Actions still forbidden to unrestricted user

I have come up against a 401 in Kibana when trying to access the _rollup/jobs/ API, even as an unrestricted Kibana user. I have hit this a few times but can't remember all the endpoints.

The Elasticsearch logs show the request as being allowed:

[2020-08-06T16:14:51,584][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [<es_host>] ALLOWED by { name: '::MASTER - ADMIN', policy: ALLOW, rules: [ldap_authentication,ldap_authorization,kibana_access,users] req={ ID:1285129451-420318928#6634594, TYP:Request, CGR:N/A, USR:adminuser, BRS:false, KDX:null, ACT:cluster:admin/xpack/rollup/put, OA:130.246.129.86/32, XFF:x-forwarded-for=127.0.0.1, DA:130.246.130.44/32, IDX:rollup_source*, MET:PUT, PTH:/_rollup/job/1, CNT:<OMITTED, LENGTH=1148.0 B> , HDR:Authorization=, Connection=close, content-length=1148, content-type=application/json, host=<es_host>, x-forwarded-for=127.0.0.1, x-forwarded-host=<kibana_host>, x-forwarded-port=48822, x-forwarded-proto=http, x-ror-kibana-request-method=post, x-ror-kibana-request-path=/api/console/proxy, HIS:[::MASTER - ADMIN-> RULES:[ldap_authentication->true, ldap_authorization->true, kibana_access->true, users->true], RESOLVED:[user=adminuser;group=admins;av_groups=admins;indices=rollup_source*]] }

but the Kibana logs show a 401:

{"type":"response","@timestamp":"2020-08-06T15:14:51Z","tags":["access:console"],"pid":31034,"method":"post","statusCode":401,"req":{"url":"/api/console/proxy?path=_rollup%2Fjob%2F1&method=PUT","method":"post","headers":{"host":"<kibana_host>","x-real-ip":"<source_ip>","x-forwarded-for":"<source_ip>","x-forwarded-proto":"https","connection":"close","content-length":"1148","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0","accept":"text/plain, */*; q=0.01","accept-language":"en-GB,en;q=0.5","accept-encoding":"gzip, deflate, br","kbn-version":"7.8.0","content-type":"application/json","origin":"","referer":"/app/kibana"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1","referer":"/app/kibana"},"res":{"statusCode":401,"responseTime":125,"contentLength":9},"message":"POST /api/console/proxy?path=_rollup%2Fjob%2F1&method=PUT 401 125ms - 9.0B"}

Sample Config:

access_control_rules:

 - name: "::MASTER - ADMIN"
   type: allow
   ldap_authentication: "ldap"
   ldap_authorization:
     name: "ldap"
     groups: ["admins"]
   users: ["adminuser"]
   kibana_access: unrestricted

This issue does not seem to be restricted to the unrestricted user. I tried using an API key as well.
The audit logs show a pass with action ACT:cluster:admin/xpack/rollup/put but I get a 401 at the command line using the Elasticsearch Python client, requests library or curl.
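The mismatch reported above (ACL log says ALLOWED, the client sees 401) can be surfaced by correlating the two logs. This is an added example, not part of the original thread or of ReadonlyREST; the log samples are constructed and shortened from the excerpts, and the one-hour offset between the Elasticsearch local timestamps and Kibana's UTC timestamps is an assumption read from those excerpts.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed, shortened log lines modelled on the two excerpts in the post.
ROR_LOG = """\
[2020-08-06T16:14:51,584][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [es1] ALLOWED by { name: '::MASTER - ADMIN', policy: ALLOW } req={ ID:1-2#3, USR:adminuser, ACT:cluster:admin/xpack/rollup/put, MET:PUT, PTH:/_rollup/job/1 }
[2020-08-06T16:15:02,101][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [es1] ALLOWED by { name: '::MASTER - ADMIN', policy: ALLOW } req={ ID:1-2#4, USR:adminuser, ACT:indices:data/read/search, MET:GET, PTH:/_search }
"""
KIBANA_LOG = """\
{"type":"response","@timestamp":"2020-08-06T15:14:51Z","method":"post","statusCode":401,"req":{"url":"/api/console/proxy?path=_rollup%2Fjob%2F1&method=PUT"}}
{"type":"response","@timestamp":"2020-08-06T15:15:02Z","method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_search&method=GET"}}
"""

def parse_ror(line):
    """Return decision, timestamp and USR/ACT/MET/PTH fields of a ROR access log line."""
    m = re.search(r"^\[([^\]]+)\].*\] (ALLOWED|FORBIDDEN) by", line)
    if not m:
        return None
    fields = dict(re.findall(r"\b(USR|ACT|MET|PTH):([^,\s]+)", line))
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S,%f")
    return {"ts": ts, "decision": m.group(2), **fields}

def parse_kibana(line):
    """Return status, timestamp and proxied method/path of a console-proxy response."""
    rec = json.loads(line)
    query = parse_qs(urlsplit(rec["req"]["url"]).query)
    if "path" not in query or "method" not in query:
        return None  # not a /api/console/proxy request
    ts = datetime.strptime(rec["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "status": rec["statusCode"],
            "MET": query["method"][0].upper(), "PTH": "/" + query["path"][0].lstrip("/")}

def allowed_but_401(ror_text, kibana_text, es_utc_offset=timedelta(hours=1), slack=timedelta(seconds=2)):
    """List requests the ACL logged as ALLOWED that Kibana nevertheless answered with 401."""
    allowed = [r for r in map(parse_ror, ror_text.splitlines()) if r and r["decision"] == "ALLOWED"]
    hits = []
    for k in filter(None, map(parse_kibana, kibana_text.splitlines())):
        if k["status"] != 401:
            continue
        for r in allowed:
            same_request = (r.get("MET"), r.get("PTH")) == (k["MET"], k["PTH"])
            if same_request and abs(r["ts"] - es_utc_offset - k["ts"]) <= slack:
                hits.append((r.get("USR"), r.get("ACT"), k["MET"], k["PTH"]))
    return hits

if __name__ == "__main__":
    for hit in allowed_but_401(ROR_LOG, KIBANA_LOG):
        print("ALLOWED by ACL but 401 at client:", hit)
```

Each hit names an action (`ACT:`) that passes the ACL yet fails downstream, which is the list of endpoints the post says it could not remember.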

Hi @rsmith. Thanks for your report. It seems that we don't handle this xpack request well. Probably there is something wrong with its modification after the request is processed by our ACL. I'm creating a Jira for it. Will let you know when it's fixed.

Thanks. If I come across the other actions I have had trouble with, I'll let you know.

I also have the same issue with ACT:indices:admin/aliases while trying to perform:

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "test-index*",
        "alias": "test_index"
      }
    }
  ]
}

Yes, this is a known issue. ATM I'm working on it. Next week I'll send you a pre-build to test.

@rsmith here is a pre-build with the aliases problem fixed:

https://readonlyrest-data.s3.amazonaws.com/build/1.22.0-pre3/readonlyrest-1.22.0-pre3_es7.8.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200813/eu-west-1/s3/aws4_request&X-Amz-Date=20200813T204741Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=af801102244db03b898543f8722b5740e5e90c83475284db5599ff3940054440

Now, I’m working on the main issue from the thread. Should be ready at the beginning of next week.

@rsmith Rollup API is fully supported now by ROR.
You can check it using the pre-build:

https://readonlyrest-data.s3.amazonaws.com/build/1.23.0-pre3/readonlyrest-1.23.0-pre3_es7.8.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200828/eu-west-1/s3/aws4_request&X-Amz-Date=20200828T203309Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=ced1213aca8b026e48d9be77aac96167615f17ba3536050c68976cc550cac0a8


@coutoPL What is the release date for the rollup API fix? I have some work due before the end of the month which relies on this fix.

We need to finish one more bugfix and we'll release. So, probably the release will be this weekend.

@rsmith ROR 1.23.0 is released.
