sscarduzio / elasticsearch-readonlyrest-plugin

Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing
https://readonlyrest.com
GNU General Public License v3.0

Issue while creating visualization with Visual Builder Visualization Type #370

Closed mukeshchouhan closed 6 years ago

mukeshchouhan commented 6 years ago

While creating a visualization by selecting the 'Visual Builder' visualization type, it is forbidden by ROR. It is working for other visualization types.

I am using the ACL below:

access_control_rules:
# We trust Kibana's server side process, full access granted via HTTP authentication
- name: "::KIBANA-SRV::"
  auth_key: kibana:kibana
  verbosity: error # don't log successful request

- name: "::RO DEVELOPER::"
  auth_key: ro:ro
  kibana_access: ro_strict
  indices: ["*"]

- name: "::RW::"
  auth_key: rw:rw
  kibana_access: rw
  indices: ["*"]

- name: "public access monitoring"
  actions: ["indices:data/read/search"]
  indices: [".monitoring*"]

sscarduzio commented 6 years ago

Hello @mukeshchouhan, thanks for reporting. Can you please try to find the "FORBIDDEN" log line in elasticsearch.log that corresponds to the described failure?

mukeshchouhan commented 6 years ago

@sscarduzio Please find below the ROR logs when I hit the 'Visual Builder':

[2018-06-22T20:49:45,915][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1474099659--1662641637#1628, TYP:MultiSearchRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:indices:data/read/msearch, OA:10.117.238.219, DA:10.117.238.219, IDX:.monitoring-es-6-2018.06.22,.monitoring-es-6-2018.06.21,.monitoring-es-6-2018.06.20,.monitoring-kibana-6-2018.06.22,.monitoring-kibana-6-2018.06.20,.monitoring-kibana-6-2018.06.21,.monitoring-kibana-6-2018.06.19,.monitoring-kibana-6-2018.06.16,.monitoring-alerts-6,.monitoring-kibana-6-2018.06.17,.monitoring-kibana-6-2018.06.18,.monitoring-es-6-2018.06.19,.monitoring-es-6-2018.06.18,.monitoring-es-6-2018.06.17,.monitoring-es-6-2018.06.16, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=716>, HDR:{Connection=keep-alive, Content-Length=716, content-type=application/x-ndjson, Host=10.117.238.219:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW::->[auth_key->false]], [public access monitoring->[indices->true, actions->false]] }

[2018-06-22T20:49:46,234][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::RW::', policy: ALLOW} req={ ID:1527799049--1662641637#1632, TYP:MultiSearchRequest, CGR:N/A, USR:rw, BRS:false, KDX:null, ACT:indices:data/read/msearch, OA:10.117.238.219, DA:10.117.238.219, IDX:, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=716>, HDR:{authorization=Basic cnc6cnc=, Connection=keep-alive, Authorization=, content-type=application/x-ndjson, Host=10.117.238.219:9200, Content-Length=716}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW::->[kibana_access->true, indices->true, auth_key->true]] }

[2018-06-22T20:49:46,657][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::RW::', policy: ALLOW} req={ ID:492482452-1840601929#1634, TYP:MultiGetRequest, CGR:N/A, USR:rw, BRS:false, KDX:null, ACT:indices:data/read/mget, OA:10.117.238.219, DA:10.117.238.219, IDX:.kibana, MET:POST, PTH:/.kibana/_mget, CNT:<OMITTED, LENGTH=85>, HDR:{authorization=Basic cnc6cnc=, Connection=keep-alive, Authorization=, content-type=application/json, Host=10.117.238.219:9200, Content-Length=85}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW::->[kibana_access->true, indices->true, auth_key->true]] }

[2018-06-22T20:49:46,980][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:103727665-545572446#1638, TYP:FieldCapabilitiesRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:indices:data/read/field_caps, OA:10.117.238.219, DA:10.117.238.219, IDX:ap-state-qa, MET:POST, PTH:/ap-state-qa/_field_caps?fields=*&ignore_unavailable=true&allow_no_indices=false, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=10.117.238.219:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW::->[auth_key->false]], [public access monitoring->[indices->false]] }

[2018-06-22T20:49:47,421][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::RW::', policy: ALLOW} req={ ID:567874249-687226963#1642, TYP:MultiSearchRequest, CGR:N/A, USR:rw, BRS:false, KDX:null, ACT:indices:data/read/msearch, OA:10.117.238.219, DA:10.117.238.219, IDX:ap-state-qa, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=727>, HDR:{authorization=Basic cnc6cnc=, Connection=keep-alive, Authorization=, content-type=application/x-ndjson, Host=10.117.238.219:9200, Content-Length=727}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW::->[kibana_access->true, indices->true, auth_key->true]] }

[2018-06-22T20:49:47,741][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:293320088-545572446#1651, TYP:FieldCapabilitiesRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:indices:data/read/field_caps, OA:10.117.238.219, DA:10.117.238.219, IDX:ap-state-qa, MET:POST, PTH:/ap-state-qa/_field_caps?fields=*&ignore_unavailable=true&allow_no_indices=false, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=10.117.238.219:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW::->[auth_key->false]], [public access monitoring->[indices->false]] }

[2018-06-22T20:49:58,052][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1244987016-1035760177#1710, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.117.239.134, DA:10.117.238.219, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Accept=application/json, Accept-Encoding=gzip, content-length=0, Host=10.117.238.219:9200, User-Agent=Go-http-client/1.1}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW::->[auth_key->false]], [public access monitoring->[indices->true, actions->false]] }

sscarduzio commented 6 years ago

Hi @mukeshchouhan, I believe you are not running ROR PRO/Enterprise. Right? Because I can see these Kibana-originated requests are refused due to the absence of basic auth credentials (USR:[no basic auth header]).

In this case, it seems to be very much related to https://github.com/elastic/kibana/issues/9583

mukeshchouhan commented 6 years ago

@sscarduzio I got it fixed by using the ACL below:

- name: "Public Access Custom"
  actions: ["indices:data/read/field_stats", "indices:admin/mappings/fields/get", "indices:admin/get", "indices:data/read/msearch", "indices:data/read/field_caps"]
  indices: ["*"]

sscarduzio commented 6 years ago

Yeah, that is a workaround, not ideal though.
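
The triage done in this thread (find the FORBIDDEN lines, check `USR`, then read `HIS` to see which rule failed in each block) can be scripted. The following is an added example, not part of the thread or of the ReadonlyREST project; the field layout is inferred from the log lines quoted above, the function names are hypothetical, and the sample input is constructed.

```python
import re
from collections import Counter

# Constructed sample, shortened from the shape of the log lines quoted in the thread.
SAMPLE_LOG = """\
[2018-06-22T20:49:45,915][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1#1, TYP:MultiSearchRequest, USR:[no basic auth header], ACT:indices:data/read/msearch, IDX:.monitoring-es-6-2018.06.22,.monitoring-alerts-6, MET:POST, PTH:/_msearch, HDR:{Connection=keep-alive, Content-Length=716}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW::->[auth_key->false]], [public access monitoring->[indices->true, actions->false]] }
[2018-06-22T20:49:46,234][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::RW::', policy: ALLOW} req={ ID:2#2, TYP:MultiSearchRequest, USR:rw, ACT:indices:data/read/msearch, IDX:ap-state-qa, MET:POST, PTH:/_msearch, HDR:{Connection=keep-alive}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW::->[kibana_access->true, indices->true, auth_key->true]] }
[2018-06-22T20:49:46,980][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:3#3, TYP:FieldCapabilitiesRequest, USR:[no basic auth header], ACT:indices:data/read/field_caps, IDX:ap-state-qa, MET:POST, PTH:/ap-state-qa/_field_caps?fields=*, HDR:{Connection=keep-alive}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW::->[auth_key->false]], [public access monitoring->[indices->false]] }
"""

LINE_RE = re.compile(r"(FORBIDDEN|ALLOWED) by (.*?) req=\{ (.*) \}\s*$")
# Assumption: a field starts with a 2-3 letter upper-case key and ends at the next ", KEY:".
FIELD_RE = re.compile(r"(?:^|, )([A-Z]{2,3}):(.*?)(?=, [A-Z]{2,3}:|$)")
# One HIS entry looks like [block name->[rule->true, rule->false]].
BLOCK_RE = re.compile(r"\[([^\[\]]+?)->\[([^\]]*)\]\]")

def parse_line(line):
    """Return verdict, request fields and per-block rule results, or None for non-ACL lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    verdict, matched_by, body = m.groups()
    fields = dict(FIELD_RE.findall(body))
    history = {}
    for block, rules in BLOCK_RE.findall(fields.get("HIS", "")):
        history[block] = dict(r.split("->", 1) for r in rules.split(", ") if "->" in r)
    return {"verdict": verdict, "by": matched_by, "fields": fields, "history": history}

def unauthenticated_denials(log_text):
    """Count FORBIDDEN actions sent without credentials; list the failed rules per block."""
    actions, failed = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "FORBIDDEN":
            continue
        if rec["fields"].get("USR") != "[no basic auth header]":
            continue
        act = rec["fields"]["ACT"]
        actions[act] += 1
        failed[act] = {block: [rule for rule, ok in rules.items() if ok == "false"]
                       for block, rules in rec["history"].items()}
    return actions, failed

if __name__ == "__main__":
    for action, blocks in unauthenticated_denials(SAMPLE_LOG)[1].items():
        print(action, blocks)
```

Both actions reported for the sample appear in the actions list of the "Public Access Custom" block posted in the thread; that block has no authentication rule and uses `indices: ["*"]`, so it allows them on every index without credentials.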