petalmd / armor

DLS/FLS broken? (kibana 4) #7

Closed pdepaepe closed 8 years ago

pdepaepe commented 8 years ago

Hello,

Kibana: 4.1.1
Elasticsearch: 1.7.3

Thanks for the fork. Configuration given by SergeyBear on this page works.

https://github.com/floragunncom/search-guard/issues/3

Now I'm trying to activate this FLS configuration:

armor.rewrite_get_as_search: true
armor.flsfilter.names: ["stripsensitive"]
armor.flsfilter.stripsensitive.source_includes: []
armor.flsfilter.stripsensitive.source_excludes: ["41281f0f7948"]

and "filters_bypass": ["flsfilter.stripsensitive"] on the Kibana part, it breaks, even for the root user, with a

TypeError: Cannot read property 'timed_out' of undefined
    at http://localhost:5601/index.js?_b=7489:43071:17
    at Function.Promise.try (http://localhost:5601/index.js?_b=7489:46434:26)
    at http://localhost:5601/index.js?_b=7489:46412:27
    at Array.map (native)
    at Function.Promise.map (http://localhost:5601/index.js?_b=7489:46411:30)
    at callResponseHandlers (http://localhost:5601/index.js?_b=7489:43064:22)
    at http://localhost:5601/index.js?_b=7489:43182:16
    at wrappedCallback (http://localhost:5601/index.js?_b=7489:20893:81)
    at wrappedCallback (http://localhost:5601/index.js?_b=7489:20893:81)
    at http://localhost:5601/index.js?_b=7489:20979:26

Same for DLS, with this configuration:

armor.rewrite_get_as_search: true
armor.dlsfilter.names: ["a"]
armor.dlsfilter.a: ["exists","source", "false"]

This time, the filter is not given to anyone and Kibana still breaks on this.

When I remove the DLS/FLS rules from the YAML, it works again.

Did I miss something?

Thanks for your help

etfeet commented 8 years ago

Have you tried removing the includes line from your FLS filter?

If I'm not mistaken the include line will return no results if it's empty.

If you only have an exclude line it will return all fields except the ones specified by the exclude parameter.

i.e.

armor.flsfilter.names: ["stripsensitive"]
armor.flsfilter.stripsensitive.source_excludes: ["41281f0f7948"]
...

Rory

pdepaepe commented 8 years ago

Tried, without success. Same behavior, all accounts are broken (even root).

etfeet commented 8 years ago

Could you post your full Elasticsearch config, an example Elasticsearch document, and what field you're trying to filter on?

pdepaepe commented 8 years ago

To be clear, I don't have problems with Armor, ES, DLS or FLS activated. Results from curl queries are ok.

The problem comes from Kibana, it's very similar to bugs previously reported on guard:

https://github.com/floragunncom/search-guard/issues/12
https://groups.google.com/forum/#!topic/search-guard/hQuh6u_xe-0

etfeet commented 8 years ago

You might be better off restricting a user/group to an Elasticsearch alias and then using Armor to restrict that user to the Elasticsearch alias.

An alias allows you to give them a filtered view of the index.

https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html

pdepaepe commented 8 years ago

I know alias, I don't see how it will help Kibana to work on Armor with DLS/FLS ON.

etfeet commented 8 years ago

Alias gives you the same functionality as DLS so you don't need Armor to do DLS. You just have Armor do FLS to hide the field that lets you map to your users for multi-tenancy.

Let's say you have an index with shared user data. You want to restrict each user to only their data and hide the field that identifies which user the Elastic doc belongs to.

You could do something like this:

User: fred

Es doc:
    Account: fred

Elastic Alias:
    Name: fred-yyyy.mm.dd
    Index: myapp-yyyy.mm.dd
    Terms: account: fred

Armor:
    Alias: fred-yyyy.mm.dd
    User: fred
    Execute: flsfilter.stripaccount

askoi commented 8 years ago

Hello,

I'm facing the same issue. I think it's caused by the response format of the rewritten mget.

With armor.rewrite_get_as_search: true (Kibana doesn't work):

$ curl -XPOST -i -u user01 localhost:9200/_mget -d '{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2"}]}'
Enter host password for user 'user01':
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 115

{"_index":".kibana","_type":"config","_id":"4.1.2","found":true,"_source":{"buildNum":7562,"defaultIndex":"armor"}}

With armor.rewrite_get_as_search: false (Kibana works well):

$ curl -XPOST -i -u user01 localhost:9200/_mget -d '{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2"}]}'
Enter host password for user 'user01':
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 139

{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2","_version":2,"found":true,"_source":{"buildNum":7562,"defaultIndex":"armor"}}]}

The latter has the "docs" key at the beginning. Is the former the correct format?
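The difference askoi shows above can be turned into a regression check for any filter or proxy that rewrites `_mget`: the multi-get API answers with a top-level `docs` array, one entry per requested document, in request order. This is an added example, not part of the original thread or of Armor's code; `checkMgetShape` and its `excludedFields` parameter are hypothetical names, and the field check assumes exact top-level field names (no wildcards).

```javascript
// Added example: validate that an _mget response keeps the multi-get envelope.
// checkMgetShape is a hypothetical helper, not part of Armor, Kibana or Elasticsearch.
function checkMgetShape(request, response, excludedFields = []) {
  const problems = [];
  const isObject = response !== null && typeof response === 'object';
  if (!isObject || !Array.isArray(response.docs)) {
    problems.push('missing top-level "docs" array');
    // A document id at the top level means the envelope was dropped.
    if (isObject && '_id' in response) problems.push('response is a single bare document');
    return problems;
  }
  if (response.docs.length !== request.docs.length) {
    problems.push(`expected ${request.docs.length} docs, got ${response.docs.length}`);
  }
  // Entries come back in request order, so pair them up by position.
  request.docs.forEach((want, i) => {
    const got = response.docs[i];
    if (!got) return;
    for (const key of ['_index', '_type', '_id']) {
      if (want[key] !== undefined && got[key] !== want[key]) {
        problems.push(`docs[${i}].${key}: expected ${want[key]}, got ${got[key]}`);
      }
    }
    // Optional FLS check: a field listed in source_excludes must not come back.
    const source = got._source || {};
    for (const field of excludedFields) {
      if (field in source) problems.push(`docs[${i}]._source leaks excluded field ${field}`);
    }
  });
  return problems;
}

// Request and response bodies copied from the two curl runs quoted above.
const request = JSON.parse('{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2"}]}');
const rewriteOn = JSON.parse('{"_index":".kibana","_type":"config","_id":"4.1.2","found":true,' +
  '"_source":{"buildNum":7562,"defaultIndex":"armor"}}');
const rewriteOff = JSON.parse('{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2",' +
  '"_version":2,"found":true,"_source":{"buildNum":7562,"defaultIndex":"armor"}}]}');

console.log('rewrite_get_as_search: true  ->', checkMgetShape(request, rewriteOn));
console.log('rewrite_get_as_search: false ->', checkMgetShape(request, rewriteOff));
```

Passing the names from `source_excludes` as the third argument also confirms that field-level filtering still applies on whichever code path ends up serving the request.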

pdepaepe commented 8 years ago

Both solutions

armor.rewrite_get_as_search: false
ES alias

work great!

Thanks a lot for your help.

jmaitrehenry commented 8 years ago

Nice, we should add that to the documentation!