elasticsearch-readonlyrest-plugin
elasticsearch-readonlyrest-plugin copied to clipboard
Kibana Short URL denied with kibana_access: ro
ES/Kibana Version: 7.4.2 Read only rest: readonlyrest-1.18.9_es7.4.2.zip
The kibana short URL is being denied with this message:
FORBIDDEN by default req={ ID:393302858-2145333100#617943, TYP:IndexRequest, CGR:N/A, USR:[user not logged], BRS:false, KDX:null, ACT:indices:data/write/index, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:.kibana, MET:POST, PTH:/.kibana/_create/url:276ec67b769e5876e925c3a63e18a195, CNT:<OMITTED, LENGTH=1575.0 B> , HDR:Connection=keep-alive, Content-Length=1575, Host=localhost:9201, content-type=application/json, HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], [GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]] }
The relevant rule that should allow it (with kibana_access:ro):
- name: GRACC Kibana read-only
type: allow
kibana_access: ro
kibana_index: .kibana
indices: ["<no-index>", "gracc*"]
Is kibana_access: ro suppose to allow short URL?
Your acl block has a contradiction: how is the user supposed to use .kibana index for their kibana session, if the indices rule doesn't allow access?
I attempted to add the .kibana
index to the list of indices:
- name: GRACC Kibana read-only
type: allow
kibana_access: ro
kibana_index: .kibana
indices: ["<no-index>", ".kibana", "gracc*"]
It is denying:
[2020-06-24T10:18:31,179][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [gracc-ro] FORBIDDEN by default req={ ID:1300413162-1736705441#6248, TYP:IndexRequest, CGR:N/A, USR:[user not logged], BRS:false, KDX:null, ACT:indices:data/write/index, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:.kibana, MET:POST, PTH:/.kibana/_create/url:dc59d3905d4ba97390976d8bbc0a3819, CNT:<OMITTED, LENGTH=1112.0 B> , HDR:Connection=keep-alive, Content-Length=1112, Host=localhost:9201, content-type=application/json, HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], [GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]] }
Is it relevant that kibana_access
is "false"? for the "GRACC Kibana read-only" ruleset.