@Sinedko I’ve checked the configuration from the first post, and this is my analysis:
Here are my indices:
> curl -k -u elastic:test "http://127.0.0.1:9200/_cat/indices"
yellow open index1 DC8Oy5P0QaCql0wWLqq6NA 1 1 1 0 2.9kb 2.9kb
yellow open logs_20200202 3O2VThwHQ02Mw_VoIa6RXw 1 1 1 0 2.8kb 2.8kb
yellow open alibaba1 EUpbcPz-S_GaF2ZnMNqORw 1 1 1 0 2.8kb 2.8kb
yellow open logs_20200201 daoSFCFeQBCulOCSQixfBA 1 1 1 0 2.8kb 2.8kb
yellow open index2 tC8dHVLrQwiPEZzMpINHYA 1 1 1 0 2.9kb 2.9kb
Now, I use “alibaba” user to cat indices:
> curl -k -u alibaba:test "http://127.0.0.1:9200/_cat/indices"
yellow open alibaba1 EUpbcPz-S_GaF2ZnMNqORw 1 1 1 0 2.9kb 2.9kb
So, this is the thing you have reported. Alibaba sees only “alibaba*” indices. Let’s check why:
[2020-09-19T17:24:07,481][DEBUG][t.b.r.a.b.r.AuthKeyRule ] [n1_it] Attempting Login as: alibaba rc: 1665959920--708848282#246
[2020-09-19T17:24:07,482][DEBUG][t.b.r.a.b.r.AuthKeyRule ] [n1_it] Attempting Login as: alibaba rc: 1665959920--708848282#246
[2020-09-19T17:24:07,483][DEBUG][t.b.r.a.b.Block ] [n1_it] [Super user access] the request matches no rules in this block: { ID:1665959920--708848282#246, TYP:GetSettingsRequest, CGR:N/A, USR:alibaba (attempted), BRS:true, KDX:null, ACT:indices:monitor/settings/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Authorization=<OMITTED>, Host=127.0.0.1:9200, User-Agent=curl/7.64.1, content-length=0, HIS:[Super user access-> RULES:[groups->false], RESOLVED:[indices=*]] }
[2020-09-19T17:24:07,484][DEBUG][t.b.r.a.b.Block ] [n1_it] [All ro access] the request matches no rules in this block: { ID:1665959920--708848282#246, TYP:GetSettingsRequest, CGR:N/A, USR:alibaba (attempted), BRS:true, KDX:null, ACT:indices:monitor/settings/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Authorization=<OMITTED>, Host=127.0.0.1:9200, User-Agent=curl/7.64.1, content-length=0, HIS:[All ro access-> RULES:[groups->false], RESOLVED:[indices=*]] }
[2020-09-19T17:24:07,484][DEBUG][t.b.r.a.b.r.AuthKeyRule ] [n1_it] Attempting Login as: alibaba rc: 1665959920--708848282#246
[2020-09-19T17:24:07,484][DEBUG][t.b.r.a.b.r.ActionsRule ] [n1_it] This request uses the action 'indices:monitor/settings/get' and none of them is on the list.
[2020-09-19T17:24:07,485][DEBUG][t.b.r.a.b.Block ] [n1_it] [Kibana rw access] the request matches no rules in this block: { ID:1665959920--708848282#246, TYP:GetSettingsRequest, CGR:N/A, USR:alibaba (attempted), BRS:true, KDX:null, ACT:indices:monitor/settings/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Authorization=<OMITTED>, Host=127.0.0.1:9200, User-Agent=curl/7.64.1, content-length=0, HIS:[Kibana rw access-> RULES:[groups->true, actions->false], RESOLVED:[user=alibaba;group=kibanarw;av_groups=kibanarw;indices=*]] }
[2020-09-19T17:24:07,486][DEBUG][t.b.r.a.b.Block ] [n1_it] [Kibana ro access] the request matches no rules in this block: { ID:1665959920--708848282#246, TYP:GetSettingsRequest, CGR:N/A, USR:alibaba (attempted), BRS:true, KDX:null, ACT:indices:monitor/settings/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Authorization=<OMITTED>, Host=127.0.0.1:9200, User-Agent=curl/7.64.1, content-length=0, HIS:[Kibana ro access-> RULES:[groups->false], RESOLVED:[indices=*]] }
[2020-09-19T17:24:07,486][DEBUG][t.b.r.a.b.r.AuthKeyRule ] [n1_it] Attempting Login as: alibaba rc: 1665959920--708848282#246
[2020-09-19T17:24:07,486][DEBUG][t.b.r.a.b.Block ] [n1_it] [Logs all access] the request matches no rules in this block: { ID:1665959920--708848282#246, TYP:GetSettingsRequest, CGR:N/A, USR:alibaba (attempted), BRS:true, KDX:null, ACT:indices:monitor/settings/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Authorization=<OMITTED>, Host=127.0.0.1:9200, User-Agent=curl/7.64.1, content-length=0, HIS:[Logs all access-> RULES:[groups->false], RESOLVED:[indices=*]] }
[2020-09-19T17:24:07,487][DEBUG][t.b.r.a.b.r.AuthKeyRule ] [n1_it] Attempting Login as: alibaba rc: 1665959920--708848282#246
[2020-09-19T17:24:07,487][DEBUG][t.b.r.a.b.r.ActionsRule ] [n1_it] This request uses the action 'indices:monitor/settings/get' and none of them is on the list.
[2020-09-19T17:24:07,487][DEBUG][t.b.r.a.b.Block ] [n1_it] [Logs ro access] the request matches no rules in this block: { ID:1665959920--708848282#246, TYP:GetSettingsRequest, CGR:N/A, USR:alibaba (attempted), BRS:true, KDX:null, ACT:indices:monitor/settings/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Authorization=<OMITTED>, Host=127.0.0.1:9200, User-Agent=curl/7.64.1, content-length=0, HIS:[Logs ro access-> RULES:[groups->true, actions->false], RESOLVED:[user=alibaba;group=logsro;av_groups=logsro;indices=*]] }
[2020-09-19T17:24:07,488][DEBUG][t.b.r.a.b.r.AuthKeyRule ] [n1_it] Attempting Login as: alibaba rc: 1665959920--708848282#246
[2020-09-19T17:24:07,488][DEBUG][t.b.r.a.b.r.IndicesRule ] [n1_it] [1665959920--708848282#246] Checking - none or all indices ...
[2020-09-19T17:24:07,489][DEBUG][t.b.r.a.b.Block ] [n1_it] matched { name: 'Alibaba all access', policy: ALLOW, rules: [groups,actions,indices] { found: user=alibaba;group=alibaba;av_groups=alibaba;indices=alibaba1 }
[2020-09-19T17:24:07,490][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [n1_it] ALLOWED by { name: 'Alibaba all access', policy: ALLOW, rules: [groups,actions,indices] req={ ID:1665959920--708848282#246, TYP:GetSettingsRequest, CGR:N/A, USR:alibaba, BRS:true, KDX:null, ACT:indices:monitor/settings/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:*, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Authorization=Basic YWxpYmFiYTp0ZXN0, Host=127.0.0.1:9200, User-Agent=curl/7.64.1, content-length=0, HIS:[Super user access-> RULES:[groups->false], RESOLVED:[indices=*]], [All ro access-> RULES:[groups->false], RESOLVED:[indices=*]], [Kibana rw access-> RULES:[groups->true, actions->false], RESOLVED:[user=alibaba;group=kibanarw;av_groups=kibanarw;indices=*]], [Kibana ro access-> RULES:[groups->false], RESOLVED:[indices=*]], [Logs all access-> RULES:[groups->false], RESOLVED:[indices=*]], [Logs ro access-> RULES:[groups->true, actions->false], RESOLVED:[user=alibaba;group=logsro;av_groups=logsro;indices=*]], [Alibaba all access-> RULES:[groups->true, actions->true, indices->true], RESOLVED:[user=alibaba;group=alibaba;av_groups=alibaba;indices=alibaba1]] }
Logs show that the “Logs ro access” block was rejected because the actions rule was not matched, because the action “indices:monitor/settings/get” was not on the list.
The next block, “Alibaba all access”, was matched and the indices list was narrowed to alibaba* indices only.
When we modify the ROR configuration like this:
    - name: Logs ro access
      type: allow
      groups: ["logsro"]
      indices: ["logs*",".monitoring*"]
      actions: ["indices:monitor/settings/get", "indices:data/read/*", "cluster:monitor/state", "indices:admin/get", "indices:admin/mappings/fields/get", "indices:admin/mappings/get", "indices:admin/aliases/get", "indices:admin/template/get"]
we will see:
> curl -k -u alibaba:test "http://127.0.0.1:9200/_cat/indices"
yellow open logs_20200202 3O2VThwHQ02Mw_VoIa6RXw 1 1 1 0 2.9kb 2.9kb
yellow open logs_20200201 daoSFCFeQBCulOCSQixfBA 1 1 1 0 2.9kb 2.9kb
But AFAIU the result is also not the one you expect. If you would like to see logs*, monitoring* and alibaba* indices, you have to put them inside the same block. ROR stops at the first matched block.
Or maybe I missed sth?
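
The block-by-block reading of the debug log above can be automated. This is an added example, not part of the original post or of ReadonlyREST itself: it parses the `HIS:` field of the ALLOWED line (copied from the log quoted above, other fields trimmed) and reports which rule ruled out each block and which block decided the request. The function names `parse_history` and `explain` are made up for this sketch.

```python
import re

# HIS field trimmed from the ALLOWED log line quoted in the post above.
HIS = (
    "HIS:[Super user access-> RULES:[groups->false], RESOLVED:[indices=*]], "
    "[All ro access-> RULES:[groups->false], RESOLVED:[indices=*]], "
    "[Kibana rw access-> RULES:[groups->true, actions->false], "
    "RESOLVED:[user=alibaba;group=kibanarw;av_groups=kibanarw;indices=*]], "
    "[Kibana ro access-> RULES:[groups->false], RESOLVED:[indices=*]], "
    "[Logs all access-> RULES:[groups->false], RESOLVED:[indices=*]], "
    "[Logs ro access-> RULES:[groups->true, actions->false], "
    "RESOLVED:[user=alibaba;group=logsro;av_groups=logsro;indices=*]], "
    "[Alibaba all access-> RULES:[groups->true, actions->true, indices->true], "
    "RESOLVED:[user=alibaba;group=alibaba;av_groups=alibaba;indices=alibaba1]] }"
)

# One history entry: [<block name>-> RULES:[<rule->bool, ...>], RESOLVED:[<k=v;...>]]
BLOCK_RE = re.compile(r"\[([^\[\]]+?)-> RULES:\[([^\]]*)\], RESOLVED:\[([^\]]*)\]\]")

def parse_history(line):
    """Return one dict per ACL block, in the order the blocks were evaluated."""
    blocks = []
    for name, rules, resolved in BLOCK_RE.findall(line):
        results = [tuple(r.split("->")) for r in rules.split(", ") if r]
        # The first rule that is not 'true' is what ruled the block out.
        failed = next((rule for rule, ok in results if ok != "true"), None)
        fields = dict(kv.split("=", 1) for kv in resolved.split(";") if "=" in kv)
        blocks.append({"block": name, "failed_rule": failed,
                       "matched": bool(results) and failed is None,
                       "indices": fields.get("indices")})
    return blocks

def explain(line):
    """Summarise why each block was skipped and which block decided."""
    out = []
    for b in parse_history(line):
        if b["matched"]:
            out.append(f"{b['block']}: MATCHED, indices={b['indices']}")
            break  # the first matched block decides the request
        out.append(f"{b['block']}: skipped, rule '{b['failed_rule']}' did not match")
    return out

if __name__ == "__main__":
    print("\n".join(explain(HIS)))
```
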