_cat/indices not working again

Hello all,

It looks like the bug with _cat/indices is back again.

Here is my readonlyrest.yml:

readonlyrest:
  access_control_rules:
  - name: Super user access
    verbosity: error
    type: allow
    groups: ["superuser"]
    indices: ["*"]
    actions: ["*"]

  - name: All ro access
    type: allow
    groups: ["allro"]
    indices: ["*"]
    actions: ["indices:data/read/*", "cluster:monitor/state", "indices:admin/get", "indices:admin/mappings/fields/get", "indices:admin/mappings/get", "indices:admin/aliases/get", "indices:admin/template/get"]

  - name: Kibana rw access
    type: allow
    groups: ["kibanarw"]
    indices: [".kibana*"]
    actions: ["indices:data/read/*","indices:data/write/*"]
  
  - name: Kibana ro access
    type: allow
    groups: ["kibanaro"]
    indices: [".kibana*"]
    actions: ["indices:data/read/*"]

  - name: Logs all access
    verbosity: error
    type: allow
    groups: ["logs"]
    indices: ["logs*"]
    actions: ["*"]

  - name: Logs ro access
    type: allow
    groups: ["logsro"]
    indices: ["logs*",".monitoring*"]
    actions: ["indices:data/read/*", "cluster:monitor/state", "indices:admin/get", "indices:admin/mappings/fields/get", "indices:admin/mappings/get", "indices:admin/aliases/get", "indices:admin/template/get"]

  - name: Alibaba all access
    type: allow
    groups: ["alibaba"]
    indices: ["alibaba*"]
    actions: ["*"]

  users:
  - username: elastic
    auth_key_unix: ${ELASTIC_USER}
    groups: ["superuser"]

  - username: kibana
    auth_key_unix: ${KIBANA_USER}
    groups: ["superuser"]

  - username: logstash
    auth_key_unix: ${LOGSTASH_USER}
    groups: ["logs"]

  - username: alibaba
    auth_key_unix: ${ALIBABA_USER}
    groups: ["alibaba", "kibanarw", "logsro"]

  obfuscated_headers: ["x-auth-key", "authorization"]

  ssl:
    keystore_file: "keystore.jks"
    keystore_pass: "${PKCS12_PASSWORD}"
    key_pass: "${PKCS12_PASSWORD}"
    truststore_file: "truststore.jks"
    truststore_pass: "${PKCS12_PASSWORD}"

  ssl_internode:
    keystore_file: "keystore.jks"
    keystore_pass: "${PKCS12_PASSWORD}"
    key_pass: "${PKCS12_PASSWORD}"
    truststore_file: "truststore.jks"
    truststore_pass: "${PKCS12_PASSWORD}"
    certificate_verification: true
    client_authentication: false

The problem is that if the alibaba user executes _cat/indices from Kibana, he only sees the alibaba* indices, but he should also see the logs* and .monitoring indices.

In the past it was working great, but somehow it's now bugged: the user is able to see those indices when he tries to _search, or he can see them from a dashboard via an index pattern, but not in _cat/indices.

I'm using Elasticsearch 7.7.1 with ROR 1.20.0, but this issue was also present in ES 7.7.0 with ROR 1.19.5. I started to develop the cluster on that version; it was working well from the start, and after a while the issue appeared.

Can you please investigate?

Thanks!

Regards,
Denis.

Could you please share the ES log which shows which block was matched by the _cat/indices request?

Here it is:

[2020-07-13T16:06:12,578][INFO ][tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator] [alibaba-ire-all-01] [36mALLOWED by { name: 'Alibaba all access', policy: ALLOW, rules: [groups,actions,indices] req={ ID:327866964--2068283520#70031, TYP:GetSettingsRequest, CGR:N/A, USR:alibaba, BRS:false, KDX:null, ACT:indices:monitor/settings/get, OA:XXXX, XFF:x-forwarded-for=XXXX, DA:XXXX, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Authorization=<OMITTED>, Connection=close, content-length=0, content-type=application/json, host=XXXX, x-forwarded-for=XXXX, x-forwarded-host=XXXX:5601, x-forwarded-port=60452, x-forwarded-proto=https, x-ror-kibana-request-method=post, x-ror-kibana-request-path=/api/console/proxy, HIS:[Super user access-> RULES:[groups->false], RESOLVED:[indices=*]], [All ro access-> RULES:[groups->false], RESOLVED:[indices=*]], [Kibana rw access-> RULES:[groups->true, actions->false], RESOLVED:[user=alibaba;group=kibanarw;av_groups=kibanarw;indices=*]], [Kibana ro access-> RULES:[groups->false], RESOLVED:[indices=*]], [Logs all access-> RULES:[groups->false], RESOLVED:[indices=*]], [Logs ro access-> RULES:[groups->true, actions->false], RESOLVED:[user=alibaba;group=logsro;av_groups=logsro;indices=*]], [Alibaba all access-> RULES:[groups->true, actions->true, indices->true], RESOLVED:[user=alibaba;group=alibaba;av_groups=alibaba;indices=alibaba_backend_demo]] }[0m

Could you also show logs for the request which works well according to your first post?

Unfortunately not, I didn't have logging implemented at that time, so it's not stored :confused:

I thought about logging the _search or index pattern request. It is weird to me that these two work as expected but _cat/indices does not.

No idea why this is being resolved with the kibanarw group when I used this:

GET logs-2020-07-13/_search

There is access log:

[2020-07-13T18:33:51,487][INFO ][tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator] [alibaba-ire-all-01] [36mALLOWED by { name: 'Kibana rw access', policy: ALLOW, rules: [groups,actions,indices] req={ ID:1600902828--1037864470#140443, TYP:SubmitAsyncSearchRequest, CGR:N/A, USR:alibaba, BRS:false, KDX:null, ACT:indices:data/read/async_search/submit, OA:XXXX, XFF:null, DA:XXXX, IDX:<N/A>, MET:POST, PTH:/logs*/_async_search, CNT:<OMITTED, LENGTH=708.0 B> , HDR:Authorization=<OMITTED>, Connection=keep-alive, Content-Length=708, Host=XXXX, content-type=application/json, x-ror-kibana-request-method=post, x-ror-kibana-request-path=/internal/search/es, HIS:[Super user access-> RULES:[groups->false]], [All ro access-> RULES:[groups->false]], [Kibana rw access-> RULES:[groups->true, actions->true, indices->true], RESOLVED:[user=alibaba;group=kibanarw;av_groups=kibanarw]] }[0m

I have verbosity: error on that logsro because it was generating too many logs. Let me turn this on; the log is:

[2020-07-13T18:42:11,210][INFO ][tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator] [alibaba-ire-all-01] [36mALLOWED by { name: 'Logs ro access', policy: ALLOW, rules: [groups,actions,indices] req={ ID:586214041-1455909269#444, TYP:SearchRequest, CGR:N/A, USR:alibaba, BRS:false, KDX:null, ACT:indices:data/read/search, OA:XXXX, XFF:x-forwarded-for=XXXX, DA:XXXX, IDX:logs-2020.07.13, MET:GET, PTH:/logs-2020.07.13/_search, CNT:<N/A>, HDR:Authorization=<OMITTED>, Connection=close, content-length=0, content-type=application/json, host=XXXX, x-forwarded-for=XXXX, x-forwarded-host=XXXX, x-forwarded-port=49442, x-forwarded-proto=https, x-ror-kibana-request-method=post, x-ror-kibana-request-path=/api/console/proxy, HIS:[Super user access-> RULES:[groups->false], RESOLVED:[indices=logs-2020.07.13]], [All ro access-> RULES:[groups->false], RESOLVED:[indices=logs-2020.07.13]], [Kibana rw access-> RULES:[groups->true, actions->true, indices->false], RESOLVED:[user=alibaba;group=kibanarw;av_groups=kibanarw;indices=logs-2020.07.13]], [Kibana ro access-> RULES:[groups->false], RESOLVED:[indices=logs-2020.07.13]], [Logs all access-> RULES:[groups->false], RESOLVED:[indices=logs-2020.07.13]], [Logs ro access-> RULES:[groups->true, actions->true, indices->true], RESOLVED:[user=alibaba;group=logsro;av_groups=logsro;indices=logs-2020.07.13]] }[0m

OK, this is strange. I'll have to check it. But I'm not sure if I will be able to do it this week.

Sure, let me know if you find something.

Hello there, is there any update regarding this?
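An added example, not part of the original thread or of ReadonlyREST's own code: a small parser for the HIS field of the access log lines posted above, which reports for each ACL block the first rule that evaluated to false and the indices the block resolved. The sample line is a shortened copy of the _cat/indices log from the thread, and the `*` matching in `action_matches` is a simplified stand-in for ReadonlyREST's matcher (an assumption).

```python
import re

# Shortened copy of the _cat/indices log line posted in the thread (constructed sample).
SAMPLE = (
    "ACT:indices:monitor/settings/get, PTH:/_cat/indices, "
    "HIS:[Super user access-> RULES:[groups->false], RESOLVED:[indices=*]], "
    "[Kibana rw access-> RULES:[groups->true, actions->false], "
    "RESOLVED:[user=alibaba;group=kibanarw;av_groups=kibanarw;indices=*]], "
    "[Logs ro access-> RULES:[groups->true, actions->false], "
    "RESOLVED:[user=alibaba;group=logsro;av_groups=logsro;indices=*]], "
    "[Alibaba all access-> RULES:[groups->true, actions->true, indices->true], "
    "RESOLVED:[user=alibaba;group=alibaba;av_groups=alibaba;indices=alibaba_backend_demo]] }"
)

# "actions" of the "Logs ro access" block, copied from the posted readonlyrest.yml.
LOGS_RO_ACTIONS = [
    "indices:data/read/*", "cluster:monitor/state", "indices:admin/get",
    "indices:admin/mappings/fields/get", "indices:admin/mappings/get",
    "indices:admin/aliases/get", "indices:admin/template/get",
]

# One history entry: [<block>-> RULES:[...]] with an optional ", RESOLVED:[...]" part.
BLOCK_RE = re.compile(r"\[([^\[\]]+?)-> RULES:\[([^\]]*)\](?:, RESOLVED:\[([^\]]*)\])?\]")

def parse_history(line):
    """Return (action, [(block, first_failed_rule_or_None, resolved_indices_or_None)])."""
    action = re.search(r"ACT:([^,\s]+)", line).group(1)
    blocks = []
    for name, rules, resolved in BLOCK_RE.findall(line.split("HIS:", 1)[1]):
        outcome = dict(r.split("->") for r in rules.split(", "))
        failed = next((k for k, v in outcome.items() if v != "true"), None)
        idx = re.search(r"indices=([^;]*)", resolved)
        blocks.append((name, failed, idx.group(1) if idx else None))
    return action, blocks

def action_matches(action, patterns):
    """True if the action matches any pattern; only '*' is treated as a wildcard."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), action) for p in patterns)

if __name__ == "__main__":
    action, blocks = parse_history(SAMPLE)
    print("action:", action)
    for name, failed, indices in blocks:
        verdict = "MATCHED" if failed is None else f"failed on '{failed}'"
        print(f"  {name:20} {verdict:22} indices={indices}")
    print("in Logs ro actions list:", action_matches(action, LOGS_RO_ACTIONS))
```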