Deny access to some indices. Unexpected behavior

elasticsearch and kibana version: 8.7.1
readonlyrest version: 1.52

readonlyrest.yml

readonlyrest:
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
  access_control_rules:

  - name: "local user: elasticsearch"
    type: allow
    auth_key: mydomain-elasticsearch:PASSWORD

  - name: "local user: kibana"
    kibana:
      access: unrestricted
    type: allow
    auth_key: kibana_system:PASSWORD

  - name: "local user: logstash"
    type: allow
    auth_key: mydomain-elk-logstash:PASSWORD
  
  - name: "disable index kubernetes-logs for kibana users"
    type: forbid
    indices: ["kubernetes-logs-*"]
    proxy_auth:
      proxy_auth_config: "myproxy"
      users: ["*"]
    ldap_authorization:
      name: "myldap"
      groups: ["mydomain-log-users"]

  - name: "kibana users"
    kibana_access: "admin"
    proxy_auth:
      proxy_auth_config: "myproxy"
      users: ["*"]
    ldap_authorization:
      name: "myldap"
      groups: ["mydomain-log-users"]
  
  proxy_auth_configs:
  - name: "myproxy"
    user_id_header: "X-Forwarded-User"
  
  ldaps:
  - name: myldap
    host: "mydomain.local"
    port: 3268
    ssl_enabled: false
    ssl_trust_all_certs: true
    ignore_ldap_connectivity_problems: true
    bind_dn: "BIND_DN"
    bind_password: "PASSWORD"
    search_user_base_DN: "BASE_DN"
    user_id_attribute: "sAMAccountName"
    search_groups_base_DN: "GROUP_BASE_DN"
    unique_member_attribute: "member"
    connection_pool_size: 20
    connection_timeout: 1s
    request_timeout: 2s
    cache_ttl_in_sec: 300
    group_search_filter: "(objectClass=group)(|(CN=mydomain-log-*)(CN=Domain Admins))"
    group_name_attribute: "cn"
    circuit_breaker:
      max_retries: 2
      reset_duration: 5s

Trying to log in to Kibana: after entering the login and password, the browser redirects to /s/default/app/home, and after 2-3 seconds it redirects again to /logout?msg=AUTHENTICATION_ERROR&next=%2Fs%2Fdefault%2Fapp%2Fhome
I get a 401 error on this page.

In Elasticsearch's logs I get this error:

{"@timestamp":"2023-10-20T11:50:26.989Z", "log.level": "INFO", "message":"\u001B[35mFORBIDDEN by { name: 'disable index kubernetes-logs for kibana users', policy: FORBID, rules: [proxy_auth,ldap_authorization,indices] req={ ID:632502794-909410523#2825, TYP:ClosePointInTimeRequest, CGR:mydomain-log-users, USR:testvina, BRS:true, KDX:null, ACT:indices:data/read/close_point_in_time, OA:10.244.3.244/32, XFF:192.168.104.184, DA:10.244.3.248/32, IDX:<N/A>, MET:DELETE, PTH:/_pit, CNT:<OMITTED, LENGTH=181.0 B> , HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Content-Length=181, Host=poc-elasticsearch-elk:9200, accept=application/vnd.elasticsearch+json; compatible-with=8, connection=close, content-type=application/vnd.elasticsearch+json; compatible-with=8, elastic-apm-traceparent=00-68e724b7f9fb5e997d8da0f1f37428de-3ceddc6bfb7281b0-00, traceparent=00-68e724b7f9fb5e997d8da0f1f37428de-3ceddc6bfb7281b0-00, tracestate=es=s:0, user-agent=Kibana/8.7.1, x-elastic-client-meta=es=8.6.0p,js=16.19.1,t=8.3.1,hc=16.19.1, x-elastic-product-origin=kibana, x-forwarded-for=192.168.104.184, x-forwarded-user=testvina, x-opaque-id=unknownId, x-ror-correlation-id=472890d6-0b4e-4065-9239-efe7eff66ba8, x-ror-kibana-request-method=get, x-ror-kibana-request-path=/s/default/api/saved_objects_tagging/tags, HIS:[local user: elasticsearch-> RULES:[auth_key->false]], [local user: kibana-> RULES:[auth_key->false]], [local user: logstash-> RULES:[auth_key->false]], [disable index kubernetes-logs for kibana users-> RULES:[proxy_auth->true, ldap_authorization->true, indices->true] RESOLVED:[user=testvina;group=mydomain-log-users;av_groups=mydomain-log-users]], }\u001B[0m", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"scala-execution-context-global-46","log.logger":"tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator","elasticsearch.cluster.uuid":"z42tAjymTnqbhssmHV2MOA","elasticsearch.node.id":"ZWZN_R2YQxSvX-mrFqzR5w","elasticsearch.node.name":"poc-elasticsearch-elk-0","elasticsearch.cluster.name":"poc-elasticsearch"}

The error itself shows that there is no index reference (IDX:<N/A>), but for some reason the rule “disable index kubernetes-logs for kibana users-> RULES:[proxy_auth->true, ldap_authorization->true, indices->true]” is triggered.

Can you tell me how to fix this?

@roman.vinnichenko

I see the request DELETE /_pit was matched by the “disable index kubernetes-logs for kibana users” block. If any request matches the block, it will be FORBIDDEN (this is how you configured it).

Everything is OK and expected. The ClosePointInTimeRequest is treated by ROR as a request that doesn’t involve indices (IDX:<N/A>) because it doesn’t refer to an index directly (but it obviously refers to one indirectly, through the PIT id).

Maybe you should use here the extended version of the indices rule:

indices:
  patterns: ["kubernetes-logs-*"]
  must_involve_indices: true

In this case the ClosePointInTimeRequest won’t match the block because it doesn’t involve the indices.

Now the login process runs normally, but another problem appears.
I have created two Data Views:
index-teat-*
kubernetes-logs-*

If a user from mydomain-log-users AD group clicks on Discover, he is redirected to /logout?msg=AUTHENTICATION_ERROR&next=%2Fs%2Fdefault%2Fapp%2Fdiscover%23%2F and again requires BASIC authorization.

This problem was not observed in elasticsearch version 7.16.2 (readonlyrest version: 1.49). Instead of a logout, there was just a message that access to this data was denied.

I need all users from mydomain-log-users AD group to have RO access everywhere except kubernetes-logs-* indexes
@coutoPL, please help me to create a proper configuration file.

Sure, I will help.
Please, take a look at the ES logs and try to find the FORBIDDEN log (or another purple one). Show us the log and we will tell you what’s going on.
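As an added example of the triage coutoPL asks for here (this is not code from the thread or from the ReadonlyREST project), the script below parses a FORBIDDEN line from the Elasticsearch JSON log into the matched block, its policy and rules, the request fields (TYP, ACT, IDX, MET, PTH, ...) and the per-block history, and flags the case this thread hit: a forbid block whose indices rule matched a request that ROR logged as IDX:<N/A>. The sample line is constructed from the FORBIDDEN entry posted above, with the HDR list shortened and most ECS fields dropped; the field layout is what ROR printed, while parse_ror_log, involves_indices and triage are this example's own names.

```python
"""Parse and triage a ReadonlyREST access-control line from the Elasticsearch JSON log.

Added example; not code from the thread or from the ReadonlyREST project.
SAMPLE_LOG_LINE is constructed from the FORBIDDEN entry posted in the thread,
with the HDR list shortened and most ECS fields dropped. The function names
are this example's own.
"""
import json
import re

# Constructed sample: the thread's FORBIDDEN line, abbreviated.
SAMPLE_LOG_LINE = (
    '{"@timestamp":"2023-10-20T11:50:26.989Z", "log.level": "INFO", '
    '"message":"\\u001B[35mFORBIDDEN by { name: \'disable index kubernetes-logs for kibana users\', '
    'policy: FORBID, rules: [proxy_auth,ldap_authorization,indices] '
    'req={ ID:632502794-909410523#2825, TYP:ClosePointInTimeRequest, CGR:mydomain-log-users, '
    'USR:testvina, BRS:true, KDX:null, ACT:indices:data/read/close_point_in_time, '
    'OA:10.244.3.244/32, XFF:192.168.104.184, DA:10.244.3.248/32, IDX:<N/A>, MET:DELETE, '
    'PTH:/_pit, CNT:<OMITTED, LENGTH=181.0 B> , HDR:Authorization=<OMITTED>, '
    'Host=poc-elasticsearch-elk:9200, user-agent=Kibana/8.7.1, x-forwarded-user=testvina, '
    'HIS:[local user: elasticsearch-> RULES:[auth_key->false]], '
    '[local user: kibana-> RULES:[auth_key->false]], '
    '[local user: logstash-> RULES:[auth_key->false]], '
    '[disable index kubernetes-logs for kibana users-> RULES:[proxy_auth->true, '
    'ldap_authorization->true, indices->true] RESOLVED:[user=testvina;'
    'group=mydomain-log-users;av_groups=mydomain-log-users]], }\\u001B[0m", '
    '"log.logger":"tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator"}'
)

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")  # ROR colours its lines (purple = forbidden)
HEADER_RE = re.compile(
    r"^(?P<verdict>[A-Z]+) by \{ name: '(?P<block>[^']*)', policy: (?P<policy>[A-Z]+), "
    r"rules: \[(?P<rules>[^\]]*)\] req=\{ (?P<req>.*)$"
)
# Request fields are "KEY:value" pairs; some values (HDR, CNT) contain commas
# themselves, so a value runs until the next ", KEY:" or the closing ", }".
FIELD_RE = re.compile(r"(?P<key>[A-Z]{2,3}):(?P<val>.*?)(?=, [A-Z]{2,3}:|, \}$)")
# HIS entries look like: [block-> RULES:[rule->true, ...] RESOLVED:[...]]
HIS_RE = re.compile(
    r"\[(?P<block>[^\[\]]+?)-> RULES:\[(?P<rules>[^\]]*)\]"
    r"(?: RESOLVED:\[(?P<resolved>[^\]]*)\])?\]"
)


def _parse_rules(text: str) -> dict:
    """'proxy_auth->true, indices->true' -> {'proxy_auth': True, 'indices': True}"""
    out = {}
    for item in filter(None, text.split(", ")):
        name, _, result = item.partition("->")
        out[name] = result == "true"
    return out


def parse_ror_log(line: str) -> dict:
    """Return verdict, matched block and policy, request fields and block history."""
    record = json.loads(line)
    msg = ANSI_RE.sub("", record["message"])
    head = HEADER_RE.match(msg)
    if head is None:
        raise ValueError("not a ReadonlyREST access-control log line")
    fields = {f.group("key"): f.group("val").strip()
              for f in FIELD_RE.finditer(head.group("req"))}
    history = [
        {"block": h.group("block"), "rules": _parse_rules(h.group("rules")),
         "resolved": h.group("resolved")}
        for h in HIS_RE.finditer(fields.pop("HIS", ""))
    ]
    return {
        "verdict": head.group("verdict"),
        "block": head.group("block"),
        "policy": head.group("policy"),
        "rules": head.group("rules").split(","),
        "request": fields,
        "history": history,
    }


def involves_indices(entry: dict) -> bool:
    """ROR prints IDX:<N/A> for requests it does not resolve to any index."""
    return entry["request"].get("IDX", "<N/A>") != "<N/A>"


def triage(entry: dict) -> str:
    """One-line diagnosis of the verdict, including the index-less forbid case."""
    if entry["verdict"] != "FORBIDDEN":
        return "allowed by block '%s'" % entry["block"]
    if entry["policy"] == "FORBID" and "indices" in entry["rules"] and not involves_indices(entry):
        return ("index-less request %s %s (%s) matched the indices rule of forbid block '%s'; "
                "consider indices.must_involve_indices: true"
                % (entry["request"].get("MET"), entry["request"].get("PTH"),
                   entry["request"].get("TYP"), entry["block"]))
    return "forbidden by block '%s'" % entry["block"]


if __name__ == "__main__":
    parsed = parse_ror_log(SAMPLE_LOG_LINE)
    print(triage(parsed))
    for h in parsed["history"]:
        print(h["block"], h["rules"])
```

Feed it the purple line from the ES log (one JSON object per line) and read the history: every block that evaluated to false on a rule is listed with that rule, and the first block where every rule is true is the one that decided the request. Real lines carry the full HDR list, which the field regex handles the same way as the shortened sample.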

@coutoPL, in the Elasticsearch logs the rule “disable index kubernetes-logs for kibana users” is triggered, as expected. This is because user testvina opened the “kubernetes-logs-*” Data View in a previous session (when access was not yet blocked). This seems to have been saved in Elasticsearch/Kibana itself. But a logoff was occurring while this happened. I set the “prompt_for_basic_auth: false” parameter in the settings, and now instead of a logoff we get a message saying that access to this data is denied. This is what we wanted to achieve. Thank you for your help and for pointing us in the right direction to solve the problem.

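Putting the two fixes from this thread together (coutoPL's must_involve_indices suggestion and the prompt_for_basic_auth change in the last post), here is an added example of the resulting readonlyrest.yml. It is not the poster's final file, which the thread does not show: the ldaps and proxy_auth_configs sections are left as in the original post, the kibana blocks use the kibana: access: spelling the post's own kibana block uses, and "ro" for the AD users is this example's assumption, chosen because the post asks for read-only access, where the original had kibana_access: "admin".

```yaml
readonlyrest:
  # Added example assembled from the thread; not the poster's final file.
  # proxy_auth_configs and ldaps are unchanged from the original post.

  # With the default (true), a forbidden request is answered with a 401 and a
  # WWW-Authenticate challenge, which Kibana treats as a dead session and turns
  # into /logout?msg=AUTHENTICATION_ERROR. With false, ROR answers 403 and the
  # user stays logged in and sees an access-denied message instead.
  prompt_for_basic_auth: false
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

  access_control_rules:

  - name: "local user: elasticsearch"
    type: allow
    auth_key: mydomain-elasticsearch:PASSWORD

  - name: "local user: kibana"
    type: allow
    auth_key: kibana_system:PASSWORD
    kibana:
      access: unrestricted

  - name: "local user: logstash"
    type: allow
    auth_key: mydomain-elk-logstash:PASSWORD

  # Blocks are evaluated top to bottom and the first matching block decides,
  # so this forbid block must come before the allow block for the same users.
  - name: "disable index kubernetes-logs for kibana users"
    type: forbid
    proxy_auth:
      proxy_auth_config: "myproxy"
      users: ["*"]
    ldap_authorization:
      name: "myldap"
      groups: ["mydomain-log-users"]
    indices:
      patterns: ["kubernetes-logs-*"]
      # Only match requests that actually resolve to an index. Index-less
      # requests such as DELETE /_pit (ClosePointInTimeRequest, logged as
      # IDX:<N/A>) now fall through to the allow block below instead of being
      # forbidden here, which is what broke the Kibana login in the thread.
      must_involve_indices: true

  - name: "kibana users"
    type: allow
    proxy_auth:
      proxy_auth_config: "myproxy"
      users: ["*"]
    ldap_authorization:
      name: "myldap"
      groups: ["mydomain-log-users"]
    # Assumption for this example: the post asks for read-only access, so
    # "ro" is used here instead of the original kibana_access: "admin".
    kibana:
      access: ro
```

A Data View over kubernetes-logs-* saved earlier still causes requests against those indices, so users who open it will see the forbidden message rather than data; with prompt_for_basic_auth: false that message no longer ends their Kibana session.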