petalmd / armor

Apache License 2.0

kibana3 access control #6

Closed etfeet closed 8 years ago

etfeet commented 8 years ago

I'm having a little trouble implementing dls filters on a shared index environment for logstash.

I'm trying to restrict the results that Kibana returns for a shared index environment. For each document I have a username field, and if the current user matches the username field they should be able to see the document.

This seems to be working great for the table graphs in Kibana. However, the pie/line/bar/histogram graphs are completely bypassing the DLS filters.

I have attached a screenshot of Kibana: one with Kibana filtering the account to the current user like the DLS filter is supposed to, the other with the normal behavior showing the Kibana graphs bypassing the DLS filter.

Any ideas on how to resolve this?

Thanks,

Rory

user/role mappings:

users

armor.authentication.settingsdb.user.test1: test1
armor.authentication.settingsdb.user.test2: test2
...

roles

armor.authentication.authorization.settingsdb.roles.admin: ["root"]
armor.authentication.authorization.settingsdb.roles.logstash: ["logstash"]
armor.authentication.authorization.settingsdb.roles.test1: ["kibana","loguser"]
armor.authentication.authorization.settingsdb.roles.test2: ["kibana","loguser"]

DLS filters

armor.dlsfilter.names: ["acc_test1","acc_test2","acc_username"]
armor.dlsfilter.acc_test1: ["term", "account", "test1", "false"]
armor.dlsfilter.acc_test2: ["term", "account", "test2", "false"]
armor.dlsfilter.acc_username: ["user_name", "account", "false"]

ACL rules:

curl -XPUT 'http://localhost:9200/armor/ac/ac?pretty' -d '
{"acl": [
  {
    "Comment": "Default is to execute no filters - return no results",
    "filters_bypass": [],
    "filters_execute": []
  },
  {
    "Comment": "kibana index",
    "indices": ["kibana-*"],
    "filters_bypass": ["*"],
    "filters_execute": []
  },
  {
    "Comment": "kibana mt user test",
    "users": ["test1"],
    "indices": ["logstash-*"],
    "filters_bypass": [],
    "filters_execute": ["dlsfilter.acc_username"]
  }
]}'

kibana_acc_filter: https://cloud.githubusercontent.com/assets/11986383/11136647/46ea61ce-8965-11e5-8d70-5d1d744f7118.jpg

kibana_acl: https://cloud.githubusercontent.com/assets/11986383/11136654/4f103d7e-8965-11e5-87b2-496330fa51ab.jpg

jmaitrehenry commented 8 years ago

Hi Rory,

I don't have Kibana 3. Is it possible to add the raw Elasticsearch query? I will try to reproduce this issue, but it will really help me to have the query.

Thanks! Julien

On Nov 12, 2015, at 8:49 PM, etfeet notifications@github.com wrote:


etfeet commented 8 years ago

Attached is the Firebug HAR export. Rename the file to .har, go to http://www.softwareishard.com/har/viewer/ and drag the HAR file into the browser window; it will show you the web transaction, including all Elasticsearch queries.

Note: 172.16.31.93 is the Elasticsearch server; 172.16.31.71 is the Kibana server. Attachment: 172.16.31.71.har.txt

etfeet commented 8 years ago

Hi Julien,

Attached is the HAR export for the session from Firebug. You can load the HAR file at http://www.softwareishard.com/har/viewer/

172.16.31.71 is the Kibana server. 172.16.31.93 is the Elasticsearch server.

Thanks,

Rory

On Thu, Nov 12, 2015 at 6:00 PM, Julien Maitrehenry <notifications@github.com> wrote:


etfeet commented 8 years ago

Same thing happens with Kibana 4.1.2, FYI.

Kibana 4 is a little easier to debug.

Kibana is performing the following query:

POST http://172.16.31.91:5601/elasticsearch/_msearch?timeout=0&ignore_unavailable=true&preference=1447465810167

{"index":"logstash-*","search_type":"count","ignore_unavailable":true}
{
  "size": 0,
  "aggs": {"3": {"terms": {"field": "auth.status.raw", "size": 5, "order": {"_count": "desc"}}}},
  "highlight": {
    "pre_tags": ["@kibana-highlighted-field@"],
    "post_tags": ["@/kibana-highlighted-field@"],
    "fields": {"*": {}},
    "fragment_size": 2147483647
  },
  "query": {
    "filtered": {
      "query": {"query_string": {"query": "type:authentication", "analyze_wildcard": true}},
      "filter": {
        "bool": {
          "must": [{"range": {"@timestamp": {"gte": 1447464935883, "lte": 1447465835883}}}],
          "must_not": []
        }
      }
    }
  }
}

RESPONSE:
{"responses": [{
  "took": 3, "timed_out": false,
  "_shards": {"total": 1, "successful": 1, "failed": 0},
  "hits": {"total": 3, "max_score": 0.0, "hits": []},
  "aggregations": {"3": {"doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
                         "buckets": [{"key": "pass", "doc_count": 6}]}}
}]}

The filtered doc response count should be 3. However, it's returning the count of all documents, not just the ones the user is supposed to be able to see.

the documents look like this:

{
  "@version" => "1",
  "@timestamp" => "2015-11-14T01:43:36.000Z",
  "type" => "authentication",
  "file" => "/var/log/secure",
  "host" => "my_host",
  "offset" => "15213",
  "syslog_program" => "sshd",
  "syslog_pid" => "28562",
  "syslog_message" => "blahblahblah",
  "received_at" => "2015-11-14T01:43:31.138Z",
  "received_from" => "my_host",
  "syslog_severity_code" => 5,
  "syslog_facility_code" => 1,
  "syslog_facility" => "user-level",
  "syslog_severity" => "notice",
  "tags" => [],
  "syslog_fingerprint" => "7fd5963fe37edc535881b6c6346f65b7cf31d732",
  "auth" => {
    "status" => "pass",
    "program" => "sshd",
    "key" => "my_rsa_pub_key",
    "key_type" => "RSA",
    "username" => "root",
    "src_ip" => "my_source_ip"
  },
  "account" => "user"
}

Rory
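As an added example (not code from this thread or from the armor project) of the mechanism behind the symptom in the last comment: the Python below takes the Kibana 4 `_msearch` request and response quoted above, constructed inline as sample data, rewrites the request so the per-user term filter is injected into the top-level query (which constrains aggregations as well, because aggregations are computed over the documents the query matches), and cross-checks a response for the tell-tale sign of a bypass, a bucket aggregation counting more documents than `hits.total`. The field name `account`, the ES 1.x `filtered` query syntax and all function names are assumptions.

```python
import json
from copy import deepcopy

# Constructed sample input: the Kibana 4 _msearch request from the thread
# (ndjson: index header line, then the query line), reduced to the parts
# that matter for the DLS question.
MSEARCH_BODY = "\n".join([
    json.dumps({"index": "logstash-*", "search_type": "count",
                "ignore_unavailable": True}),
    json.dumps({
        "size": 0,
        "aggs": {"3": {"terms": {"field": "auth.status.raw", "size": 5,
                                  "order": {"_count": "desc"}}}},
        "query": {"filtered": {
            "query": {"query_string": {"query": "type:authentication",
                                       "analyze_wildcard": True}},
            "filter": {"bool": {
                "must": [{"range": {"@timestamp": {"gte": 1447464935883,
                                                   "lte": 1447465835883}}}],
                "must_not": []}}}},
    }),
]) + "\n"

# Constructed from the response quoted in the thread: hits.total says the
# user may see 3 documents, but the terms aggregation counted 6.
LEAKY_RESPONSE = {"responses": [{
    "took": 3, "timed_out": False,
    "hits": {"total": 3, "max_score": 0.0, "hits": []},
    "aggregations": {"3": {"doc_count_error_upper_bound": 0,
                           "sum_other_doc_count": 0,
                           "buckets": [{"key": "pass", "doc_count": 6}]}}}]}

# The same response once the filter also reaches the aggregation.
CLEAN_RESPONSE = deepcopy(LEAKY_RESPONSE)
CLEAN_RESPONSE["responses"][0]["aggregations"]["3"]["buckets"][0]["doc_count"] = 3


def parse_msearch(msearch_body):
    """Split an ndjson _msearch body into (header, body) dict pairs."""
    lines = [line for line in msearch_body.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("msearch body must alternate header/body lines")
    return [(json.loads(lines[i]), json.loads(lines[i + 1]))
            for i in range(0, len(lines), 2)]


def dls_term_filter(username, field="account"):
    """Per-user filter: a document is visible only if <field> == username.
    Mirrors the thread's acc_username filter; the field name is an assumption."""
    return {"term": {field: username}}


def apply_dls(msearch_body, username, field="account"):
    """Wrap every query in the _msearch body in an ES 1.x 'filtered' query
    carrying the DLS term filter.  Aggregations run over the documents the
    top-level query matches, so a filter injected here constrains hits and
    aggregations alike.  Filtering only the returned hit list would leave a
    'size': 0 aggregation request (what Kibana's graphs send) unfiltered."""
    out = []
    for header, body in parse_msearch(msearch_body):
        body = deepcopy(body)
        original = body.get("query", {"match_all": {}})
        body["query"] = {"filtered": {
            "query": original,
            "filter": {"bool": {"must": [dls_term_filter(username, field)]}}}}
        out.append(json.dumps(header, separators=(",", ":")))
        out.append(json.dumps(body, separators=(",", ":")))
    return "\n".join(out) + "\n"


def find_dls_leaks(msearch_response):
    """Cross-check each response: hits.total is the number of documents the
    caller may see, so over a single-valued field no bucket aggregation can
    count more than that.  One that does has seen documents the hit list
    never returned, i.e. the DLS filter reached the hits but not the
    aggregation.  (A multi-valued field can legitimately place one document
    in several buckets; exclude such fields before calling this a leak.)"""
    leaks = []
    for n, resp in enumerate(msearch_response.get("responses", [])):
        total = resp.get("hits", {}).get("total", 0)
        for name, agg in resp.get("aggregations", {}).items():
            buckets = agg.get("buckets")
            if buckets is None:
                continue
            counted = sum(b.get("doc_count", 0) for b in buckets)
            counted += agg.get("sum_other_doc_count", 0)
            if counted > total:
                leaks.append({"response": n, "agg": name,
                              "hits_total": total, "agg_docs": counted})
    return leaks


if __name__ == "__main__":
    print("leaks in thread response:", find_dls_leaks(LEAKY_RESPONSE))
    print("leaks after fix:", find_dls_leaks(CLEAN_RESPONSE))
    print(apply_dls(MSEARCH_BODY, "test1"))
```

`find_dls_leaks` is a cheap regression check to run against a proxy or HAR capture after changing the filter configuration: any `size: 0` aggregation-only request whose buckets add up to more than `hits.total` over a single-valued field means the per-user filter is being applied to the hit list rather than to the query itself.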