[DONE] Kibana_access: ro does not match 'short url'


(Psaiz) #1

Hi Simone,

The settings of ‘kibana_access: ro’ is very useful to grant read only permission to kibana. One issue at the moment is that this particular setting does not allow writing short url (goingt to ‘Share-> Short url’.

At the moment, to go around the issue, we have configrued two rules, one with the kibana_access:ro and a second one like

- indices:
  - cert*
  - ".kibana"
  - ".kibana_cert"
  kibana_access: ro
  kibana_index: ".kibana_cert"
  name: es-cert kibana_reader
  type: allow

- indices:
  - ".kibana_cert"
  methods:
  - POST
  name: es-cert kibana_short_url
  type: allow
  uri_re: "^/.kibana_cert/(index-pattern|url)/.*"

Would it be possible to include the rule of writing the url directly in the kibana_access:ro, so that the second rule would not be needed anymore?

For information, this is what we see in the log file for these type of actions

[2017-05-04T14:49:58,060][INFO ][o.e.p.r.IndexLevelActionFilter] [q500N6i] forbidden request: { ID:85889154425c494693a3baad9b381a1d, TYP:IndexRequest, USR:null, BRS:false, ACT:indices:data/write/index, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/job, CNT:<OMITTED, LENGTH=1416>, HDR:cookie,x-forwarded-proto,host,x-forwarded-port,connection,content-type,x-forwarded-for,Content-Length, EFF:0, HIS:[Checkin kibana_ro->[kibana_access->false]], [Hello->[actions->false]] } Reason: null (null)


Thanks,
pablo


(Simone Scarduzio) #2

Hey Pablo,
I expanded the macro “kibana_access: ro” to include the same effect of your “es-cert kibana_short_url” rule.
And added a “kibana_access: ro_strict” macro to behave like formerly “ro” did in 1.14.x.