Kibana Short URL denied with kibana_access: ro #608

Open
djw8605 opened this issue Jun 24, 2020 · 2 comments

djw8605 commented Jun 24, 2020

ES/Kibana Version: 7.4.2
Read only rest: readonlyrest-1.18.9_es7.4.2.zip

The kibana short URL is being denied with this message:

    FORBIDDEN by default req={  ID:393302858-2145333100#617943,  TYP:IndexRequest,  CGR:N/A,  USR:[user not logged],  BRS:false,  KDX:null,  ACT:indices:data/write/index,  OA:127.0.0.1/32,  XFF:null,  DA:127.0.0.1/32,  IDX:.kibana,  MET:POST,  PTH:/.kibana/_create/url:276ec67b769e5876e925c3a63e18a195,  CNT:<OMITTED, LENGTH=1575.0 B> ,  HDR:Connection=keep-alive, Content-Length=1575, Host=localhost:9201, content-type=application/json,  HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], [GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]]  }

The relevant rule that should allow it (with kibana_access:ro):

    - name: GRACC Kibana read-only
      type: allow
      kibana_access: ro
      kibana_index: .kibana
      indices: ["<no-index>", "gracc*"]

Is kibana_access: ro supposed to allow short URLs?

@sscarduzio
Owner

Your acl block has a contradiction: how is the user supposed to use .kibana index for their kibana session, if the indices rule doesn't allow access?

djw8605 commented Jun 24, 2020

I attempted to add the .kibana index to the list of indices:

    - name: GRACC Kibana read-only
      type: allow
      kibana_access: ro
      kibana_index: .kibana
      indices: ["<no-index>", ".kibana", "gracc*"]

It is denying:

    [2020-06-24T10:18:31,179][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [gracc-ro] FORBIDDEN by default req={  ID:1300413162-1736705441#6248,  TYP:IndexRequest,  CGR:N/A,  USR:[user not logged],  BRS:false,  KDX:null,  ACT:indices:data/write/index,  OA:127.0.0.1/32,  XFF:null,  DA:127.0.0.1/32,  IDX:.kibana,  MET:POST,  PTH:/.kibana/_create/url:dc59d3905d4ba97390976d8bbc0a3819,  CNT:<OMITTED, LENGTH=1112.0 B> ,  HDR:Connection=keep-alive, Content-Length=1112, Host=localhost:9201, content-type=application/json,  HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], [GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]]  }

Is it relevant that kibana_access is "false" for the "GRACC Kibana read-only" ruleset?
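
Added example (not part of the original thread, and not ReadonlyREST code): a small Python parser for the `FORBIDDEN` log line quoted above. It extracts the request fields and, from the `HIS` field, the first rule logged as `->false` in each ACL block. The function name `explain_denial` and the shortened sample line are constructed for illustration; the field names are taken from the log lines in this issue.

```python
import re

# Constructed sample: the second log line from this issue, with the
# CGR/BRS/KDX/OA/XFF/DA/CNT/HDR fields dropped for brevity.
SAMPLE = (
    "[2020-06-24T10:18:31,179][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [gracc-ro] "
    "FORBIDDEN by default req={  ID:1300413162-1736705441#6248,  TYP:IndexRequest,  "
    "USR:[user not logged],  ACT:indices:data/write/index,  IDX:.kibana,  MET:POST,  "
    "PTH:/.kibana/_create/url:dc59d3905d4ba97390976d8bbc0a3819,  "
    "HIS:[GRACC Kibana admin-> RULES:[auth_key->false], RESOLVED:[]], "
    "[GRACC Kibana read-only-> RULES:[kibana_access->false], RESOLVED:[]]]  }"
)

# A field value runs until ",  " (comma, two spaces) followed by the next KEY:
FIELD_RE = re.compile(r"\b(TYP|USR|ACT|IDX|MET|PTH):(.*?),  (?=[A-Z]{2,3}:)")
# One HIS entry looks like "[<block name>-> RULES:[rule->bool, ...], RESOLVED:[...]]"
BLOCK_RE = re.compile(r"\[([^\[\]]+?)-> RULES:\[([^\]]*)\]")


def explain_denial(line):
    """Summarise a FORBIDDEN line: request fields plus per-block rule outcomes.

    Returns None for lines that are not denials or carry no HIS field.
    """
    if "FORBIDDEN" not in line or "HIS:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    history = line.split("HIS:", 1)[1]
    blocks = []
    for name, rules in BLOCK_RE.findall(history):
        evaluated = []
        for item in rules.split(", "):
            if item:
                rule, _, outcome = item.rpartition("->")
                evaluated.append((rule, outcome == "true"))
        # First rule logged as false in this block, if any.
        failed = next((rule for rule, ok in evaluated if not ok), None)
        blocks.append({"block": name.strip(), "rules": evaluated, "failed_rule": failed})
    is_write = fields.get("ACT", "").startswith("indices:data/write")
    return {"request": fields, "is_write": is_write, "blocks": blocks}


if __name__ == "__main__":
    summary = explain_denial(SAMPLE)
    print(summary["request"]["MET"], summary["request"]["PTH"], "write:", summary["is_write"])
    for block in summary["blocks"]:
        print(f'  {block["block"]}: rule logged as false -> {block["failed_rule"]}')
```

For the sample line this reports a write action (`indices:data/write/index`) against `.kibana`, with `auth_key` logged as false in the admin block and `kibana_access` logged as false in the read-only block.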
