-ror-correlation-id", "accept", "x-elastic-product-origin",
      "user-agent", "x-opaque-id", "content-length", "traceparent",
      "elastic-apm-traceparent", "x-ror-kibana-request-method", "x-elastic-client-meta",
      "content-type", "Accept-Charset", "connection", "x-ror-kibana-request-path",
      "x-ror-current-group", "Authorization", "Host", "x-forwarded-for"
    ],
    "acl_history": "[Kibana-> RULES:[auth_key_sha256->false] RESOLVED:[group=_G Kibana_Test_RO;indices=.kibana]], [Admin-> RULES:[auth_key_sha256->false] RESOLVED:[group=_G Kibana_Test_RO;indices=.kibana]], [Test users RO-> RULES:[ldap_authentication->true, ldap_authorization->true, kibana_hide_apps->true, kibana_access->false] RESOLVED:[user=testuser;group=_G Kibana_Test_RO;av_groups=_G Kibana_Test_RO;indices=.kibana]], [Test users RW-> RULES:[ldap_authentication->true, ldap_authorization->false] RESOLVED:[user=testuser;group=_G Kibana_Test_RO;indices=.kibana]]",
    "origin": "192.168.1.1/32",
    "match": false,
    "final_state": "FORBIDDEN",
    "destination": "192.168.1.1/32",
    "task_id": 4672461,
    "type": "BulkRequest",
    "req_method": "POST",
    "path": "/_bulk",
    "indices": [],
    "@timestamp": "2022-11-10T09:33:37Z",
    "content_len_kb": 0,
    "correlation_id": "67c2a3fa-fdd1-4175-a3cc-a346779e6ba9",
    "processingMillis": 2,
    "xff": "1.1.1.1",
    "action": "indices:data/write/bulk",
    "block": "default",
    "id": "1437276912-1270873560#4672461",
    "content_len": 706,
    "user": "testuser"
  }
}
```

sirdrug avatar Nov 10 '22 10:11 sirdrug
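
Added example, not part of the original thread and not ReadonlyREST code: a small parser for the `acl_history` string in the audit event above, which lists for each evaluated ACL block the rule that rejected the request. The function names and the "nearest miss" heuristic are assumptions of this example; the input string is copied from the posted event.

```python
import re

# acl_history copied from the audit event posted above (block and group names are the poster's).
ACL_HISTORY = (
    "[Kibana-> RULES:[auth_key_sha256->false] RESOLVED:[group=_G Kibana_Test_RO;indices=.kibana]], "
    "[Admin-> RULES:[auth_key_sha256->false] RESOLVED:[group=_G Kibana_Test_RO;indices=.kibana]], "
    "[Test users RO-> RULES:[ldap_authentication->true, ldap_authorization->true, "
    "kibana_hide_apps->true, kibana_access->false] "
    "RESOLVED:[user=testuser;group=_G Kibana_Test_RO;av_groups=_G Kibana_Test_RO;indices=.kibana]], "
    "[Test users RW-> RULES:[ldap_authentication->true, ldap_authorization->false] "
    "RESOLVED:[user=testuser;group=_G Kibana_Test_RO;indices=.kibana]]"
)

# One "[name-> RULES:[...] RESOLVED:[...]]" entry per ACL block that was evaluated.
BLOCK_RE = re.compile(
    r"\[(?P<block>[^\[\]]+?)-> RULES:\[(?P<rules>[^\]]*)\] RESOLVED:\[(?P<resolved>[^\]]*)\]\]"
)

def parse_acl_history(history):
    """Return one dict per evaluated block: name, rule outcomes in order, resolved values."""
    blocks = []
    for m in BLOCK_RE.finditer(history):
        rules = {}
        for item in filter(None, (r.strip() for r in m["rules"].split(","))):
            name, _, outcome = item.rpartition("->")
            rules[name] = outcome == "true"
        resolved = dict(kv.split("=", 1) for kv in m["resolved"].split(";") if "=" in kv)
        blocks.append({"block": m["block"], "rules": rules, "resolved": resolved})
    return blocks

def rejections(history):
    """Per block: (name, rule that came back false or None, number of rules that matched)."""
    out = []
    for b in parse_acl_history(history):
        failed = next((name for name, ok in b["rules"].items() if not ok), None)
        out.append((b["block"], failed, sum(b["rules"].values())))
    return out

def nearest_miss(history):
    """Heuristic (assumption): the block with the most matched rules before its rejection."""
    return max(rejections(history), key=lambda r: r[2])

if __name__ == "__main__":
    for block, failed, passed in rejections(ACL_HISTORY):
        print(f"{block!r}: {passed} rule(s) matched, rejected by {failed}")
    print("nearest miss:", nearest_miss(ACL_HISTORY)[:2])
```

For the posted event this reports that the "Test users RO" block authenticated and authorized the user via LDAP and then rejected the `indices:data/write/bulk` request on its `kibana_access` rule.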

and this

```
Request URL: https://testurl/s/default/api/saved_objects/_bulk_resolve
Request Method: POST
Status Code: 401
```

sirdrug avatar Nov 10 '22 10:11 sirdrug

Thank you @sirdrug for the extra data, it will be useful.

In the meantime, @Dzuming spent some time on this and found quite a few extra edge cases. In the new release. Soon we can give you a new build to test for sure.

sscarduzio avatar Nov 10 '22 10:11 sscarduzio

```yaml
server.port: 5601
server.host: 192.168.1.1
server.name: test
elasticsearch.hosts: [ "https://192.168.1.1:9200/"]
elasticsearch.username: ""
elasticsearch.password: ""
elasticsearch.requestTimeout: 9000000
xpack.reporting.enabled: false
elasticsearch.ssl.verificationMode: none
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
readonlyrest_kbn.whitelistedPaths: ["./api/status$"]
readonlyrest_kbn.sessions_refresh_after: 9000
readonlyrest_kbn.sessions_probe_interval_seconds: 300
readonlyrest_kbn.sessions_index_name: ".new_sessions"
readonlyrest_kbn.session_timeout_minutes: 9000 # defaults to 4320 (3 days)
readonlyrest_kbn.clearSessionOnEvents: ["never"]
readonlyrest_kbn.cookiePass: "**"
readonlyrest_kbn.store_sessions_in_index: true
```

plugin version readonlyrest_kbn_universal-1.44.0_es8.4.3

sirdrug avatar Nov 10 '22 11:11 sirdrug