Elasticsearch gives information from a fobidden index to user


(Rodrigo) #1

Hi all,

I started to use ReadonlyREST a few days ago and I was having a very good experience.

I’ve installed to use Elasticsearch as a Multi-Tenant enviorement.

Everything was going really fine, until I found an unexpected problem.

I have two indexes: testea and testeb.

So, I’ve created an Index Pattern in Kibana with the name teste*.

After that, I built some visualizations with the “teste*” as the source and putted them on a dashboard.

I was planning to use 3 users:

  • teste: Allowed to visualize testea and testeb.
  • testea: Allowed to visualize testea.
  • testeb: Allowed to visualize testeb.

The my intention was to use the same dashboard to login with the 3 users and have distinct access.

And my plan is working and is not working.

The histogram and metric are working perfectly on the dashboard (they are providing only the values for the allowed index).

However, the pies and bars are returning the information of all indexes, even the forbidden ones.

The strangest thing is that it only happens in the dashboard page, when I click to check the visualization on the visualization page of the pies and the bars, it works as it is expected.

I’ve already tried to rebuild the dashboard, visualization and nothing.

Would you please help me to clarify?

Thank’s!


Follow the elasticsearch.yml:

cluster.name: Testando

network.host: localhost

readonlyrest:

enable: true

ssl:
  enable: false

response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

access_control_rules:

- name: "::LOGSTASH::"
  auth_key: logstash:logstash
  actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]

- name: "ADMIN"
  auth_key_sha1: bbf1cd559a7b422b91cc2eff0ff5f033244e1885

- name: "Teste"
  auth_key: teste:teste
  kibana_access: ro
  indices: [".kibana", "testea", "testeb"]

- name: "Testea"
  auth_key: testea:testea
  kibana_access: ro
  indices: [".kibana", "testea"]

- name: "Testeb"
  auth_key: testeb:testeb
  kibana_access: ro
  indices: [".kibana", "testeb"]

(Rodrigo) #2

Adding necessary information:
I’m running Kibana and Elasticsearch version 5.4


(Simone Scarduzio) #3

Hello @rodrigodrbrasil what plugin version is this? Smells like a bug I fixed recently…


(Rodrigo) #4

Thank’s for the quick response!

Name: readonlyrest
Description: Safely expose Elasticsearch REST API
Version: 1.16.6


(Rodrigo) #5

I installed the new version 1.16.7 and now it’s working like magic.

Thank you very much!


(Simone Scarduzio) #6

Haha that’s exactly what I meant :slight_smile:

There’s a few more bugs I fixed in the 1.16.8 which is coming out tomorrow, but they are not security critical like this.

BTW Are you using also the Kibana plugin?


(Rodrigo) #7

Thank’s, I’ll check out this new version.

Actually, I didn’t know about the Kibana plugin, I’m using only the Elasticsearch plugin.


(Simone Scarduzio) #8

@rodrigodrbrasil in the meanwhile I released the 1.16.8 with even more minor fixes. Take that one from the official download page.

About the Kibana plugin, you’ll find more info here.