elasticsearch-readonlyrest-plugin
Dev tool can't work.
Hi, below is my readonlyrest.yml. I have a problem: when the user logs in and uses the Dev tool to query, the returned data is always 0, even when the query matches documents.
I am sure there are some documents that match, but the Dev tool didn't return everything.
```yaml
readonlyrest:
  enable: true
  response_if_req_forbidden: Sorry, your request is forbidden.
  access_control_rules:

  - name: Basic Kibana Access
    type: allow
    kibana_access: ro
    indices: [".kibana_@{X-Forwarded-User}"]
    groups: ["basicKibanaAccess"]
    actions: ["*"]

  - name: template filter
    type: allow
    kibana_access: ro_strict
    indices: [".kibana_template"]
    groups: ["template_filter"]

  - name: "Alex login intercept reads and filter"
    groups: ["user1group"]
    filter: "{\"bool\": { \"should\": [ { \"match\":{\"IPV4_DST_ADDR\":\"192.168.0.0/16\"} }, { \"match\":{\"IPV4_SRC_ADDR\":\"192.168.0.0/16\"} } ], \"minimum_should_match\": 1 }}"

  - name: "test1 login intercept reads and filter"
    groups: ["user2group"]

  - name: "howard login intercept reads and filter"
    groups: ["user3group"]
    filter: "{\"bool\": { \"should\": [ { \"match\":{\"IPV4_DST_ADDR\":\"163.19.0.0/16\"} }, { \"match\":{\"IPV4_SRC_ADDR\":\"163.19.0.0/16\"} } ], \"minimum_should_match\": 1 }}"

  - name: User1 login (all the rest)
    type: allow
    indices: ["logstash-*",".kibana_@{X-Forwarded-User}"]

  - name: "::KIBANA-SRV::"
    type: allow
    auth_key: kibana:kibana

  users:

  - username: alex
    proxy_auth: "alex"
    groups: ["user1group","basicKibanaAccess","template_filter"]

  - username: test1
    proxy_auth: "test1"
    groups: ["user2group","basicKibanaAccess","template_filter"]
```
thank you in advance!
Have you seen the ES logs to see what credentials are being used when the request hits ES?
Hi @sscarduzio, thanks for your reply.
elasticsearch log:
SEARCH REQUEST WILL DISABLE CACHE
[2018-07-20T11:01:18,840][INFO ][t.b.r.a.ACL ] ALLOWED by { name: 'Basic Kibana Access', policy: ALLOW} req={ ID:1213745643-424223019#20986, TYP:SearchRequest, CGR:N/A, USR:alex, BRS:false, KDX:null, ACT:indices:data/read/search, OA:163.19.163.239, DA:163.19.163.239, IDX:.kibana_alex, MET:POST, PTH:/_search, CNT:<OMITTED, LENGTH=1296>, HDR:{connection=close, Content-Length=1296, content-type=application/json, cookie=nginxauth=YWxleDphbGV4; xuser=alex; own-home-session=Fe26.2**07999aec17b8823a92678d7297915ab71bd2960f969a010700d8420675b76abf*_uYzwdPbwG81L9LrJo7sCg*P0F9BZUO7xXhqcyOiMRN6pCMxCXFYZSnTWmy5-Z-qJQyKzC7ySQBTbDcstmQk6HK3-p7qUfaiYwbca4Bdds9wXmzjO1Lc5R7noKuLnmhPcg3Fjd_1CrrUW9laLo1UqJp**6a5e6c5b409d5d928b3ca14f37218af99742025d6d8902692a267ac869dd24bd*YgSifu7rzP7bhQc29lg48V8M441MhQrhs_aNwT4A3vg, host=localhost:19200, x-forwarded-for=127.0.0.1,127.0.0.1, x-forwarded-host=localhost:5601, x-forwarded-port=48744,53484, x-forwarded-proto=http,http, x-forwarded-user=alex}, HIS:[Basic Kibana Access->[kibana_access->true, indices->true, proxy_auth->true, actions->true]] }
I think the problem is this log:
SEARCH REQUEST WILL DISABLE CACHE
How could I solve the problem? :(
thank you in advance!
Wait, how is that log line the problem?
Your query is matching the Basic Kibana Access block, which can only see one index:
indices: [".kibana_@{X-Forwarded-User}"]
It is expected that it returns no results, as that index does not contain any documents that match such a query.
Sorry, I don't quite understand the rule. In this block, the alex user could fetch the "logstash-*" index, couldn't he?

```yaml
- name: User1 login (all the rest)
  type: allow
  indices: ["logstash-*",".kibana_@{X-Forwarded-User}"]
```

Is it possible to let the alex user query in the Dev tool and also filter the documents as above?
Of course. You can put the block with filter rule higher in your ACL, so the request matches it before having time to evaluate the others.
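The first-match behaviour described in this reply, as an added example that is not part of the original thread or of ReadonlyREST's own code: a simplified Python model of top-down block evaluation using three blocks from the posted config. The cluster index list, the helper names, and the way an index-less search is narrowed to the block's allowed indices are assumptions of this model; `kibana_access`, `actions` and the other blocks are left out.

```python
from fnmatch import fnmatch

# Constructed sample data: indices assumed to exist on the cluster.
CLUSTER_INDICES = [".kibana_alex", ".kibana_template", "logstash-2018.07.20"]
USER_GROUPS = {"alex": ["user1group", "basicKibanaAccess", "template_filter"]}

# Three blocks copied from the posted readonlyrest.yml (filter body shortened).
KIBANA = {"name": "Basic Kibana Access", "groups": ["basicKibanaAccess"],
          "indices": [".kibana_@{X-Forwarded-User}"]}
FILTERED = {"name": "Alex login intercept reads and filter",
            "groups": ["user1group"], "filter": "192.168.0.0/16 bool query"}
REST = {"name": "User1 login (all the rest)",
        "indices": ["logstash-*", ".kibana_@{X-Forwarded-User}"]}

ORIGINAL = [KIBANA, FILTERED, REST]    # order as first posted
REORDERED = [FILTERED, KIBANA, REST]   # filter block moved to the top


def resolve_indices(block, user, requested):
    """Return the indices this block lets the request touch ([] = no match)."""
    # A search with no index in the path (POST /_search) targets everything.
    wanted = requested or CLUSTER_INDICES
    if "indices" not in block:
        return list(wanted)
    allowed = [p.replace("@{X-Forwarded-User}", user) for p in block["indices"]]
    return [i for i in wanted if any(fnmatch(i, p) for p in allowed)]


def first_match(blocks, user, requested=None):
    """Walk the ACL top-down; the first block whose rules all match wins."""
    for block in blocks:
        groups = block.get("groups")
        if groups and not set(groups) & set(USER_GROUPS.get(user, [])):
            continue  # groups rule failed, try the next block
        indices = resolve_indices(block, user, requested)
        if indices:
            return block["name"], indices, block.get("filter")
    return None, [], None  # nothing matched: the request is forbidden


if __name__ == "__main__":
    print(first_match(ORIGINAL, "alex"))
    print(first_match(REORDERED, "alex"))
```

In the original order the index-less Dev Tools search resolves to `.kibana_alex` only, which matches the `IDX:.kibana_alex` field in the posted log line; with the filter block first, the same request reaches all indices with the filter attached.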
Sorry, could you give me some hints? :( Do you mean move the block up? It looks like it can't work correctly.
```yaml
readonlyrest:
  enable: true
  response_if_req_forbidden: Sorry, your request is forbidden.
  access_control_rules:

  - name: "Alex login intercept reads and filter"
    groups: ["user1group"]
    filter: "{\"bool\": { \"should\": [ { \"match\":{\"IPV4_DST_ADDR\":\"192.168.0.0/16\"} }, { \"match\":{\"IPV4_SRC_ADDR\":\"192.168.0.0/16\"} } ], \"minimum_should_match\": 1 }}"

  - name: Basic Kibana Access
    type: allow
    kibana_access: ro
    indices: [".kibana_@{X-Forwarded-User}",".kibana_template"]
    groups: ["basicKibanaAccess"]
    actions: ["*"]

  - name: "test1 login intercept reads and filter"
    groups: ["user2group"]

  - name: User1 login (all the rest)
    type: allow
    indices: ["logstash-*",".kibana_@{X-Forwarded-User}"]

  - name: "::KIBANA-SRV::"
    type: allow
    auth_key: kibana:kibana

  users:

  - username: alex
    proxy_auth: "alex"
    groups: ["user1group","basicKibanaAccess"]

  - username: test1
    proxy_auth: "test1"
    groups: ["user2group","basicKibanaAccess"]
```
this is fixed