Cannot access ES index management - auto logout


#1

Hi,

I’m trying the new version of ES + ROR Pro plugin and I encountered a problem.
When I log in with an admin account with full privileges (via LDAP connector), I cannot use some functionality in the GUI, like Management / Elasticsearch - Index Management. When I go there, I get redirected to https://<elk_url>/login

I tried the same with an admin account that is a local account, not the one via LDAP, and everything works perfectly.

Configuration of admin account via LDAP:

 - name: admin
   type: allow
   groups: [ "admin" ]
   indices: [ "*" ]
   kibana_access: admin
 
 - username: admin.ldap
   groups: [ "admin" ]
   ldap_authentication:
     name: "ldap_connector"

Configuration of local admin account:

 - name: Admin
   type: allow
   auth_key_sha256: ****

Kibana log shows some strange behaviour:

{"type":"log","@timestamp":"2019-03-13T08:22:44Z","tags":["error","readonlyrest_kbn"],"pid":16442,"message":"got an error [401] Unauthorized for path /api/index_management/indices"}
{"type":"error","@timestamp":"2019-03-13T08:22:44Z","tags":["error","readonlyrest_kbn"],"pid":16442,"level":"error","error":{"message":"[undefined] forbidden","name":"Error","stack":"[undefined] forbidden :: {"path":"/_cat/aliases","query":{"format":"json"},"statusCode":401,"response":"{\"error\":{\"root_cause\":[{\"reason\":\"forbidden\"}],\"reason\":\"forbidden\"},\"status\":401}","wwwAuthenticateDirective":"Basic"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:308:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:267:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:166:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4935:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)"},"message":"[undefined] forbidden"}
{"type":"log","@timestamp":"2019-03-13T08:22:44Z","tags":["info","readonlyrest_kbn"],"pid":16442,"message":"Rogue deep link, or has valid credentials but was unauthorized, must have insufficient privileges. Redirecting to logout: /logout"}

The Elasticsearch log shows that authorization is missing for a specific API call:

[2019-03-13T09:28:30,954][INFO ][t.b.r.a.ACL ] [estest01] FORBIDDEN by default req={ ID:311702130-1637722183#29691, TYP:GetAliasesRequest, CGR:N/A, USR:admin.ldap, BRS:false, KDX:null, ACT:indices:admin/aliases/get, OA:127.0.0.1, DA:127.0.0.1, IDX:, MET:GET, PTH:/_cat/aliases?format=json, CNT:<N/A>, HDR:{authorization=, Connection=keep-alive, Host=127.0.0.1:9200, Content-Length=0}, HIS:[Admin->[auth_key_sha256->false]], [admin->[ldap_authentication->true, kibana_access->false]] }

Some version info:

  • elasticsearch - 6.6.1
  • kibana - 6.6.1
  • ROR Elasticsearch plugin - readonlyrest-1.17.2_es6.6.1.zip
  • ROR Kibana plugin - readonlyrest_kbn_pro-1.17.2_es6.6.1.zip

Kibana is behind reverse proxy (Apache).

I’ll be glad if you can take a look at it.
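
Added example, not part of the original post and not ReadonlyREST's own code: a small parser for the Elasticsearch "FORBIDDEN by default" entry quoted above that reports, for each ACL block listed in HIS, the first rule that evaluated to false. The field layout is assumed from the single log line in this post, and the function names are hypothetical.

```python
import re

# Log line copied from the post above (ROR 1.17.2, "FORBIDDEN by default").
SAMPLE = (
    "[2019-03-13T09:28:30,954][INFO ][t.b.r.a.ACL ] [estest01] FORBIDDEN by default "
    "req={ ID:311702130-1637722183#29691, TYP:GetAliasesRequest, CGR:N/A, "
    "USR:admin.ldap, BRS:false, KDX:null, ACT:indices:admin/aliases/get, "
    "OA:127.0.0.1, DA:127.0.0.1, IDX:, MET:GET, PTH:/_cat/aliases?format=json, "
    "CNT:<N/A>, HDR:{authorization=, Connection=keep-alive, Host=127.0.0.1:9200, "
    "Content-Length=0}, HIS:[Admin->[auth_key_sha256->false]], "
    "[admin->[ldap_authentication->true, kibana_access->false]] }"
)

# Assumed layout: "KEY:value, " request fields, then HIS:[block->[rule->bool, ...]], ...
FIELD_RE = re.compile(r"\b(USR|ACT|PTH):([^,]*)")
BLOCK_RE = re.compile(r"\[([^\[\]]+?)->\[([^\]]*)\]\]")


def parse_forbidden(line):
    """Return user, action, path and per-block rule results, or None."""
    if "FORBIDDEN" not in line or "HIS:" not in line:
        return None
    head, _, history = line.partition("HIS:")
    req = dict(FIELD_RE.findall(head))
    blocks = []
    for name, rules in BLOCK_RE.findall(history):
        results = {}
        for item in filter(None, (r.strip() for r in rules.split(","))):
            rule, _, outcome = item.rpartition("->")
            results[rule] = outcome == "true"
        blocks.append((name, results))
    return {"user": req.get("USR"), "action": req.get("ACT"),
            "path": req.get("PTH"), "blocks": blocks}


def rejecting_rules(line):
    """Per block: (block, first false rule, whether an earlier rule matched)."""
    out = []
    parsed = parse_forbidden(line) or {"blocks": []}
    for name, results in parsed["blocks"]:
        names = list(results)
        failed = next((r for r in names if not results[r]), None)
        if failed is not None:
            earlier = names[:names.index(failed)]
            out.append((name, failed, any(results[r] for r in earlier)))
    return out
```

For the line above, the `admin` block comes back as rejected on `kibana_access` after `ldap_authentication` matched, while the `Admin` block simply did not match the credentials.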


(Simone Scarduzio) #2

Can you drop these two? For now it will do. I will add that action to the list of allowed ones for admins.

   kibana_access: admin
   indices: [ "*" ]


#3

Hi @sscarduzio,

Thanks for pointing out the problem.
The workaround works fine.

Looking forward to the fix.

Thanks.