Closed etfeet closed 8 years ago
Hi Rory,
I don’t have Kibana3, is it possible to add the raw elasticsearch query? I will try to reproduce this issue, but it will really help me to have the query.
Thanks! Julien
On Nov 12, 2015, at 8:49 PM, etfeet notifications@github.com wrote:
I'm having a little trouble implementing dls filters on a shared index environment for logstash.
I'm trying to restrict the results that kibana returns for a shared index environment. For each document I have a username field and if the current user matches the username field they should be able to see the document.
This seems to be working great for the table graphs in kibana. However, the pie/line/bar/histogram graphs are completely bypassing the dls filters.
I have attached a screenshot of kibana - one with kibana filtering the account to the current user like the dls filter is supposed to. The other with the normal behavior showing the kibana graphs bypassing the dls filter.
Any ideas on how to resolve this?
Thanks,
Rory
user/role mappings:
users
```
armor.authentication.settingsdb.user.test1: test1
armor.authentication.settingsdb.user.test2: test2
...
```
roles
```
armor.authentication.authorization.settingsdb.roles.admin: ["root"]
armor.authentication.authorization.settingsdb.roles.logstash: ["logstash"]
armor.authentication.authorization.settingsdb.roles.test1: ["kibana","loguser"]
armor.authentication.authorization.settingsdb.roles.test2: ["kibana","loguser"]
```
dls filters
```
armor.dlsfilter.names: ["acc_test1","acc_test2","acc_username"]
armor.dlsfilter.acc_test1: ["term", "account", "test1", "false"]
armor.dlsfilter.acc_test2: ["term", "account", "test2", "false"]
armor.dlsfilter.acc_username: ["user_name", "account", "false"]
```
acl rules:
```
curl -XPUT 'http://localhost:9200/armor/ac/ac?pretty' -d '
{"acl": [
  {
    "Comment": "Default is to execute no filters - return no results",
    "filters_bypass": [],
    "filters_execute": []
  },
  {
    "Comment": "kibana index",
    "indices": ["kibana-"],
    "filters_bypass": [""],
    "filters_execute": []
  },
  {
    "Comment": "kibana mt user test",
    "users" : ["test1"],
    "indices": ["logstash-*"],
    "filters_bypass": [],
    "filters_execute": ["dlsfilter.acc_username"]
  }
]}'
```
https://cloud.githubusercontent.com/assets/11986383/11136647/46ea61ce-8965-11e5-8d70-5d1d744f7118.jpg
https://cloud.githubusercontent.com/assets/11986383/11136654/4f103d7e-8965-11e5-87b2-496330fa51ab.jpg
— Reply to this email directly or view it on GitHub https://github.com/petaldevelopment/armor/issues/6.
Attached is the firebug har export. Rename the file to .har, go to http://www.softwareishard.com/har/viewer/ and drag the har file into the browser window, and it will show you the web transaction including all elastic queries.
Note: 172.16.31.93 is the elasticsearch server. 172.16.31.71 is the kibana server.
172.16.31.71.har.txt
Hi Julien,
attached is the har export for the session from firebug. You can load the har file at http://www.softwareishard.com/har/viewer/
172.16.31.71 is the kibana server. 172.16.31.93 is the elasticsearch server.
Thanks,
Rory
On Thu, Nov 12, 2015 at 6:00 PM, Julien Maitrehenry < notifications@github.com> wrote:
Hi Rory,
I don’t have Kibana3, is it possible to add the raw elasticsearch query? I will try to reproduce this issue, but it will really help me to have the query.
Thanks! Julien
same thing happens with kibana 4.1.2 fyi
Kibana 4 is a little easier to debug.
Kibana is performing the following query:
```
{"index":"logstash-*","search_type":"count","ignore_unavailable":true}
{"size":0,"aggs":{"3":{"terms":{"field":"auth.status.raw","size":5,"order":{"_count":"desc"}}}},"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"*":{}},"fragment_size":2147483647},"query":{"filtered":{"query":{"query_string":{"query":"type:authentication","analyze_wildcard":true}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"gte":1447464935883,"lte":1447465835883}}}],"must_not":[]}}}}}
```
RESPONSE:
```
{"responses":[{"took":3,"timed_out":false,"_shards":{"total":1,"successful":1,"failed":0},"hits":{"total":3,"max_score":0.0,"hits":[]},"aggregations":{"3":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"pass","doc_count":6}]}}}]}
```
Filtered doc response count should be 3. However, it's returning the count of all documents - not just the ones the user is supposed to be able to see.
The documents look like this:
```
{
    "@version" => "1",
    "@timestamp" => "2015-11-14T01:43:36.000Z",
    "type" => "authentication",
    "file" => "/var/log/secure",
    "host" => "my_host",
    "offset" => "15213",
    "syslog_program" => "sshd",
    "syslog_pid" => "28562",
    "syslog_message" => "blahblahblah",
    "received_at" => "2015-11-14T01:43:31.138Z",
    "received_from" => "my_host",
    "syslog_severity_code" => 5,
    "syslog_facility_code" => 1,
    "syslog_facility" => "user-level",
    "syslog_severity" => "notice",
    "tags" => [],
    "syslog_fingerprint" => "7fd5963fe37edc535881b6c6346f65b7cf31d732",
    "auth" => {
        "status" => "pass",
        "program" => "sshd",
        "key" => "my_rsa_pub_key",
        "key_type" => "RSA",
        "username" => "root",
        "src_ip" => "my_source_ip"
    },
    "account" => "user"
}
```
Rory
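The mismatch in the response quoted above (`hits.total` of 3 against a bucket `doc_count` of 6) can be checked mechanically. This is an added example, not code from the thread or from the Armor project: it flags any aggregation in an `_msearch` response that counts more documents than the same search reports as visible. The names `find_agg_leaks`, `agg_doc_total` and `SAMPLE_RESPONSE` are hypothetical, and the check assumes the aggregated field is single-valued.

```python
import json

# Constructed sample: the msearch response quoted in the comment above.
SAMPLE_RESPONSE = json.loads("""
{"responses":[{"took":3,"timed_out":false,
  "_shards":{"total":1,"successful":1,"failed":0},
  "hits":{"total":3,"max_score":0.0,"hits":[]},
  "aggregations":{"3":{"doc_count_error_upper_bound":0,
    "sum_other_doc_count":0,
    "buckets":[{"key":"pass","doc_count":6}]}}}]}
""")


def agg_doc_total(agg):
    """Documents counted by a terms aggregation: listed buckets plus 'other'."""
    listed = sum(b.get("doc_count", 0) for b in agg["buckets"])
    return listed + agg.get("sum_other_doc_count", 0)


def find_agg_leaks(msearch_response):
    """Flag aggregations that count more documents than hits.total.

    Assumption: the aggregated field is single-valued, so each visible
    document falls into at most one bucket and the bucket total can never
    legitimately exceed hits.total for the same search.
    """
    findings = []
    for pos, resp in enumerate(msearch_response.get("responses", [])):
        if "error" in resp:          # failed sub-search: nothing to compare
            continue
        visible = resp["hits"]["total"]
        for name, agg in resp.get("aggregations", {}).items():
            if not isinstance(agg.get("buckets"), list):
                continue             # metric or keyed aggregation: skipped
            counted = agg_doc_total(agg)
            if counted > visible:
                findings.append({"response": pos, "aggregation": name,
                                 "hits_total": visible,
                                 "aggregated_docs": counted,
                                 "excess": counted - visible})
    return findings


if __name__ == "__main__":
    for finding in find_agg_leaks(SAMPLE_RESPONSE):
        print(finding)
```

Run as a restricted test user against each dashboard query, a non-empty result means the aggregation saw documents that the document-level filter removed from the hits.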