Hi,
I’m trying the new version of the ES + ROR Pro plugin and I encountered a problem.
When I log in with an admin account with full privileges (via the LDAP connector), I cannot use some functionality in the GUI, like Management / Elasticsearch - Index Management. When I go there, I get redirected to https://<elk_url>/login
I tried the same with an admin account that is a local account, not the one via LDAP, and everything works just perfectly.
Configuration of admin account via LDAP:
```yaml
- name: admin
  type: allow
  groups: [ "admin" ]
  indices: [ "*" ]
  kibana_access: admin

- username: admin.ldap
  groups: [ "admin" ]
  ldap_authentication:
    name: "ldap_connector"
```
Configuration of local admin account:
```yaml
- name: Admin
  type: allow
  auth_key_sha256: ****
```
The Kibana log shows some strange behaviour:
```
{"type":"log","@timestamp":"2019-03-13T08:22:44Z","tags":["error","readonlyrest_kbn"],"pid":16442,"message":"got an error [401] Unauthorized for path /api/index_management/indices"}
{"type":"error","@timestamp":"2019-03-13T08:22:44Z","tags":["error","readonlyrest_kbn"],"pid":16442,"level":"error","error":{"message":"[undefined] forbidden","name":"Error","stack":"[undefined] forbidden :: {"path":"/_cat/aliases","query":{"format":"json"},"statusCode":401,"response":"{\"error\":{\"root_cause\":[{\"reason\":\"forbidden\"}],\"reason\":\"forbidden\"},\"status\":401}","wwwAuthenticateDirective":"Basic"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:308:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:267:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:166:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4935:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)"},"message":"[undefined] forbidden"}
{"type":"log","@timestamp":"2019-03-13T08:22:44Z","tags":["info","readonlyrest_kbn"],"pid":16442,"message":"Rogue deep link, or has valid credentials but was unauthorized, must have insufficient privileges. Redirecting to logout: /logout"}
```
The Elasticsearch log shows that authorization is missing for a specific API call:
```
[2019-03-13T09:28:30,954][INFO ][t.b.r.a.ACL ] [estest01] FORBIDDEN by default req={ ID:311702130-1637722183#29691, TYP:GetAliasesRequest, CGR:N/A, USR:admin.ldap, BRS:false, KDX:null, ACT:indices:admin/aliases/get, OA:127.0.0.1, DA:127.0.0.1, IDX:, MET:GET, PTH:/_cat/aliases?format=json, CNT:<N/A>, HDR:{authorization=, Connection=keep-alive, Host=127.0.0.1:9200, Content-Length=0}, HIS:[Admin->[auth_key_sha256->false]], [admin->[ldap_authentication->true, kibana_access->false]] }
```
Some version info:
- elasticsearch - 6.6.1
- kibana - 6.6.1
- ROR Elasticsearch plugin - readonlyrest-1.17.2_es6.6.1.zip
- ROR Kibana plugin - readonlyrest_kbn_pro-1.17.2_es6.6.1.zip
Kibana is behind a reverse proxy (Apache).
I’ll be glad if you can take a look at it.
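
An added example (not part of the original post and not ReadonlyREST code): a small Python parser for the ACL line quoted above that reads the `HIS` field and reports, for each block, which rules evaluated to true and which rule evaluated to false. The function names are hypothetical, and the field layout is assumed from this one log line.

```python
import re

# Sample input: the ACL line from the Elasticsearch log in the post, copied as it
# appears there (the authorization and IDX values are blank on the page).
SAMPLE = (
    "[2019-03-13T09:28:30,954][INFO ][t.b.r.a.ACL ] [estest01] FORBIDDEN by default "
    "req={ ID:311702130-1637722183#29691, TYP:GetAliasesRequest, CGR:N/A, "
    "USR:admin.ldap, BRS:false, KDX:null, ACT:indices:admin/aliases/get, "
    "OA:127.0.0.1, DA:127.0.0.1, IDX:, MET:GET, PTH:/_cat/aliases?format=json, "
    "CNT:<N/A>, HDR:{authorization=, Connection=keep-alive, Host=127.0.0.1:9200, "
    "Content-Length=0}, HIS:[Admin->[auth_key_sha256->false]], "
    "[admin->[ldap_authentication->true, kibana_access->false]] }"
)

# One history entry looks like: [block_name->[rule->true, rule->false]]
BLOCK_RE = re.compile(r"\[([^\[\]]+?)->\[([^\[\]]*)\]\]")


def field(line, key):
    """Return the value of a KEY:value pair from the req={...} part, or None."""
    m = re.search(r"\b" + re.escape(key) + r":([^,]*)", line)
    return m.group(1).strip() if m else None


def explain_acl_line(line):
    """Summarise one ACL log line: who requested what, and which rule in each
    block evaluated to false according to the HIS field."""
    verdict = re.search(r"\b(FORBIDDEN|ALLOWED) by", line)
    history = re.search(r"HIS:(.*)", line)
    blocks = []
    for name, body in BLOCK_RE.findall(history.group(1) if history else ""):
        rules = [r.rsplit("->", 1) for r in body.split(", ") if "->" in r]
        passed = [n for n, v in rules if v == "true"]
        failed = next((n for n, v in rules if v != "true"), None)
        blocks.append((name, passed, failed))
    return {
        "verdict": verdict.group(1) if verdict else None,
        "user": field(line, "USR"),
        "action": field(line, "ACT"),
        "path": field(line, "PTH"),
        "blocks": blocks,
    }


if __name__ == "__main__":
    info = explain_acl_line(SAMPLE)
    print(info["verdict"], info["user"], info["action"], info["path"])
    for name, passed, failed in info["blocks"]:
        print(f"block {name!r}: passed={passed} first false rule={failed}")
```

For the line in the post this reports that the `admin` block passed `ldap_authentication` and that `kibana_access` was the rule that evaluated to false for `indices:admin/aliases/get`.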