Elasticsearch / Kibana 7.0.1 & Readonlyrest v1.18.0 Enterprise

Hello,

I use Elasticsearch and Kibana 7.0.1 OSS (Apache 2).
When I try to create an index from the console in Kibana, I receive the following message:

{
  "error": {
    "root_cause": [
      {
        "reason": "forbidden"
      }
    ],
    "reason": "forbidden"
  },
  "status": 403
}

In the kibana.yml file, I set up the credentials to connect to ES:

elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

In the readonlyrest.yml file, I also set up the authentication for Kibana:

  - name: "Kibana Server"
    type: allow
    auth_key: kibana:kibana

Here is the error message in ES:

FORBIDDEN by default req={  ID:697986956-214118377#551,  TYP:CreateIndexRequest,    CGR:MY-AD-GROUP,  USR:[user not logged],  BRS:false,  KDX:null,  ACT:indices:admin/create,  OA:127.0.0.1/32,  XFF:x-forwarded-for=127.0.0.1,  DA:127.0.0.1/32,  IDX:<N/A>,  MET:PUT,  PTH:/test?pretty,  CNT:<N/A>,  HDR:Connection=close, Content-Length=0, Host=localhost:9200, authorization=<OMITTED>, x-forwarded-for=127.0.0.1, x-forwarded-host=epf-slap-11.ep.parl.union.eu, x-forwarded-port=46084, x-forwarded-proto=http, x-ror-current-group=MY-AD-GROUP,  HIS:[logstash with write and create permissions for its own indices->[auth_key->false]], [Kibana Server->[auth_key_sha256->false]], [Application users->[ldap_auth->false]], [Administrator->[ldap_auth->true, kibana_access->false]]  }

Thanks for the help
H.

Hi @hassen,
As you can see, the LDAP authentication is succeeding, but the kibana_access rule is preventing the request from being accepted.

This is normal and intended. When you specify a kibana_access rule with any value (even admin!) the permissions are going to be restricted to allow the minimum set of actions that are typical of a Kibana data-browsing session. For example, the user will be allowed to create dashboards and visualizations, but not delete/modify/create data indices.

If you intend to have a user with the permission to send arbitrary commands through dev-tools, just comment the “kibana_access” rule from their block.

The kibana_access rule is described in the docs: readonlyrest-docs/elasticsearch.md at master · beshu-tech/readonlyrest-docs · GitHub
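The reading of the HIS field used in this answer (which block authenticated the user, and which rule then rejected the request) can be automated. The Python sketch below is an added example, not part of the original thread and not ReadonlyREST code; the function names are hypothetical, the HIS layout is inferred only from the log line in the question, and the sample is an abbreviated copy of that line.

```python
import re

# Abbreviated copy of the log line from the question (only the fields used here).
SAMPLE = (
    "FORBIDDEN by default req={  ID:697986956-214118377#551,  TYP:CreateIndexRequest,  "
    "ACT:indices:admin/create,  MET:PUT,  PTH:/test?pretty,  "
    "HIS:[logstash with write and create permissions for its own indices->[auth_key->false]], "
    "[Kibana Server->[auth_key_sha256->false]], [Application users->[ldap_auth->false]], "
    "[Administrator->[ldap_auth->true, kibana_access->false]]  }"
)

# One ACL block in HIS looks like: [block name->[rule->true, rule->false]]
BLOCK_RE = re.compile(r"\[([^\[\]]+?)->\[([^\[\]]*)\]\]")

def parse_history(line):
    """Return [(block_name, [(rule, matched), ...]), ...] in evaluation order."""
    _, _, his = line.partition("HIS:")
    blocks = []
    for name, rules in BLOCK_RE.findall(his):
        outcomes = []
        for item in rules.split(","):
            rule, _, result = item.strip().rpartition("->")
            if rule:
                outcomes.append((rule, result == "true"))
        blocks.append((name.strip(), outcomes))
    return blocks

def explain(line):
    """For each block, list the rules that matched and the first rule that did not."""
    report = []
    for name, outcomes in parse_history(line):
        failed = next((rule for rule, ok in outcomes if not ok), None)
        passed = [rule for rule, ok in outcomes if ok]
        report.append({"block": name, "rejected_by": failed, "passed": passed})
    return report

def authenticated_but_denied(line):
    """Blocks where some rule matched before a later rule rejected the request."""
    return [(e["block"], e["rejected_by"]) for e in explain(line)
            if e["passed"] and e["rejected_by"]]

if __name__ == "__main__":
    for entry in explain(SAMPLE):
        print(entry)
    print(authenticated_but_denied(SAMPLE))
```

A non-empty result from `authenticated_but_denied` separates an authorization restriction such as the one in this thread from a plain credential failure, where every block fails on its authentication rule.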

I commented the “kibana_access” rule for LDAP users and it is working now.

Thanks.
