Can't use UI for creating templates

Hello, I set up several access rules in readonlyrest.yml, and one of them forbids seeing some indices.
Now the user from that group cannot see any indices or templates via the UI (Index Management).
Via Dev Tools I can see only the indices and templates that I have access to, when I use something like GET indexwithaccess
or
GET _cat/indices/indexwithaccess

The same situation with templates. It is OK, but the user interface is more comfortable.

Are there any additional “actions” or some permission that exist to create/edit templates via the UI?

Thanks in advance.

Hi,

here you find all ES actions: https://github.com/beshu-tech/readonlyrest-docs/blob/master/actionstrings/action_strings_es8.9.2.txt

AFAIK, template actions are the same in the case of using UI and ES API directly (underlying, Kibana calls ES API).

We will probably be able to say more when you show us your ROR ACL :wink:

I have the following ACLs:

      - name: "local user: elasticsearch"
        type: allow
        auth_key_sha256: {{ (printf "%s:%s" .Values.credentials.local.elasticsearch_user .Values.credentials.local.elasticsearch_password) | sha256sum }}

      - name: "local user: kibana"
        kibana:
          access: unrestricted
        type: allow
        auth_key_sha256: {{ (printf "%s:%s" .Values.credentials.local.kibana_user .Values.credentials.local.kibana_password) | sha256sum }}

      - name: "local user: logstash"
        type: allow
        auth_key_sha256: {{ (printf "%s:%s" .Values.credentials.local.logstash_user .Values.credentials.local.logstash_password) | sha256sum }}
      # ROR evaluates blocks top to bottom; the first block whose rules all match decides the request.
      - name: "disable indexes for kibana users"
        type: forbid
        verbosity: error
        indices: 
          patterns: ["kubernetes-logs-*", "jenkins-*", "filebeat-*", "vault-audit-*"]
          must_involve_indices: true
        proxy_auth:
          proxy_auth_config: "proxy"
          users: ["*"]
        ldap_authorization:
          name: "ldap"
          groups: ["stg-log-users","stg-log-admins"]

      - name: "enable index mstr for kibana users (filter ro requests)"
        kibana:
          access: "ro"
        verbosity: error
        indices: ["mstr-*"]
        proxy_auth:
          proxy_auth_config: "proxy"
          users: ["*"]
        ldap_authorization:
          name: "ldap"
          groups: ["stg-log-mstr"]

      - name: "enable index mstr for kibana users (allow remaining requests)"
        kibana:
          access: "rw"
        verbosity: error
        indices: [".kibana*"]
        proxy_auth:
          proxy_auth_config: "proxy"
          users: ["*"]
        ldap_authorization:
          name: "ldap"
          groups: ["stg-log-mstr"]

      - name: "kibana admins"
        kibana:
          access: "unrestricted"
        proxy_auth:
          proxy_auth_config: "proxy"
          users: ["*"]
        ldap_authorization:
          name: "ldap"
          groups: ["stg-log-admins"]

      - name: "kibana users"
        kibana:
          access: "ro"
        verbosity: error
        proxy_auth:
          proxy_auth_config: "proxy"
          users: ["*"]
        ldap_authorization:
          name: "ldap"
          groups: ["stg-log-users"]

      - name: "kibana system"
        kibana:
          access: "unrestricted"
        proxy_auth:
          proxy_auth_config: "proxy"
          users: ["*"]
        ldap_authorization:
          name: "ldap"
          groups: ["stg-log-system"]

      - name: "domain admins"
        kibana:
          access: "unrestricted"
        proxy_auth:
          proxy_auth_config: "proxy"
          users: ["*"]
        ldap_authorization:
          name: "ldap"
          groups: ["Domain Admins"]

And the rule “disable indexes for kibana users” restricts users from the “stg-log-admins” group from seeing some indices. Although this group has unrestricted permissions, the user can’t create a template from the UI (Stack Management → Index Management → Index Templates) due to the ROR forbid rule.
The user can create the template and view templates that are not related to the forbidden indices via Dev Tools, but can’t do it via the UI.
So, the question is: is it possible?

I’m not sure if I understand your need exactly.
Do you mean, that you want to forbid the creation of templates via Kibana’s UI but at the same time, the user should be able to do this using ES API directly?

Not exactly.
For example, some indices are forbidden for the user.
He can create new indices, templates, etc. via Dev Tools (or the ES API); also, he cannot see via Dev Tools any indices or templates that are forbidden for him. It is OK.
But he cannot see indices and cannot see or create new templates via the Kibana UI (Stack Management → Index Management). This is the possibility that I am looking for.

So, if your user cannot do that at the moment (I mean, creating a new template using the Kibana UI), you should be able to see a FORBIDDEN entry in the ES logs. Are you able to find one and show it to us?

Sure

{"@timestamp":"2023-11-22T10:53:34.741Z", "log.level": "INFO", "message":"\u001B[35mFORBIDDEN by { name: 'disable indexes for kibana users', policy: FORBID, rules: [proxy_auth,ldap_authorization,indices] req={ ID:573456017-1779307375#47599, TYP:GetIndexTemplatesRequest, CGR:stg-log-admins, USR:testuser, BRS:true, KDX:null, ACT:indices:admin/template/get, OA:10.244.170.22/32, XFF:10.244.245.2, DA:10.244.101.98/32, IDX:<N/A>, MET:GET, PTH:/_template, CNT:<N/A>, HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Host=stg-elasticsearch-elk:9200, accept=application/vnd.elasticsearch+json; compatible-with=8,text/plain, connection=close, content-length=0, cookie=_lfa=LF1.1.abd9d1c8d158012c.1660730056916; ajs_anonymous_id=%22b5ec835f-695a-4ce0-a53c-677b05cde6dc%22; __hssrc=1; fs_uid=#VZSWZ#c3140c70-66aa-4771-9780-0252308e834d:390cd91b-45ba-4f8c-b347-3f366ada40d9:1691657100920::1#/1723132111, elastic-apm-traceparent=00-69016b5662c3adfa62121680c603b207-0ebb9eb3ebe42bb1-00, traceparent=00-69016b5662c3adfa62121680c603b207-0ebb9eb3ebe42bb1-00, tracestate=es=s:0, user-agent=Kibana/8.7.1, x-elastic-client-meta=es=8.6.0p,js=16.19.1,t=8.3.1,hc=16.19.1, x-elastic-product-origin=kibana, x-forwarded-for=10.244.245.2, x-forwarded-user=testuser, x-opaque-id=unknownId, x-ror-correlation-id=ba0c270b-cc44-4ee7-9934-942f018f036e, x-ror-kibana-request-method=get, x-ror-kibana-request-path=/s/default/api/index_management/index_templates, HIS:[local user: elasticsearch-> RULES:[auth_key_sha256->false] RESOLVED:[template=GET(*)]], [local user: kibana-> RULES:[auth_key_sha256->false] RESOLVED:[template=GET(*)]], [local user: logstash-> RULES:[auth_key_sha256->false] RESOLVED:[template=GET(*)]], [disable indexes for kibana users-> RULES:[proxy_auth->true, ldap_authorization->true, indices->true] RESOLVED:[user=testuser;group=stg-log-admins;av_groups=stg-log-admins;template=GET(default)]], }\u001B[0m", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"scala-execution-context-global-41","log.logger":"tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator","elasticsearch.cluster.uuid":"kF-zmkw6Q4GCtIrRUts6wQ","elasticsearch.node.id":"ruvx8uWgQmi0k1G03xmqsA","elasticsearch.node.name":"stg-elasticsearch-elk-0","elasticsearch.cluster.name":"stg-elasticsearch"}
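The FORBIDDEN entry above carries everything needed to understand the rejection: the block that fired (`disable indexes for kibana users`), the ES action (`indices:admin/template/get`), the REST path (`/_template`), the Kibana route that triggered the call (`x-ror-kibana-request-path=/s/default/api/index_management/index_templates`), and the HIS history showing that the three `auth_key_sha256` blocks did not match and that all three rules of the forbid block did. Reading that by hand out of a one-line JSON record is tedious, so here is an added example (not code from ReadOnlyREST or from this thread) that parses ES JSON log lines and extracts those fields. The field layout is taken from the single log line posted above; the sample line in the block is constructed from it with headers trimmed, and the regexes are kept loose because other ROR versions may add or rename fields.

```python
"""Pull ReadOnlyREST ALLOWED/FORBIDDEN verdicts out of Elasticsearch JSON logs.

Added example for this thread, not ReadOnlyREST's own tooling.
"""
import json
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes ROR wraps the message in
VERDICT = re.compile(
    r"(?P<verdict>FORBIDDEN|ALLOWED) by \{ name: '(?P<block>[^']*)', "
    r"policy: (?P<policy>\w+), rules: \[(?P<rules>[^\]]*)\]"
)
# Request summary fields inside req={ ... }; each value runs up to the next comma.
FIELD = re.compile(r"\b(?P<key>TYP|CGR|USR|ACT|IDX|MET|PTH):(?P<val>[^,]+)")
KBN_PATH = re.compile(r"x-ror-kibana-request-path=(?P<path>[^,]+)")
# One HIS entry: [<block name>-> RULES:[rule->bool, ...] RESOLVED:[...]]
HIS_ENTRY = re.compile(
    r"\[(?P<block>[^\[\]]+?)-> RULES:\[(?P<rules>[^\]]*)\] RESOLVED:\[(?P<resolved>[^\]]*)\]\]"
)


def parse_ror_message(message):
    """Return a dict for a ROR verdict message, or None if it is not one."""
    msg = ANSI.sub("", message)
    m = VERDICT.search(msg)
    if m is None:
        return None
    rec = {
        "verdict": m["verdict"],
        "block": m["block"],
        "policy": m["policy"],
        "rules": [r.strip() for r in m["rules"].split(",") if r.strip()],
    }
    for f in FIELD.finditer(msg):
        rec[f["key"]] = f["val"].strip()
    k = KBN_PATH.search(msg)
    rec["kibana_path"] = k["path"].strip() if k else None
    rec["history"] = []
    for h in HIS_ENTRY.finditer(msg):
        rules = {}
        for pair in h["rules"].split(","):
            if "->" in pair:
                name, value = pair.split("->", 1)
                rules[name.strip()] = value.strip() == "true"
        rec["history"].append(
            {"block": h["block"].strip(), "rules": rules, "resolved": h["resolved"].strip()}
        )
    return rec


def deciding_blocks(rec):
    """Names of history entries whose every rule evaluated true.

    ROR stops at the first block whose rules all match, so for a FORBIDDEN
    verdict this is the forbid block that rejected the request.
    """
    return [h["block"] for h in rec["history"] if h["rules"] and all(h["rules"].values())]


def forbidden_from_es_log(lines):
    """Parse ES JSON log lines and keep only ROR FORBIDDEN verdicts."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec = parse_ror_message(doc.get("message", ""))
        if rec and rec["verdict"] == "FORBIDDEN":
            rec["timestamp"] = doc.get("@timestamp")
            out.append(rec)
    return out


# Constructed sample: the FORBIDDEN entry from this thread with most headers
# trimmed, plus an unrelated GC line that the parser must ignore.
SAMPLE_MESSAGE = (
    "\x1b[35mFORBIDDEN by { name: 'disable indexes for kibana users', policy: FORBID, "
    "rules: [proxy_auth,ldap_authorization,indices] req={ ID:573456017-1779307375#47599, "
    "TYP:GetIndexTemplatesRequest, CGR:stg-log-admins, USR:testuser, BRS:true, KDX:null, "
    "ACT:indices:admin/template/get, OA:10.244.170.22/32, XFF:10.244.245.2, DA:10.244.101.98/32, "
    "IDX:<N/A>, MET:GET, PTH:/_template, CNT:<N/A>, HDR:Authorization=<OMITTED>, "
    "user-agent=Kibana/8.7.1, x-forwarded-user=testuser, x-ror-kibana-request-method=get, "
    "x-ror-kibana-request-path=/s/default/api/index_management/index_templates, "
    "HIS:[local user: elasticsearch-> RULES:[auth_key_sha256->false] RESOLVED:[template=GET(*)]], "
    "[local user: kibana-> RULES:[auth_key_sha256->false] RESOLVED:[template=GET(*)]], "
    "[local user: logstash-> RULES:[auth_key_sha256->false] RESOLVED:[template=GET(*)]], "
    "[disable indexes for kibana users-> RULES:[proxy_auth->true, ldap_authorization->true, "
    "indices->true] RESOLVED:[user=testuser;group=stg-log-admins;av_groups=stg-log-admins;"
    "template=GET(default)]], }\x1b[0m"
)
SAMPLE_LINES = [
    json.dumps({"@timestamp": "2023-11-22T10:53:34.741Z", "log.level": "INFO",
                "message": SAMPLE_MESSAGE}),
    json.dumps({"@timestamp": "2023-11-22T10:53:35.000Z", "log.level": "INFO",
                "message": "[gc][1234] overhead, spent [250ms] collecting in the last [1s]"}),
]

if __name__ == "__main__":
    for rec in forbidden_from_es_log(SAMPLE_LINES):
        print(rec["timestamp"], rec["block"], rec["ACT"], rec["MET"], rec["PTH"], rec["kibana_path"])
        for h in rec["history"]:
            print("  ", h["block"], h["rules"])
        print("  decided by:", deciding_blocks(rec))
```

Run it against `tail -f` of the ES server JSON log (the logger is `tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator`) while clicking through Stack Management; the `kibana_path` and `PTH` pair tells you which Kibana route maps to which ES endpoint, and `deciding_blocks` tells you which ACL block stopped it.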

I suspect it is because the UI tab for creating templates includes all templates (the forbidden ones as well), and because I am not able to see some templates, that’s why I cannot get into this UI tab.

Thanks. I will have to think about it a little bit. When I finish one of the enterprise customer priority tasks, I will get back to you.