Configuration example for jwt multi tenancy

Hi
Does there exist a example configuration for multi tenancy with jwt?

I have an existing ELK-stack instance running without ROR, and want to install ROR. I can get it to work fine without multi tenancy, but I am confused as to how you set up multi tenancy.

I have congigured it so that all users have access to the existing .kibana index (seems to be stored as .kibana_1 .kibana_2 .kibana_3 etc) with different access levels. In addition I want to achieve that users with rw-acces to also be able to switch to a private tenancy which only they can use. So they would have a dropdown with the tenancies available to them (the default .kibana index and a private tanancy). How can I achieve this? Would be great if there is some example configuration I can look at.

Here’s my non-multi-tenancy configuration:
readonlyrest:

access_control_rules:
- name: "::KIBANA-SRV::"
  auth_key: kibana:kibana
  verbosity: error

- name: "::ADMIN_BP::"
  kibana_access: admin
  jwt_auth:
    name: "webseal"
    roles: ["kibana_admin"]

- name: "::RW_BP::"
  kibana_access: rw
  jwt_auth:
    name: "webseal"
    roles: ["kibana_user"]

- name: "::RO_BP::"
  kibana_access: ro
  kibana_hide_apps: ["readonlyrest_kbn", "kibana:visualize", "canvas", "apps", "ml", "infra:infrastructure","infra:logs", "apm", "uptime", "siem", "kibana:dev_tools", "monitoring", "kibana:management"]
  jwt_auth:
    name: "webseal"
    roles: ["kibana_readonly"]

jwt:
- name: webseal
  signature_algo: RSA
  signature_key: "MY_KEY"
  user_claim: sub
  roles_claim: groups
  header_name: jwt

Thanks

Hello @anon39196365, great question!

The solution to your problem should look like this:

readonlyrest:
 access_control_rules:
 - name: "::KIBANA-SRV::"
   auth_key: kibana:kibana
   verbosity: error

 - name: "::ADMIN_BP::"
   kibana_access: admin
   jwt_auth:
    name: "webseal"
    roles: ["kibana_admin"]

 - name: "::RW_BP::"
   kibana_access: rw
   jwt_auth:
    name: "webseal"
    roles: ["kibana_user"]

 - name: "::RW_BP (personal)::"  #<--- added this block
   kibana_access: rw
   kibana_index: ."kibana_rw_bp_@{user}" # <-- dynamic variable
   jwt_auth:
    name: "webseal"
    roles: ["kibana_user"]

- name: "::RO_BP::"
  kibana_access: ro
  kibana_hide_apps: ["readonlyrest_kbn", "kibana:visualize", "canvas", "apps", "ml", "infra:infrastructure","infra:logs", "apm", "uptime", "siem", "kibana:dev_tools", "monitoring", "kibana:management"]
  jwt_auth:
    name: "webseal"
    roles: ["kibana_readonly"]
1 Like

Hi

This does not seem to work. I do not see any multi tenancy selector when logged in to kibana.
Is there anything else that needs to be configured?

OS: Windows Server 2016
ELK version: 7.2.0
ROR Elasticsearch: readonlyrest-1.18.4_es7.2.0
ROR Kibana: readonlyrest_kbn_enterprise-1.18.5-pre13_es7.2.0

Screenshot from kibana

Elasticsearch log allowed request

[2019-08-26T11:03:35,297][INFO ][t.b.r.a.l.AclLoggingDecorator] [U-114-270-028-ROR] ALLOWED by { name: '::ADMIN_BP::', p
olicy: ALLOW, rules: [jwt_auth,kibana_access,indices] req={  ID:1166174822-738288830#2047,  TYP:GetIndexTemplatesRequest
,  CGR:Role_kibana_admin_blueprism,  USR:G019496,  BRS:false,  KDX:null,  ACT:indices:admin/template/get,  OA:172.16.111
.87/32,  XFF:x-forwarded-for=139.113.87.153,  DA:172.16.111.87/32,  IDX:<N/A>,  MET:GET,  PTH:/_template?pretty,  CNT:<N
/A>,  HDR:Connection=close, content-length=0, host=u-114-270-028:9210, jwt=Bearer <MY TOKEN>, x-forwarded-for=1
39.113.87.153, x-forwarded-host=139.113.87.153:5610, x-forwarded-port=55346, x-forwarded-proto=http, x-ror-current-group
=Role_kibana_admin_blueprism, x-ror-kibana-request-method=post, x-ror-kibana-request-path=/api/console/proxy,  HIS:[::TE
ST::-> RULES:[auth_key->false], RESOLVED:[group=Role_kibana_admin_blueprism]], [::LOGSTASH::-> RULES:[auth_key_sha256->f
alse], RESOLVED:[group=Role_kibana_admin_blueprism]], [::KIBANA-SRV::-> RULES:[auth_key_sha256->false], RESOLVED:[group=
Role_kibana_admin_blueprism]], [::ADMIN_BP::-> RULES:[jwt_auth->true, kibana_access->true, indices->true], RESOLVED:[use
r=G019496;group=Role_kibana_admin_blueprism;av_groups=Role_kibana_admin_blueprism;response_hdr=x-ror-kibana_access=admin
]]  }

readonlyrest.yml

readonlyrest:

    access_control_rules:
    - name: "::LOGSTASH::"
      auth_key_sha256: <MY LOGSTASH CREDENTIALS>
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["queueitems-*", "sessions-*", "resources-*", "queues-*"]

    - name: "::KIBANA-SRV::"
      auth_key_sha256: <MY KIBANA CREDENTIALS>
      verbosity: error

    - name: "::ADMIN_BP::"
      indices: ["queueitems-*", "sessions-*", "resources-*", "queues-*", ".kibana", ".monitoring*", ".reporting*", ".tasks*", ".kibana_task*",".readonlyrest", "kibana_sample*"]
      kibana_access: admin
      jwt_auth:
        name: "webseal"
        roles: ["Role_kibana_admin_blueprism"]

    - name: "::RW_BP::"
      kibana_access: rw
      indices: ["queueitems-*", "sessions-*", "resources-*", "queues-*", ".kibana", ".monitoring*", ".reporting*", ".tasks*", ".kibana_task*", "kibana_sample*"]
      kibana_hide_apps: ["readonlyrest_kbn"]
      jwt_auth:
        name: "webseal"
        roles: ["Role_kibana_readwrite_blueprism"]

    - name: "::RW_BP (personal)::"
      kibana_access: rw
      indices: ["queueitems-*", "sessions-*", "resources-*", "queues-*", ".kibana_personal_bp_@{user}", ".monitoring*", ".reporting*", ".tasks*", ".kibana_task*","@{user}-*", "kibana_sample*"]
      kibana_index: ".kibana_personal_bp_@{user}"
      kibana_hide_apps: ["readonlyrest_kbn"]
      jwt_auth:
        name: "webseal"
        roles: ["Role_kibana_readwrite_blueprism", "Role_kibana_admin_blueprism"]

    - name: "::RO_BP::"
      kibana_access: ro
      indices: ["queueitems-*", "sessions-*", "resources-*", "queues-*", ".kibana", "kibana_sample*"]
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:visualize", "canvas", "apps", "ml", "infra:infrastructure","infra:logs", "apm", "uptime", "siem", "kibana:dev_tools", "monitoring", "kibana:management"]
      jwt_auth:
        name: "webseal"
        roles: ["Role_kibana_readonly_blueprism"]

    jwt:
    - name: webseal
      signature_algo: RSA
      signature_key: "<MY PUBLIC KEY>"
      user_claim: sub
      roles_claim: groups
      header_name: jwt

elasticsearch.yml

cluster.name: rortest
node.name: U-114-270-028-ROR
network.host: U-114-270-028
http.port: 9210
transport.port: 9538

xpack.security.enabled: false

discovery.zen.ping.unicast.hosts: ["U-114-270-028"]
cluster.initial_master_nodes: 
   - U-114-270-028-ROR

kibana.yml

server.port: 5610

server.host: "localhost"

server.basePath: "/kibana"
server.rewriteBasePath: false

elasticsearch.hosts: "http://U-114-270-028:9210"

xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.monitoring.enabled: true
xpack.security.enabled: false
xpack.watcher.enabled: false

readonlyrest_kbn.forward_auth_header: jwt
elasticsearch.requestHeadersWhitelist: [jwt]
#readonlyrest_kbn.jwt_query_param: "jwt"

#Real username and password stored in keystore. For reference https://www.elastic.co/guide/en/kibana/current/secure-settings.html
#elasticsearch.username: "kibana"
#elasticsearch.password: "kibana"
readonlyrest_kbn.clearSessionOnEvents: ["never"]

Decoded JWT

{
  "sub": "G019496",
  "iss": "https://www.example.com",
  "aud": "urn:liberty",
  "iat": 1566801867,
  "exp": 1566805467,
  "sess": "f2cdaec0-c7cc-11e9-a8b8-005056824880",
  "groups": [
    "Role_kibana_admin_blueprism",
    "not_relevant_role_1",
    "not_relevant_roles_2",
    "not_relevant_roles_3",
    "not_relevant_roles_4",
    "not_relevant_roles_5",
    "not_relevant_roles_6",
    "not_relevant_roles_7",
    "not_relevant_roles_8",
    "not_relevant_roles_9",
    "not_relevant_roles_10",
    "not_relevant_roles_11",
    "not_relevant_roles_12"
  ]
}

We have a PR pending that fixes exactly this, will hand you a pre-build soon.

1 Like

Just upgraded to 1.18.5 and I still can’t see the tenancy selector. Is there something wrong with my config or are you still working on this issue? Thanks.

When you login as a user that is supposed to have a tenancy selector, what do you read in Kibana logs?
I’m looking for this log line:

server log [04:46:51.878] [info][readonlyrest_kbn:enrichFromEs] received identity payload: {“x-ror-username”:“admin”,“x-ror-current-group”:“ROR (admin)”,“x-ror-available-groups”:[“ROR (admin)”,“Infosec”],“x-ror-kibana_access”:“admin”}

@sscarduzio
When a user logs in I see the following line in the logs.

 [16:39:07.618] [warning][readonlyrest_kbn:ensureIndexExists] error writing default space to .kibana {}

I made a post about this as well: Error writing to defaul space .kibana {} - #3 by sscarduzio
Might be related?