Elastic-HQ grant access to Elasticsearch other users without authorization if one user was authorized

[svk-28]

General information

• OS Platform and Distribution (e.g., Linux Ubuntu 16.04): CentOS Linux release 7.8.2003 (Core)
• ElasticHQ Version: elastichq/elasticsearch-hq:latest
• Elasticsearch Version: opendistro-for-elasticsearch:1.9.0
• Python version (ignore is using docker image):
• Browser Vendor and Version (if applicable): FireFox, Chrome, Edge

The system is running in docker. User access is via https. for this purpose, elastic-hq is located behind nginx. Elasticsearch used LDAP authentication and authorization

Issue Description

There was a problem with access to the Elasticsearch cluster: if one user was authorized in ES via Elastic-HQ, then other users (from different work station) who selected the desired cluster in the dialog get access to Elasticsearch without authorization.

Source Code / Logs

docker-compose nginx: image: nginx container_name: nginx env_file:

• .env restart: always ports:
• 443:443 environment:
• NGINX_HOST=${NGINX_HOST} volumes:
• ./nginx/templates:/etc/nginx/templates
• ./ssl/cert.pem:/etc/nginx/certs/nginx-selfsigned.pem:ro
• ./ssl/client.key:/etc/nginx/certs/nginx-selfsigned.key:ro networks:
• odfe-net elastic-hq: image: elastichq/elasticsearch-hq container_name: elastic-hq restart: always environment:
• HQ_CA_CERTS=/src/ca.pem
• CLIENT_KEY=/src/client.key
• CLIENT_CERT=/src/client.pem
• HQ_ENABLE_SSL=True
• HQ_VERIFY_CERTS=False
• HQ_DEFAULT_URL=https://odfe-node1:9200 volumes:
  • ./ssl/MyRootCA.pem:/src/ca.pem:ro
  • ./ssl/crert.pem:/src/client.pem:ro
  • ./ssl/client.key:/src/client.key:ro networks:
• odfe-net depends_on:
• nginx

nginx.conf.template server { listen 443 ssl; server_name ${NGINX_HOST}; client_max_body_size 100M; ssl_certificate /etc/nginx/certs/nginx-selfsigned.pem; ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;

location / { proxy_pass http://elastic-hq:5000;

proxy_redirect off;

   proxy_set_header   Host             $host;
   proxy_set_header   X-Real-IP        $remote_addr;
   proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

} }