Cannot Use Dev Tools in Kibana

MarcusCaepio · October 24, 2017, 11:21am

Hi All,
ROR Version 1.16.11
So I have following ACLs:

access_control_rules:
    - name: "::KIBANA-SRV::"
      auth_key: kibana:xxx
      verbosity: error
    - name: "::LOGSTASH::"
      auth_key: logstash:xxx
      actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    - name: "::LDAP::"
      kibana_access: rw
      proxy_auth:
        proxy_auth_config: "proxy"
        users: ["*"]
      ldap_authorization:
        name: "ldap"                                       # ldap name from below 'ldaps' section
        groups: ["test"]

I can:

Access Kibana via Proxy Auth Header
Access/Restrict Indices via LDAP Groups

But I cannot:

use the Dev Tools in Kibana to e.g. create a new Index:
I get a forbidden in the logs although I set kibana_access: admin
I think, it is because of kibana_access: false in the log

What am I doing wrong?

Log:

FORBIDDEN by default req={ ID:1836091209-472991067#44, TYP:IndexRequest, CGR:N/A, USR:test.user, BRS:false, ACT:indices:data/write/index, OA:1.2.3.4, IDX:blabla, MET:POST, PTH:/blabla/log/1, CNT:<OMITTED, LENGTH=22>, HDR: xxx HIS:[::KIBANA-SRV::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::LDAP::->[kibana_access->false, proxy_auth->true]] }

All successfull tasks got:
ldap_authorization->true, kibana_access->true, proxy_auth->true

Regards,
Marcus

MarcusCaepio · October 24, 2017, 11:56am

Fixed this for me.
So what I see is:

If I don’t set the kibana_access parameter at all, this group seems to be have all access (which is fine for me)
@sscarduzio What happens in Pro/Enterprise Version, when I have not set a kibana_access level? Will this group nevertheless have the option to use the kibana ROR app?

sscarduzio · October 27, 2017, 9:05pm

kibana_access with whatever value considerably limits what a user/group can do. That is, it restricts to the bare minimum actions that Kibana is able to perform via its UI (excluded dev tools).

If you plan to use dev tools, then you might as well omit the kibana_access as you did. By doing so, you will have omnipotent users towards the ES HTTP API.

In PRO/Enterprise this works the same.