elasticsearch-readonlyrest-plugin

Kibana Short URL denied with kibana_access: ro

Open djw8605 opened this issue 4 years ago • 2 comments

ES/Kibana version: 7.4.2; ReadonlyREST: readonlyrest-1.18.9_es7.4.2.zip

The kibana short URL is being denied with this message:

FORBIDDEN by default req={  ID:393302858-2145333100#617943,  TYP:IndexRequest,  CGR:N/A,  USR:[user not logged],  BRS:false,  KDX:null,  ACT:indices:data/write/index,  OA:127.0.0.1/32,  XFF:null,  DA:127.0.0.1/32,  IDX:.kibana,  MET:POST,  PTH:/.kibana/_create/url:276ec67b769e5876e925c3a63e18a195,  CNT:<OMITTED, LENGTH=1575.0 B> ,  HDR:Connection=keep-alive, Content-Length=1575, Host=localhost:9201, content-type=application/json,  HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], [GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]]  }

The relevant rule that should allow it (with kibana_access:ro):

    - name: GRACC Kibana read-only
      type: allow
      kibana_access: ro
      kibana_index: .kibana
      indices: ["<no-index>", "gracc*"]

Is kibana_access: ro supposed to allow short URLs?

djw8605, Jun 24 '20 14:06

Your ACL block has a contradiction: how is the user supposed to use the .kibana index for their Kibana session if the indices rule doesn't allow access to it?

sscarduzio, Jun 24 '20 14:06

I attempted to add the .kibana index to the list of indices:

    - name: GRACC Kibana read-only
      type: allow
      kibana_access: ro
      kibana_index: .kibana
      indices: ["<no-index>", ".kibana", "gracc*"]

It is denying:

[2020-06-24T10:18:31,179][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [gracc-ro] FORBIDDEN by default req={  ID:1300413162-1736705441#6248,  TYP:IndexRequest,  CGR:N/A,  USR:[user not logged],  BRS:false,  KDX:null,  ACT:indices:data/write/index,  OA:127.0.0.1/32,  XFF:null,  DA:127.0.0.1/32,  IDX:.kibana,  MET:POST,  PTH:/.kibana/_create/url:dc59d3905d4ba97390976d8bbc0a3819,  CNT:<OMITTED, LENGTH=1112.0 B> ,  HDR:Connection=keep-alive, Content-Length=1112, Host=localhost:9201, content-type=application/json,  HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], [GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]]  }

Is it relevant that kibana_access is "false" for the "GRACC Kibana read-only" ruleset?

djw8605, Jun 24 '20 15:06
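Added here as a worked example (not ReadonlyREST code and not from either poster): a small Python parser for the `FORBIDDEN by default req={...}` lines quoted in both posts above. It splits the record into its fields and unpacks `HIS`, the per-block rule history, so you can read off programmatically that in both rejections the `GRACC Kibana read-only` block failed on `kibana_access` (the `indices` rule was never the one reported as false), and that the `GRACC Kibana admin` block failed on `auth_key` because the request was unauthenticated. The key pattern (`,<spaces>KEY:`) and the `HIS` grammar are assumptions fitted to the two quoted lines, not a documented format; the sample lines are copied from the thread.

```python
"""Parse ReadonlyREST "FORBIDDEN by default req={...}" access-control log lines.

Added example for this thread (not ReadonlyREST code). It splits the
req={...} record into fields and unpacks HIS, the per-block rule history,
so the failing rule in each ACL block can be read off programmatically.
The key pattern and the HIS grammar are fitted to the two lines quoted in
the issue and are assumptions, not a documented format.
"""
import re
from typing import Dict, List

# Both rejections quoted in the issue (copied from the thread; the second
# still carries its log4j prefix, which the parser ignores).
FIRST_LOG = (
    "FORBIDDEN by default req={  ID:393302858-2145333100#617943,  TYP:IndexRequest,  "
    "CGR:N/A,  USR:[user not logged],  BRS:false,  KDX:null,  ACT:indices:data/write/index,  "
    "OA:127.0.0.1/32,  XFF:null,  DA:127.0.0.1/32,  IDX:.kibana,  MET:POST,  "
    "PTH:/.kibana/_create/url:276ec67b769e5876e925c3a63e18a195,  "
    "CNT:<OMITTED, LENGTH=1575.0 B> ,  HDR:Connection=keep-alive, Content-Length=1575, "
    "Host=localhost:9201, content-type=application/json,  "
    "HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], "
    "[GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]]  }"
)
SECOND_LOG = (
    "[2020-06-24T10:18:31,179][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] "
    "[gracc-ro] FORBIDDEN by default req={  ID:1300413162-1736705441#6248,  "
    "TYP:IndexRequest,  CGR:N/A,  USR:[user not logged],  BRS:false,  KDX:null,  "
    "ACT:indices:data/write/index,  OA:127.0.0.1/32,  XFF:null,  DA:127.0.0.1/32,  "
    "IDX:.kibana,  MET:POST,  PTH:/.kibana/_create/url:dc59d3905d4ba97390976d8bbc0a3819,  "
    "CNT:<OMITTED, LENGTH=1112.0 B> ,  HDR:Connection=keep-alive, Content-Length=1112, "
    "Host=localhost:9201, content-type=application/json,  "
    "HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], "
    "[GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]]  }"
)

# A field starts at the beginning of the record or after ",<spaces>" and is a
# short upper-case key followed by ':'. Values such as ACT and PTH contain
# ':' themselves, so we cut at key positions rather than splitting on ':'.
_KEY_RE = re.compile(r"(?:^|,\s+)([A-Z]{2,4}):")
# One ACL block inside HIS: [name-> RULES:[rule->bool, ...], RESOLVED:[...]]
_BLOCK_RE = re.compile(
    r"\[(?P<name>[^\[\]]+?)-> RULES:\[(?P<rules>[^\]]*)\], RESOLVED:\[(?P<resolved>[^\]]*)\]\]?"
)


def parse_record(line: str) -> Dict[str, str]:
    """Return the req={...} fields as a dict; values keep their own ':'."""
    m = re.search(r"req=\{(.*)\}\s*$", line)
    if not m:
        raise ValueError("no req={...} record in line")
    body = m.group(1).strip()
    cuts = []  # (key, start of the separator before it, start of its value)
    for km in _KEY_RE.finditer(body):
        before = body[: km.start(1)]
        if before.count("[") != before.count("]"):
            continue  # look-alike key inside a bracketed value such as HIS
        cuts.append((km.group(1), km.start(), km.end()))
    fields: Dict[str, str] = {}
    for i, (key, _, value_start) in enumerate(cuts):
        end = cuts[i + 1][1] if i + 1 < len(cuts) else len(body)
        fields[key] = body[value_start:end].strip()
    return fields


def parse_history(his: str) -> List[Dict]:
    """Unpack HIS into [{block, rules: {rule: bool}, resolved}] in evaluation order."""
    blocks: List[Dict] = []
    for bm in _BLOCK_RE.finditer(his):
        rules: Dict[str, bool] = {}
        for item in bm.group("rules").split(","):
            item = item.strip()
            if not item:
                continue
            rule, _, verdict = item.partition("->")
            rules[rule.strip()] = verdict.strip() == "true"
        blocks.append({"block": bm.group("name").strip(),
                       "rules": rules,
                       "resolved": bm.group("resolved").strip()})
    return blocks


def failed_rules(line: str) -> Dict[str, List[str]]:
    """Block name -> the rules that evaluated to false in that block."""
    his = parse_record(line).get("HIS", "")
    return {b["block"]: [r for r, ok in b["rules"].items() if not ok]
            for b in parse_history(his)}


def explain(line: str) -> str:
    """Human-readable summary: what was attempted and which rule each block failed on."""
    f = parse_record(line)
    out = [f"{f.get('ACT')} on index {f.get('IDX')} ({f.get('MET')} {f.get('PTH')}) "
           f"by {f.get('USR')} from {f.get('OA')}"]
    for block, bad in failed_rules(line).items():
        out.append(f"  block {block!r}: failed rule(s) {', '.join(bad) or 'none'}")
    return "\n".join(out)


if __name__ == "__main__":
    for log in (FIRST_LOG, SECOND_LOG):
        print(explain(log))
        print()
```

The bracket-balance check in `parse_record` is what keeps `RULES:` and `RESOLVED:` inside `HIS` from being mistaken for top-level keys; `HDR` and `CNT` are safe without it because their inner separators are never followed by a short all-caps key and a colon. Run `explain()` over a whole log file to list, per rejected request, which block stopped on which rule; when every denial shows `kibana_access` as the false rule, editing `indices` will not change the outcome.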