Closed pdepaepe closed 8 years ago
have you tried removing the includes lime from your fls filter?
If I'm not mistaken the include line will return no results if its empty.
If you only have an exclude line it will return all fields except the one's specified by the exclude parameter.
ie
armor.flsfilter.names: ["stripsensitive"] armor.flsfilter.stripsensitive.source_excludes: ["41281f0f7948"] ...
Rory
Tried, without success. Same behavior, all accounts are broken (even root).
could you post your full elasticsearch config and an example elasticsearch document and what field you're trying to filter on.
To be clear, i don't have problems with Armor, ES, DLS or FLS activated. Results from curl queries are ok.
Problem comes from kibana, it's very similar to bugs previously reports on guard:
https://github.com/floragunncom/search-guard/issues/12 https://groups.google.com/forum/#!topic/search-guard/hQuh6u_xe-0
you might be better off restricting a user/group to an elasticsearch alias and then using armor to restrict that user to the elasticsearch alias.
alias allows you to give them a filtered view of the index.
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html
I know alias, i don't see how it will helps Kibana to works on Armor with DLS/FLS ON.
Alias gives you the same functionality as dls so you dont need armor to do dls. You just have armor do fls to hide the field that lets you map to your users for multi-tenancy.
Lets say you have an index with shared user data. You want to restrict each user to only their data and hide the field that identifies which user the elastic doc belongs to.
You could do something like this
User: fred
Es doc:
Account: fred
Elastic Alias: Name: fred-yyyy.mm.dd Index: myapp-yyyy.mm.dd Terms: account: fred
Armor: Alias: fred-yyyy.mm.dd User: fred Execute: flsfilter.stripaccount On Nov 17, 2015 11:13 AM, "pdepaepe" notifications@github.com wrote:
I know alias, i don't see how it will helps Kibana to works on Armor with DLS/FLS ON.
— Reply to this email directly or view it on GitHub https://github.com/petaldevelopment/armor/issues/7#issuecomment-157474334 .
Hello,
I'm facing same issue. I think it's caused by response format of rewrited mget.
With armor.rewrite_get_as_search: true (Kibana doesn't work):
$ curl -XPOST -i -u user01 localhost:9200/_mget -d '{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2"}]}'
Enter host password for user 'user01':
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 115
{"_index":".kibana","_type":"config","_id":"4.1.2","found":true,"_source":{"buildNum":7562,"defaultIndex":"armor"}}
With armor.rewrite_get_as_search: false (Kibana works well):
$ curl -XPOST -i -u user01 localhost:9200/_mget -d '{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2"}]}'
Enter host password for user 'user01':
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 139
{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2","_version":2,"found":true,"_source":{"buildNum":7562,"defaultIndex":"armor"}}]}
The latter has "docs" key at beginning. The former is correct format?
Both solutions
armor.rewrite_get_as_search: false ES alias
works great!
Thanks a lot for your help.
Nice, we should add that to the documentation!
Hello,
Kibana: 4.1.1 Elasticsearch: 1.7.3
Thanks for the fork. Configuration given by SergeyBear on this page works.
https://github.com/floragunncom/search-guard/issues/3
Now i'm trying to activate this FLS configuration:
and "filters_bypass": ["flsfilter.stripsensitive"] on kibana part, it breaks, even for root user with a
Same for DLS, with this configuration
This time, filter is not given to anyone and kibana still breaks on this.
When i remove dls/fls rules from yaml, it works again.
Did i missed something ?
Thanks for your help