1.16.8 problems with Admin access and audit

ELK: 5.4.1
ROR: 1.16.8
ROR_KBN: 0.1.5

We started testing the ROR 1.16.8
First I wanted to give admin access to one of the groups

    - name: "Sys"
      type: allow
      kibana_access: admin
      groups: ["Sys"]
      indices: [".kibana", ".kibana-devnull", "*"]

but got this error in kibana log

    {"type":"response","@timestamp":"2017-07-18T13:00:23Z","tags":[],"pid":25171,"method":"get","statusCode":403,"req":{"url":"/api/readonlyrest_kbn/settings","method":"get","headers":{"host":"54.194.124.114:5601","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:54.0) Gecko/20100101 Firefox/54.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","kbn-version":"5.4.1","referer":"http://54.194.124.114:5601/app/readonlyrest_kbn","connection":"keep-alive"},"remoteAddress":"185.7.185.182","userAgent":"185.7.185.182","referer":"http://54.194.124.114:5601/app/readonlyrest_kbn"},"res":{"statusCode":403,"responseTime":21,"contentLength":9},"message":"GET /api/readonlyrest_kbn/settings 403 21ms - 9.0B"}

So then I created the Admin block and got one step further

    - name: "Admin"
      type: allow
      auth_key: admin:admin123
      kibana_access: admin

Now I am getting 200 OK in kibana log but getting this error in Kibana

What index am I missing? I have .kibana

Also I am trying to set up the audit and I did add the line in elasticsearch.yml

    audit_collector: true

but “readonlyrest_audit-YYYY-MM-DD” is not created

I did not play with ROR for a while and something is obviously escaping me, so a little help? :grin:

Hi Anna, this looks extremely weird indeed, can you share the complete ES settings? I need to reproduce this locally.

Hi,

Audit logs I solved: we were disallowing auto creation in the yml

Now the Admin problem

elasticsearch.yml

    readonlyrest:
        enable: true
        audit_collector: true
        response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

        prompt_for_basic_auth: false

        access_control_rules:
        - name: "Accept all requests for indices"
          type: allow
          hosts: ["10.0.201.238", "10.0.200.32"]

        - name: "Logstash"
          type: allow
          hosts: ["10.0.200.238"]

        - name: "Kibana Server"
          type: allow
          auth_key: kibana:kibana
          verbosity: error

        - name: "Admin"
          type: allow
          auth_key: admin:admin123
          kibana_access: admin
          verbosity: error

        - name: "Dev"
          type: allow
          kibana_access: ro
          kibana_hide_apps: ["timelion","readonlyrest_kbn","monitoring", "kibana:management"]
          groups: ["Dev"]
          indices: [".kibana", ".kibana-devnull","default", "anna02*"]

        - name: "Sys"
          type: allow
          kibana_access: rw
          groups: ["Sys"]
          indices: [".kibana", ".kibana-devnull", "*"]

        users:
        - username: dan
          auth_key: dan:dan123
          groups: ["Dev"]
        - username: anna
          auth_key: anna:anna123
          groups: ["Sys"]

When I go to the ROR tab as Admin I get this

but trying to change any settings (in my case I tried to change anna02* to anna03*)

Click Commit and the error is back

Fetching security settings does not involve the presence of the .readonlyrest index. In fact, if the .readonlyrest index is not present, we read the parsed settings from ES core (as JSON), convert them to yaml and populate the editor.

When you press commit in the GUI, then we really attempt to create the .readonlyrest index. The fact that it’s not managing to create it makes me wonder if you have disabled index auto creation for this index?

_S

PS: tried to reproduce this, worked ok. Albeit I tried with 1.16.9-pre4.

Yeah it is working now on 1.16.8 when I allowed .readonlyrest index to be created, any other indies I should add?

You should definitely add this “indie” to your (play)list:

Other than that, ReadonlyREST may only attempt to write .readonlyrest (for dynamic settings storage) and readonlyrest_audit-* for structured audit logs. So you’re covered.
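To check a cluster's index auto-creation setting against the two index names ReadonlyREST writes, here is an added example (not code from the thread or from ReadonlyREST). It emulates the decision Elasticsearch makes from `action.auto_create_index` as I understand it: `true` allows all, `false` blocks all, otherwise the comma-separated patterns are tried in order with `-` denying, `+` or no prefix allowing, first match wins, and no match means denied; the dated audit index name is a constructed sample.

```python
import re

# The two index names ReadonlyREST may try to auto-create (see the reply above).
# The dated audit index name is a constructed sample, not taken from a real cluster.
ROR_INDICES = [".readonlyrest", "readonlyrest_audit-2017-07-18"]


def _simple_match(pattern, name):
    """Elasticsearch-style wildcard match where only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def auto_create_allowed(setting, index_name):
    """Would action.auto_create_index let a write implicitly create index_name?

    Assumed semantics: "true" allows everything, "false" blocks everything;
    otherwise patterns are checked in order, "-" denies, "+" or no prefix
    allows, the first match wins, and a name matching nothing is denied.
    """
    value = str(setting).strip()
    if value.lower() == "true":
        return True
    if value.lower() == "false":
        return False
    for expr in value.split(","):
        expr = expr.strip()
        if not expr:
            continue
        if expr[0] == "-":
            if _simple_match(expr[1:], index_name):
                return False
        elif expr[0] == "+":
            if _simple_match(expr[1:], index_name):
                return True
        elif _simple_match(expr, index_name):
            return True
    return False


def blocked_ror_indices(setting):
    """Return the ROR-managed indices this setting would stop from being created."""
    return [name for name in ROR_INDICES if not auto_create_allowed(setting, name)]


if __name__ == "__main__":
    locked_down = "-*"                                # blocks every index
    fixed = ".readonlyrest,readonlyrest_audit-*,-*"   # allow ROR's two, deny the rest
    print("blocked with %r: %s" % (locked_down, blocked_ror_indices(locked_down)))
    print("blocked with %r: %s" % (fixed, blocked_ror_indices(fixed)))
```

The `fixed` value is the shape of setting that keeps auto-creation disabled for everything else while still letting the settings and audit indices appear.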

Mocking my English with the Mac OS auto correct on. Poor non native speakers like me :cry:

Trying to implement stuff here and not proof reading :grin:

Strictly speaking, I’m not a native speaker either. But I’m pretty sure “indie” can peacefully be both a music genre as well as a nice abbreviation for the word index :wink: :musical_score:

You see, I am a cool non native speaker and starting to develop my own ELK words already. :wink:
