I have come up against a 401 in Kibana when trying to access the _rollup/jobs/ API, even as an unrestricted Kibana user. I have hit this a few times but can't remember all the endpoints.
The Elasticsearch logs show the request as being allowed:
[2020-08-06T16:14:51,584][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [<es_host>] ALLOWED by { name: '::MASTER - ADMIN', policy: ALLOW, rules: [ldap_authentication,ldap_authorization,kibana_access,users] req={ ID:1285129451–420318928#6634594, TYP:Request, CGR:N/A, USR:adminuser, BRS:false, KDX:null, ACT:cluster:admin/xpack/rollup/put, OA:130.246.129.86/32, XFF:x-forwarded-for=127.0.0.1, DA:130.246.130.44/32, IDX:rollup_source*, MET:PUT, PTH:/_rollup/job/1, CNT:<OMITTED, LENGTH=1148.0 B> , HDR:Authorization=, Connection=close, content-length=1148, content-type=application/json, host=<es_host>, x-forwarded-for=127.0.0.1, x-forwarded-host=<kibana_host>, x-forwarded-port=48822, x-forwarded-proto=http, x-ror-kibana-request-method=post, x-ror-kibana-request-path=/api/console/proxy, HIS:[::MASTER - ADMIN-> RULES:[ldap_authentication->true, ldap_authorization->true, kibana_access->true, users->true], RESOLVED:[user=adminuser;group=admins;av_groups=admins;indices=rollup_source*]] }
but the Kibana logs show a 401:
{"type":"response","@timestamp":"2020-08-06T15:14:51Z","tags":["access:console"],"pid":31034,"method":"post","statusCode":401,"req":{"url":"/api/console/proxy?path=_rollup%2Fjob%2F1&method=PUT","method":"post","headers":{"host":"<kibana_host>","x-real-ip":"<source_ip>","x-forwarded-for":"<source_ip>","x-forwarded-proto":"https","connection":"close","content-length":"1148","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0","accept":"text/plain, /; q=0.01","accept-language":"en-GB,en;q=0.5","accept-encoding":"gzip, deflate, br","kbn-version":"7.8.0","content-type":"application/json","origin":"","referer":"/app/kibana"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1","referer":"/app/kibana"},"res":{"statusCode":401,"responseTime":125,"contentLength":9},"message":"POST /api/console/proxy?path=_rollup%2Fjob%2F1&method=PUT 401 125ms - 9.0B"}
Sample Config:
access_control_rules:
- name: "::MASTER - ADMIN"
  type: allow
  ldap_authentication: "ldap"
  ldap_authorization:
    name: "ldap"
    groups: ["admins"]
  users: ["adminuser"]
  kibana_access: unrestricted
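
One way to line up the two logs quoted in this post when triaging the mismatch, as an added example that is not part of the original post or of ReadonlyREST's own tooling. The function names are hypothetical, the sample lines are constructed (shortened from the formats above), and the timestamp match assumes the two logs differ only by a whole-hour timezone offset.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples, shortened from the two log formats quoted in the post.
ROR_LINE = ("[2020-08-06T16:14:51,584][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [es_host] "
            "ALLOWED by { name: '::MASTER - ADMIN', policy: ALLOW } req={ ID:1#1, USR:adminuser, "
            "ACT:cluster:admin/xpack/rollup/put, MET:PUT, PTH:/_rollup/job/1, "
            "CNT:<OMITTED, LENGTH=1148.0 B> , HDR:content-length=1148, host=es_host }")
KIBANA_LINE = json.dumps({
    "type": "response", "@timestamp": "2020-08-06T15:14:51Z", "statusCode": 401,
    "req": {"url": "/api/console/proxy?path=_rollup%2Fjob%2F1&method=PUT", "method": "post"}})

ROR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\].*?\] (?P<decision>ALLOWED|FORBIDDEN) by .*?req=\{(?P<req>.*)\}\s*$")
# Fields are "KEY:value" with 2-3 uppercase letters; values may themselves contain ", ".
FIELD_RE = re.compile(r"(?:^|, )([A-Z]{2,3}):(.*?)(?=, [A-Z]{2,3}:|$)")

def parse_ror(line):
    """Extract the ACL decision and request fields from a ReadonlyREST access log line."""
    m = ROR_RE.match(line)
    if not m:
        return None
    f = {k: v.strip() for k, v in FIELD_RE.findall(m["req"].strip())}
    return {"ts": m["ts"], "decision": m["decision"], "user": f.get("USR"), "action": f.get("ACT"),
            "method": f.get("MET"), "path": f.get("PTH", "").strip("/")}

def parse_kibana(line):
    """Recover the Elasticsearch method/path that a Kibana console proxy response refers to."""
    ev = json.loads(line)
    url = urlsplit(ev.get("req", {}).get("url", ""))
    if ev.get("type") != "response" or url.path != "/api/console/proxy":
        return None
    q = parse_qs(url.query)  # also decodes %2F in the proxied path
    return {"ts": ev["@timestamp"], "status": ev["statusCode"],
            "method": q["method"][0].upper(), "path": q["path"][0].strip("/")}

def correlate(ror, kib):
    """Match on method, path and mm:ss (assumes the two clocks differ by whole hours only)."""
    key = lambda e: (e["method"], e["path"], e["ts"][14:19])
    if key(ror) != key(kib):
        return "unrelated"
    if ror["decision"] == "ALLOWED" and kib["status"] == 401:
        return "acl-allowed-but-kibana-401"
    return "consistent"

if __name__ == "__main__":
    print(correlate(parse_ror(ROR_LINE), parse_kibana(KIBANA_LINE)))
```

Run over both log files, this lists every request the ACL allowed but Kibana answered with a 401, which gives the set of affected endpoints to report.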