elasticsearch-readonlyrest-plugin icon indicating copy to clipboard operation
elasticsearch-readonlyrest-plugin copied to clipboard

Published 20 hours ago verified publisher icon sscarduzio

Dev tool can't work.

Open Howard-Chang opened this issue 5 years ago • 8 comments

Hi, below is my readonlyrest.yml. I have a problem that when the user login, and use the Dev tool to query. Every time even it matches documents the return data is 0. I am sure there are some documents matches, but Dev tool didn't return everything. image image

readonlyrest:
 enable: true
 response_if_req_forbidden: Sorry, your request is forbidden.
 access_control_rules:

- name: Basic Kibana Access
   type: allow
   kibana_access: ro
   indices: [".kibana_@{X-Forwarded-User}"]
   groups: ["basicKibanaAccess"]
   actions: ["*"]

 - name: template filter
   type: allow
   kibana_access: ro_strict
   indices: [".kibana_template"]
   groups: ["template_filter"]

 - name: "Alex login intercept reads and filter"
   groups: ["user1group"]
   filter: "{\"bool\": { \"should\": [ { \"match\":{\"IPV4_DST_ADDR\":\"192.168.0.0/16\"} }, { \"match\":{\"IPV4_SRC_ADDR\":\"192.168.0.0/16\"} }  ], \"minimum_should_match\": 1 }}"

 - name: "test1 login intercept reads and filter"
   groups: ["user2group"]
 - name: "howard login intercept reads and filter"
   groups: ["user3group"]
   filter: "{\"bool\": { \"should\": [ { \"match\":{\"IPV4_DST_ADDR\":\"163.19.0.0/16\"} }, { \"match\":{\"IPV4_SRC_ADDR\":\"163.19.0.0/16\"} }  ], \"minimum_should_match\": 1 }}"

 - name: User1 login (all the rest)
   type: allow
   indices: ["logstash-*",".kibana_@{X-Forwarded-User}"]

 - name: "::KIBANA-SRV::"
   type: allow
   auth_key: kibana:kibana

 users:
 - username: alex
   proxy_auth: "alex"
   groups: ["user1group","basicKibanaAccess","template_filter"]
 - username: test1
   proxy_auth: "test1"
   groups: ["user2group","basicKibanaAccess","template_filter"]

thank you in advance!

Howard-Chang avatar Jul 19 '18 07:07 Howard-Chang

Have you seen the ES logs to see what credentials are being used when the request hits ES?

sscarduzio avatar Jul 19 '18 07:07 sscarduzio

Hi, @sscarduzio thanks for your reply.

elasticsearch log:

SEARCH REQUEST WILL DISABLE CACHE
[2018-07-20T11:01:18,840][INFO ][t.b.r.a.ACL              ] ALLOWED by { name: 'Basic Kibana Access', policy: ALLOW} req={ ID:1213745643-424223019#20986, TYP:SearchRequest, CGR:N/A, USR:alex, BRS:false, KDX:null, ACT:indices:data/read/search, OA:163.19.163.239, DA:163.19.163.239, IDX:.kibana_alex, MET:POST, PTH:/_search, CNT:<OMITTED, LENGTH=1296>, HDR:{connection=close, Content-Length=1296, content-type=application/json, cookie=nginxauth=YWxleDphbGV4; xuser=alex; own-home-session=Fe26.2**07999aec17b8823a92678d7297915ab71bd2960f969a010700d8420675b76abf*_uYzwdPbwG81L9LrJo7sCg*P0F9BZUO7xXhqcyOiMRN6pCMxCXFYZSnTWmy5-Z-qJQyKzC7ySQBTbDcstmQk6HK3-p7qUfaiYwbca4Bdds9wXmzjO1Lc5R7noKuLnmhPcg3Fjd_1CrrUW9laLo1UqJp**6a5e6c5b409d5d928b3ca14f37218af99742025d6d8902692a267ac869dd24bd*YgSifu7rzP7bhQc29lg48V8M441MhQrhs_aNwT4A3vg, host=localhost:19200, x-forwarded-for=127.0.0.1,127.0.0.1, x-forwarded-host=localhost:5601, x-forwarded-port=48744,53484, x-forwarded-proto=http,http, x-forwarded-user=alex}, HIS:[Basic Kibana Access->[kibana_access->true, indices->true, proxy_auth->true, actions->true]] }

I think the problem is this log: SEARCH REQUEST WILL DISABLE CACHE

How could I solve the problem : (

thank you in advance!

Howard-Chang avatar Jul 20 '18 03:07 Howard-Chang

wait, how is that log line the problem?

sscarduzio avatar Jul 20 '18 14:07 sscarduzio

your query is matching Basic Kibana Access block, which only can see one index

   indices: [".kibana_@{X-Forwarded-User}"]

it is expected that returns no result, as that index does not contain any document that match such query.

sscarduzio avatar Jul 20 '18 14:07 sscarduzio

sorry, I don't very understand the rule. In this block alex user could fetch "logstash-*" index isn't it?

 - name: User1 login (all the rest)
   type: allow
   indices: ["logstash-*",".kibana_@{X-Forwarded-User}"]

Howard-Chang avatar Jul 21 '18 04:07 Howard-Chang

Is it possible to let alex user query in dev tool and also filter the document such as above?

Howard-Chang avatar Jul 21 '18 23:07 Howard-Chang

Of course. You can put the block with filter rule higher in your ACL, so the request matches it before having time to evaluate the others.

sscarduzio avatar Jul 22 '18 14:07 sscarduzio

Sorry could you give me some hints : ( Do you mean move the block up, but it looks can'k work correctly.

readonlyrest:
 enable: true
 response_if_req_forbidden: Sorry, your request is forbidden.
 access_control_rules:
 - name: "Alex login intercept reads and filter"
   groups: ["user1group"]
   filter: "{\"bool\": { \"should\": [ { \"match\":{\"IPV4_DST_ADDR\":\"192.168.0.0/16\"} }, { \"match\":{\"IPV4_SRC_ADDR\":\"192.168.0.0/16\"} }  ], \"minimum_should_match\": 1 }}"

 - name: Basic Kibana Access
   type: allow
   kibana_access: ro
   indices: [".kibana_@{X-Forwarded-User}",".kibana_template"]
   groups: ["basicKibanaAccess"]
   actions: ["*"]

 - name: "test1 login intercept reads and filter"
   groups: ["user2group"]

 - name: User1 login (all the rest)
   type: allow
   indices: ["logstash-*",".kibana_@{X-Forwarded-User}"]

 - name: "::KIBANA-SRV::"
   type: allow
   auth_key: kibana:kibana

 users:
 - username: alex
   proxy_auth: "alex"
   groups: ["user1group","basicKibanaAccess"]
 - username: test1
   proxy_auth: "test1"
   groups: ["user2group","basicKibanaAccess"]

Howard-Chang avatar Jul 23 '18 03:07 Howard-Chang

this is fixed

coutoPL avatar Sep 03 '22 19:09 coutoPL